From 2f75e4c0a33f61e8514c09c69ce896681476df85 Mon Sep 17 00:00:00 2001

From: Michal Sekletar <msekleta@redhat.com>

Date: Thu, 15 May 2014 16:24:03 +0200

Subject: [PATCH] zebra: raise the privileges before calling socket()

Because of recent changes when creating AF_NETLINK socket, kernel will

cache capabilities of the caller and if file descriptor is used or

otherwise handed to another process it will check that current user has

necessary capabilities to use the socket. Hence we need to ensure we

have necessary capabilities when creating the socket and at the time we

use the socket.

See: http://www.spinics.net/lists/netdev/msg280198.html

---

 zebra/rt_netlink.c | 14 +++++++-------

 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c

index ba0b0d7..9855c9e 100644

--- a/zebra/rt_netlink.c

+++ b/zebra/rt_netlink.c

@@ -162,6 +162,13 @@ netlink_socket (struct nlsock *nl, unsigned long groups)

   int namelen;

   int save_errno;

+  /* Bind the socket to the netlink structure for anything. */

+  if (zserv_privs.change (ZPRIVS_RAISE))

+    {

+      zlog (NULL, LOG_ERR, "Can't raise privileges");

+      return -1;

+    }

+

   sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);

   if (sock < 0)

     {

@@ -174,13 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups)

   snl.nl_family = AF_NETLINK;

   snl.nl_groups = groups;

-  /* Bind the socket to the netlink structure for anything. */

-  if (zserv_privs.change (ZPRIVS_RAISE))

-    {

-      zlog (NULL, LOG_ERR, "Can't raise privileges");

-      return -1;

-    }

-

   ret = bind (sock, (struct sockaddr *) &snl, sizeof snl);

   save_errno = errno;

   if (zserv_privs.change (ZPRIVS_LOWER))

-- 

1.8.3.1