From 2f75e4c0a33f61e8514c09c69ce896681476df85 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Thu, 15 May 2014 16:24:03 +0200
Subject: [PATCH] zebra: raise the privileges before calling socket()
Because of recent changes when creating AF_NETLINK socket, kernel will
cache capabilities of the caller and if file descriptor is used or
otherwise handed to another process it will check that current user has
necessary capabilities to use the socket. Hence we need to ensure we
have necessary capabilities when creating the socket and at the time we
use the socket.
See: http://www.spinics.net/lists/netdev/msg280198.html
---
zebra/rt_netlink.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index ba0b0d7..9855c9e 100644
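--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -162,6 +162,13 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
 int namelen;
 int save_errno;
 
+ /* Bind the socket to the netlink structure for anything. */
+ if (zserv_privs.change (ZPRIVS_RAISE))
+ {
+ zlog (NULL, LOG_ERR, "Can't raise privileges");
+ return -1;
+ }
+
 sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
 if (sock < 0)
 {
@@ -174,13 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
 snl.nl_family = AF_NETLINK;
 snl.nl_groups = groups;
 
- /* Bind the socket to the netlink structure for anything. */
- if (zserv_privs.change (ZPRIVS_RAISE))
- {
- zlog (NULL, LOG_ERR, "Can't raise privileges");
- return -1;
- }
-
 ret = bind (sock, (struct sockaddr *) &snl, sizeof snl);
 save_errno = errno;
 if (zserv_privs.change (ZPRIVS_LOWER))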
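Review bot: With the raise now placed before `socket()`, the `if (sock < 0)` branch that closes the first hunk runs with raised privileges, and its body lies outside the hunk; if it returns early the way the raise-failure branch does, zebra would keep its elevated privileges after a failed socket creation, since the only visible `ZPRIVS_LOWER` call comes after `bind()` in the second hunk. That branch should drop privileges before returning, saving errno first so the failure log still reports the socket() error: `save_errno = errno;` followed by `if (zserv_privs.change (ZPRIVS_LOWER)) zlog (NULL, LOG_ERR, "Can't lower privileges");`. The comment `/* Bind the socket to the netlink structure for anything. */` moved along with the block and now sits above the raise rather than the bind; a comment such as `/* Raise privileges before socket(): the kernel caches the creator's capabilities for AF_NETLINK sockets. */` would record why the order matters.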
--
1.8.3.1