diff --git a/0001-zebra-raise-the-privileges-before-calling-socket.patch b/0001-zebra-raise-the-privileges-before-calling-socket.patch
new file mode 100644
index 0000000..1c4e914
--- /dev/null
+++ b/0001-zebra-raise-the-privileges-before-calling-socket.patch
@@ -0,0 +1,52 @@
+From 2f75e4c0a33f61e8514c09c69ce896681476df85 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Thu, 15 May 2014 16:24:03 +0200
+Subject: [PATCH] zebra: raise the privileges before calling socket()
+
+Because of recent changes when creating AF_NETLINK socket, kernel will
+cache capabilities of the caller and if file descriptor is used or
+otherwise handed to another process it will check that current user has
+necessary capabilities to use the socket. Hence we need to ensure we
+have necessary capabilities when creating the socket and at the time we
+use the socket.
+
+See: http://www.spinics.net/lists/netdev/msg280198.html
+---
+ zebra/rt_netlink.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
+index ba0b0d7..9855c9e 100644
+--- a/zebra/rt_netlink.c
++++ b/zebra/rt_netlink.c
+@@ -162,6 +162,13 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
+ int namelen;
+ int save_errno;
+
++ /* Bind the socket to the netlink structure for anything. */
++ if (zserv_privs.change (ZPRIVS_RAISE))
++ {
++ zlog (NULL, LOG_ERR, "Can't raise privileges");
++ return -1;
++ }
++
+ sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
+ if (sock < 0)
+ {
+@@ -174,13 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
+ snl.nl_family = AF_NETLINK;
+ snl.nl_groups = groups;
+
+- /* Bind the socket to the netlink structure for anything. */
+- if (zserv_privs.change (ZPRIVS_RAISE))
+- {
+- zlog (NULL, LOG_ERR, "Can't raise privileges");
+- return -1;
+- }
+-
+ ret = bind (sock, (struct sockaddr *) &snl, sizeof snl);
+ save_errno = errno;
+ if (zserv_privs.change (ZPRIVS_LOWER))
+--
+1.8.3.1
+
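Review bot: With the ZPRIVS_RAISE moved ahead of socket(), the socket()-failure path that starts at `if (sock < 0)` at the end of the first hunk now runs with privileges raised, whereas before this patch it returned before any raise and so never had to lower them; its body is outside the hunk, so I cannot see whether it already handles this. If it does not, a failed socket creation leaves zebra holding its elevated capabilities until some later ZPRIVS_LOWER, so that block's `return -1;` should be preceded by `if (zserv_privs.change (ZPRIVS_LOWER)) zlog (NULL, LOG_ERR, "Can't lower privileges");`, matching the lowering already done after bind() in the second hunk. The comment carried along with the raise, `/* Bind the socket to the netlink structure for anything. */`, now sits above the raise rather than above bind() and no longer describes the code under it; I would reword it to `/* Raise privileges before socket(): the kernel records the creator's capabilities on a netlink socket, so socket() and bind() must both run raised. */` so the reason given in the commit message survives in the source. netlink_socket's body begins before the first hunk and continues past the second.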
diff --git a/quagga.spec b/quagga.spec
index b55ed4b..3d55067 100644
--- a/quagga.spec
+++ b/quagga.spec
@@ -7,7 +7,7 @@
 Name: quagga
 Version: 0.99.22.4
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 Group: System Environment/Daemons
@@ -27,6 +27,7 @@ Provides: routingdaemon = %{version}-%{release}
 Obsoletes: quagga-sysvinit
 Patch0: 0001-systemd-change-the-WantedBy-target.patch
+Patch1: 0001-zebra-raise-the-privileges-before-calling-socket.patch
 %define __perl_requires %{SOURCE1}
@@ -64,6 +65,7 @@ developing OSPF-API and quagga applications.
 %setup -q
 %patch0 -p1
+%patch1 -p1
 %build
 %configure \
@@ -225,6 +227,9 @@ fi
 %{_includedir}/quagga/ospfd/*.h
 %changelog
+* Mon May 26 2014 Michal Sekletar - 0.99.22.4-4
+- raise privileges before creating netlink socket (#1097684)
+
 * Thu Jan 29 2014 Michal Sekletar - 0.99.22.4-3
 - fix source url
 - fix date in the changelog