Because of recent changes, when an AF_NETLINK socket is created the kernel
caches the capabilities of the caller, and when the file descriptor is used
or otherwise handed to another process it checks that the current user has
the capabilities necessary to use the socket. Hence we need to ensure we
have the necessary capabilities both when creating the socket and at the
time we use the socket.
See: http://www.spinics.net/lists/netdev/msg280198.html
Signed-off-by: Michal Sekletar <msekleta@redhat.com>
---
V2: added signed-off-by
zebra/rt_netlink.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index ba0b0d7..9855c9e 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -162,6 +162,13 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
int namelen;
int save_errno;
+ /* Bind the socket to the netlink structure for anything. */
+ if (zserv_privs.change (ZPRIVS_RAISE))
+ {
+ zlog (NULL, LOG_ERR, "Can't raise privileges");
+ return -1;
+ }
+
sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock < 0)
{
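Review bot: The `if (sock < 0)` failure branch that follows the new raise block appears to return without a matching `zserv_privs.change (ZPRIVS_LOWER)`, so a failed socket() would leave zebra running with raised privileges. The branch body continues outside the hunk, so this should be confirmed against the full function. If it holds, add `if (zserv_privs.change (ZPRIVS_LOWER)) zlog (NULL, LOG_ERR, "Can't lower privileges");` before that branch's return. The comment moved with the block, `/* Bind the socket to the netlink structure for anything. */`, now sits above socket() instead of bind(); a comment such as `/* Raise privileges: the kernel caches the caller's capabilities at socket() time and checks them again on use. */` would match the new placement. The same applies to the repeated copy of this hunk further down the page.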
@@ -174,13 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
snl.nl_family = AF_NETLINK;
snl.nl_groups = groups;
- /* Bind the socket to the netlink structure for anything. */
- if (zserv_privs.change (ZPRIVS_RAISE))
- {
- zlog (NULL, LOG_ERR, "Can't raise privileges");
- return -1;
- }
-
ret = bind (sock, (struct sockaddr *) &snl, sizeof snl);
save_errno = errno;
if (zserv_privs.change (ZPRIVS_LOWER))
--
1.8.3.1
cache capabilities of the caller and if file descriptor is used or
otherwise handed to another process it will check that current user has
necessary capabilities to use the socket. Hence we need to ensure we
have necessary capabilities when creating the socket and at the time we
use the socket.
See: http://www.spinics.net/lists/netdev/msg280198.html
Signed-off-by: Michal Sekletar <msekleta@redhat.com>
---
V2: added signed-off-by
zebra/rt_netlink.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c
index ba0b0d7..9855c9e 100644
--- a/zebra/rt_netlink.c
+++ b/zebra/rt_netlink.c
@@ -162,6 +162,13 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
int namelen;
int save_errno;
+ /* Bind the socket to the netlink structure for anything. */
+ if (zserv_privs.change (ZPRIVS_RAISE))
+ {
+ zlog (NULL, LOG_ERR, "Can't raise privileges");
+ return -1;
+ }
+
sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
if (sock < 0)
{
@@ -174,13 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups)
snl.nl_family = AF_NETLINK;
snl.nl_groups = groups;
- /* Bind the socket to the netlink structure for anything. */
- if (zserv_privs.change (ZPRIVS_RAISE))
- {
- zlog (NULL, LOG_ERR, "Can't raise privileges");
- return -1;
- }
-
ret = bind (sock, (struct sockaddr *) &snl, sizeof snl);
save_errno = errno;
if (zserv_privs.change (ZPRIVS_LOWER))
--
1.8.3.1