From 3bc34908e86ee01f8eb4f8d39a4075c865d56370 Mon Sep 17 00:00:00 2001
From: Philippe Guibert
Date: Tue, 13 Mar 2018 15:26:03 +0100
Subject: [PATCH] lib: privileges are granted to vty netns command

Vty commands that link netns context to a vrf is requiring some privileges. The change consists in retrieving the privileges at the vrf_cmd_init() called by the relevant daemon. Then use it.

Signed-off-by: Philippe Guibert
---
 lib/vrf.c | 20 +++++++++++++++++---
 lib/vrf.h | 3 ++-
 pimd/pim_instance.c | 2 +-
 zebra/zebra_vrf.c | 3 ++-
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/lib/vrf.c b/lib/vrf.c
index f8e5a97904..6002aee514 100644
--- a/lib/vrf.c
+++ b/lib/vrf.c
@@ -33,6 +33,7 @@
 #include "memory.h"
 #include "command.h"
 #include "ns.h"
+#include "privs.h"
 
 /* default VRF ID value used when VRF backend is not NETNS */
 #define VRF_DEFAULT_INTERNAL 0
@@ -52,6 +53,7 @@ struct vrf_id_head vrfs_by_id = RB_INITIALIZER(&vrfs_by_id);
 struct vrf_name_head vrfs_by_name = RB_INITIALIZER(&vrfs_by_name);
 
 static int vrf_backend;
+static struct zebra_privs_t *vrf_daemon_privs;
 
 /*
  * Turn on/off debug code
@@ -690,14 +692,24 @@ DEFUN_NOSH (vrf_netns,
        "Attach VRF to a Namespace\n"
        "The file name in " NS_RUN_DIR ", or a full pathname\n")
 {
-	int idx_name = 1;
+	int idx_name = 1, ret;
 	char *pathname = ns_netns_pathname(vty, argv[idx_name]->arg);
 
 	VTY_DECLVAR_CONTEXT(vrf, vrf);
 
 	if (!pathname)
 		return CMD_WARNING_CONFIG_FAILED;
-	return vrf_netns_handler_create(vty, vrf, pathname, NS_UNKNOWN);
+
+	if (vrf_daemon_privs && vrf_daemon_privs->change(ZPRIVS_RAISE)) zlog_err("%s: Can't raise privileges", __func__);
+
+	ret = vrf_netns_handler_create(vty, vrf, pathname, NS_UNKNOWN);
+
+	if (vrf_daemon_privs && vrf_daemon_privs->change(ZPRIVS_LOWER)) zlog_err("%s: Can't lower privileges", __func__);
+	return ret;
 }
 
 DEFUN (no_vrf_netns,
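Review bot: In the vrf_netns hunk a failed ZPRIVS_RAISE is only logged and the attach still proceeds to vrf_netns_handler_create, after which ZPRIVS_LOWER is attempted against a level that was never raised; the command would more usefully fail closed in that branch, e.g. `zlog_err("%s: Can't raise privileges", __func__); return CMD_WARNING_CONFIG_FAILED;`, so that a missing capability shows up as a config failure to the operator rather than as a later, less obvious error from the handler. The elevated window also spans the whole of vrf_netns_handler_create, presumably including its error and vty-output paths, rather than just the namespace open it exists for; if narrowing it is not practical here, a one-line comment above the raise stating why the whole call must run privileged would help the next reader. The `vrf_daemon_privs &&` guard implies that a daemon may pass NULL to vrf_cmd_init and then run the attach without any raise, but nothing in the hunk states that contract. The DEFUN_NOSH (vrf_netns, ...) definition starts above the hunk.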
@@ -779,7 +791,8 @@ void vrf_install_commands(void)
 	install_element(ENABLE_NODE, &no_vrf_debug_cmd);
 }
 
-void vrf_cmd_init(int (*writefunc)(struct vty *vty))
+void vrf_cmd_init(int (*writefunc)(struct vty *vty),
+		  struct zebra_privs_t *daemon_privs)
 {
 	install_element(CONFIG_NODE, &vrf_cmd);
 	install_element(CONFIG_NODE, &no_vrf_cmd);
@@ -787,6 +800,7 @@ void vrf_cmd_init(int (*writefunc)(struct vty *vty))
 	install_default(VRF_NODE);
 	if (vrf_is_backend_netns() && ns_have_netns()) {
 		/* Install NS commands. */
+		vrf_daemon_privs = daemon_privs;
 		install_element(VRF_NODE, &vrf_netns_cmd);
 		install_element(VRF_NODE, &no_vrf_netns_cmd);
 	}
diff --git a/lib/vrf.h b/lib/vrf.h
index 6482740aa1..617405a77e 100644
--- a/lib/vrf.h
+++ b/lib/vrf.h
@@ -242,7 +242,8 @@ extern int vrf_switchback_to_initial(void);
 
 /* VRF vty command initialisation */
-extern void vrf_cmd_init(int (*writefunc)(struct vty *vty));
+extern void vrf_cmd_init(int (*writefunc)(struct vty *vty),
+			 struct zebra_privs_t *daemon_priv);
 
 /* VRF vty debugging */
diff --git a/pimd/pim_instance.c b/pimd/pim_instance.c
index f92da7fe70..60a3308a00 100644
--- a/pimd/pim_instance.c
+++ b/pimd/pim_instance.c
@@ -214,7 +214,7 @@ void pim_vrf_init(void)
 {
 	vrf_init(pim_vrf_new, pim_vrf_enable, pim_vrf_disable, pim_vrf_delete);
-	vrf_cmd_init(pim_vrf_config_write);
+	vrf_cmd_init(pim_vrf_config_write, &pimd_privs);
 }
 
 void pim_vrf_terminate(void)
diff --git a/zebra/zebra_vrf.c b/zebra/zebra_vrf.c
index 9e13f4ed6e..64585c4c1a 100644
--- a/zebra/zebra_vrf.c
+++ b/zebra/zebra_vrf.c
@@ -39,6 +39,7 @@
 #include "zebra/interface.h"
 #include "zebra/zebra_mpls.h"
 #include "zebra/zebra_vxlan.h"
+#include "zebra/zebra_netns_notify.h"
 
 extern struct zebra_t zebrad;
 
@@ -587,5 +588,5 @@ void zebra_vrf_init(void)
 	vrf_init(zebra_vrf_new, zebra_vrf_enable, zebra_vrf_disable, zebra_vrf_delete);
-	vrf_cmd_init(vrf_config_write);
+	vrf_cmd_init(vrf_config_write, &zserv_privs);
 }
-- 
2.39.5
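Review bot: The new daemon_privs parameter of vrf_cmd_init is undocumented in both the definition here and the prototype in the lib/vrf.h hunk, although it carries the security contract of the change: it is stored in the file-scope vrf_daemon_privs only inside the netns branch, and the netns command's `vrf_daemon_privs &&` guard elsewhere in this patch implies NULL is an accepted value meaning "do not raise". A comment on the prototype along the lines of `/* daemon_priv: privileges raised around netns attach; NULL disables the raise */` would make that explicit for daemons adding the call. The prototype in lib/vrf.h also names the parameter daemon_priv while the definition uses daemon_privs; the two should match so the header reads as the authoritative contract. The pointer is kept for the daemon's lifetime, so callers passing anything other than a static privs object should be warned of that in the same comment.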
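Review bot: The zebra/zebra_vrf.c hunk adds `#include "zebra/zebra_netns_notify.h"`, but the only new symbol the file's other hunk uses is zserv_privs, so the include is presumably there to obtain that declaration; if so, a short trailing comment such as `/* for zserv_privs */` would tell a reader why a notify header is pulled into the VRF code, and if not, the include looks unused. The pimd/pim_instance.c hunk passes &pimd_privs in the same way and may deserve the same check on where that declaration comes from.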