From 8e998b1eb5fea53f2a2eddd9f7f2b8ab004406f3 Mon Sep 17 00:00:00 2001 From: Michal Sekletar Date: Fri, 16 May 2014 14:13:43 +0000 Subject: [PATCH] zebra: raise the privileges before calling socket() Because of recent changes when creating AF_NETLINK socket, kernel will cache capabilities of the caller and if file descriptor is used or otherwise handed to another process it will check that current user has necessary capabilities to use the socket. Hence we need to ensure we have necessary capabilities when creating the socket and at the time we use the socket. See: http://www.spinics.net/lists/netdev/msg280198.html Signed-off-by: Michal Sekletar Signed-off-by: David Lamparter --- zebra/rt_netlink.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/zebra/rt_netlink.c b/zebra/rt_netlink.c index ba0b0d7de2..6a802f6906 100644 --- a/zebra/rt_netlink.c +++ b/zebra/rt_netlink.c @@ -162,6 +162,12 @@ netlink_socket (struct nlsock *nl, unsigned long groups) int namelen; int save_errno; + if (zserv_privs.change (ZPRIVS_RAISE)) + { + zlog (NULL, LOG_ERR, "Can't raise privileges"); + return -1; + } + sock = socket (AF_NETLINK, SOCK_RAW, NETLINK_ROUTE); if (sock < 0) { @@ -175,12 +181,6 @@ netlink_socket (struct nlsock *nl, unsigned long groups) snl.nl_groups = groups; /* Bind the socket to the netlink structure for anything. */ - if (zserv_privs.change (ZPRIVS_RAISE)) - { - zlog (NULL, LOG_ERR, "Can't raise privileges"); - return -1; - } - ret = bind (sock, (struct sockaddr *) &snl, sizeof snl); save_errno = errno; if (zserv_privs.change (ZPRIVS_LOWER)) -- 2.39.5