| author | David Lamparter <equinox@opensourcerouting.org> | 2018-08-10 18:36:43 +0200 | 
|---|---|---|
| committer | Quentin Young <qlyoung@cumulusnetworks.com> | 2018-08-14 20:02:05 +0000 | 
| commit | 01b9e3fd0d354d7d4c60b1c0240f269a4fd08990 (patch) | |
| tree | 7758a10d2c803e86348e04e908f73b63c0048b96 /zebra | |
| parent | 6017c3a2e71304381af5cfa5020b4a1358ee098b (diff) | |
*: use frr_elevate_privs() (1/2: coccinelle)
Signed-off-by: David Lamparter <equinox@diac24.net>
Diffstat (limited to 'zebra')
| -rw-r--r-- | zebra/if_ioctl_solaris.c | 31 | ||||
| -rw-r--r-- | zebra/if_netlink.c | 25 | ||||
| -rw-r--r-- | zebra/ioctl.c | 77 | ||||
| -rw-r--r-- | zebra/ioctl_solaris.c | 55 | ||||
| -rw-r--r-- | zebra/ipforward_proc.c | 96 | ||||
| -rw-r--r-- | zebra/ipforward_solaris.c | 36 | ||||
| -rw-r--r-- | zebra/ipforward_sysctl.c | 70 | ||||
| -rw-r--r-- | zebra/irdp_main.c | 14 | ||||
| -rw-r--r-- | zebra/kernel_netlink.c | 23 | ||||
| -rw-r--r-- | zebra/rt_socket.c | 14 | ||||
| -rw-r--r-- | zebra/rtadv.c | 12 | ||||
| -rw-r--r-- | zebra/zebra_mpls_openbsd.c | 16 | ||||
| -rw-r--r-- | zebra/zebra_netns_notify.c | 34 | ||||
| -rw-r--r-- | zebra/zebra_ns.c | 8 | 
14 files changed, 190 insertions, 321 deletions
diff --git a/zebra/if_ioctl_solaris.c b/zebra/if_ioctl_solaris.c
index 3b3064490e..ee7f22e780 100644
--- a/zebra/if_ioctl_solaris.c
+++ b/zebra/if_ioctl_solaris.c
@@ -59,29 +59,24 @@ static int interface_list_ioctl(int af)
 	size_t needed, lastneeded = 0;
 	char *buf = NULL;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-
-	sock = socket(af, SOCK_DGRAM, 0);
-	if (sock < 0) {
-		zlog_warn("Can't make %s socket stream: %s",
-			  (af == AF_INET ? "AF_INET" : "AF_INET6"),
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+		sock = socket(af, SOCK_DGRAM, 0);
+		if (sock < 0) {
+			zlog_warn("Can't make %s socket stream: %s",
+				  (af == AF_INET ? "AF_INET" : "AF_INET6"),
+				  safe_strerror(errno));
-		return -1;
-	}
+			return -1;
+		}
 calculate_lifc_len: /* must hold privileges to enter here */
-	lifn.lifn_family = af;
-	lifn.lifn_flags = LIFC_NOXMIT; /* we want NOXMIT interfaces too */
-	ret = ioctl(sock, SIOCGLIFNUM, &lifn);
-	save_errno = errno;
+		lifn.lifn_family = af;
+		lifn.lifn_flags = LIFC_NOXMIT; /* we want NOXMIT interfaces too */
+		ret = ioctl(sock, SIOCGLIFNUM, &lifn);
+		save_errno = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	}
 	if (ret < 0) {
 		zlog_warn("interface_list_ioctl: SIOCGLIFNUM failed %s",
diff --git a/zebra/if_netlink.c b/zebra/if_netlink.c
index e09d30a207..c0da066aa0 100644
--- a/zebra/if_netlink.c
+++ b/zebra/if_netlink.c
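Review bot: In interface_list_ioctl (zebra/if_ioctl_solaris.c) the `calculate_lifc_len:` label now sits in the middle of the `frr_elevate_privs(&zserv_privs) { … }` block, so any `goto calculate_lifc_len` from later in the function (outside this hunk) would enter the block without passing through its header. The label's own comment says privileges must be held on entry, and a jump past the header presumably skips whatever the macro does to raise them and to arrange the drop at the closing brace. The SIOCGLIFNUM query would be safer in its own block with the label placed just before it, i.e. close the socket-creation block, then `calculate_lifc_len:` followed by a second `frr_elevate_privs(&zserv_privs) {` around the `lifn`/`ioctl`/`save_errno` lines. The goto site is not visible here and should be checked against the new structure.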
@@ -375,20 +375,19 @@ static int get_iflink_speed(struct interface *interface)
 	ifdata.ifr_data = (caddr_t)&ecmd;
 	/* use ioctl to get IP address of an interface */
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	sd = vrf_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, interface->vrf_id,
-			NULL);
-	if (sd < 0) {
-		if (IS_ZEBRA_DEBUG_KERNEL)
-			zlog_debug("Failure to read interface %s speed: %d %s",
-				   ifname, errno, safe_strerror(errno));
-		return 0;
-	}
+	frr_elevate_privs(&zserv_privs) {
+		sd = vrf_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP,
+				interface->vrf_id,
+				NULL);
+		if (sd < 0) {
+			if (IS_ZEBRA_DEBUG_KERNEL)
+				zlog_debug("Failure to read interface %s speed: %d %s",
+					   ifname, errno, safe_strerror(errno));
+			return 0;
+		}
 	/* Get the current link state for the interface */
-	rc = vrf_ioctl(interface->vrf_id, sd, SIOCETHTOOL, (char *)&ifdata);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+		rc = vrf_ioctl(interface->vrf_id, sd, SIOCETHTOOL, (char *)&ifdata);
+	}
 	if (rc < 0) {
 		if (IS_ZEBRA_DEBUG_KERNEL)
 			zlog_debug(
diff --git a/zebra/ioctl.c b/zebra/ioctl.c
index 4804d42fd6..0469bc38c0 100644
--- a/zebra/ioctl.c
+++ b/zebra/ioctl.c
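Review bot: The early `return 0` inside the block in get_iflink_speed (zebra/if_netlink.c) leaves the process unprivileged only if frr_elevate_privs() drops privileges on every exit from its scope, not just on fall-through to the closing brace. The macro's definition is not on this page, so that contract should be confirmed and stated where it is relied on, e.g. `/* return inside frr_elevate_privs() relies on its scope-exit privilege drop */`. The same reliance appears in the `return -1` paths of interface_list_ioctl, the ipforward_proc.c and ipforward_sysctl.c functions, and solaris_nd. The context comment `/* Get the current link state for the interface */` is also left at the outer indent although it now sits inside the block.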
@@ -55,22 +55,16 @@ int if_ioctl(unsigned long request, caddr_t buffer)
 	int ret;
 	int err = 0;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	sock = socket(AF_INET, SOCK_DGRAM, 0);
-	if (sock < 0) {
-		int save_errno = errno;
-
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
-			     safe_strerror(save_errno));
-		exit(1);
+	frr_elevate_privs(&zserv_privs) {
+		sock = socket(AF_INET, SOCK_DGRAM, 0);
+		if (sock < 0) {
+			zlog_err("Cannot create UDP socket: %s",
+				 safe_strerror(errno));
+			exit(1);
+		}
+		if ((ret = ioctl(sock, request, buffer)) < 0)
+			err = errno;
 	}
-	if ((ret = ioctl(sock, request, buffer)) < 0)
-		err = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	close(sock);
 	if (ret < 0) {
@@ -87,23 +81,17 @@ int vrf_if_ioctl(unsigned long request, caddr_t buffer, vrf_id_t vrf_id)
 	int ret;
 	int err = 0;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	sock = vrf_socket(AF_INET, SOCK_DGRAM, 0, vrf_id, NULL);
-	if (sock < 0) {
-		int save_errno = errno;
-
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
-			     safe_strerror(save_errno));
-		exit(1);
+	frr_elevate_privs(&zserv_privs) {
+		sock = vrf_socket(AF_INET, SOCK_DGRAM, 0, vrf_id, NULL);
+		if (sock < 0) {
+			zlog_err("Cannot create UDP socket: %s",
+				 safe_strerror(errno));
+			exit(1);
+		}
+		ret = vrf_ioctl(vrf_id, sock, request, buffer);
+		if (ret < 0)
+			err = errno;
 	}
-	ret = vrf_ioctl(vrf_id, sock, request, buffer);
-	if (ret < 0)
-		err = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	close(sock);
 	if (ret < 0) {
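Review bot: The socket-failure path in if_ioctl (zebra/ioctl.c) now logs and calls `exit(1)` while still inside the elevated block, where the removed code lowered privileges first and only then logged and exited. Because `exit()` does not leave the block normally, any scope-based drop the macro performs is presumably skipped, so the log write and exit-time handlers run with raised privileges. The conversion also swaps `flog_err_sys(LIB_ERR_SOCKET, …)` for plain `zlog_err(…)`, losing the error reference the old line carried. The same applies to vrf_if_ioctl and if_ioctl_ipv6 in this file and to both functions in zebra/ioctl_solaris.c. Keeping only the syscalls inside the block and reporting afterwards restores the old ordering; in ioctl_solaris.c `err` has no initialiser, so it must be assigned before being read this way. The tail of the function lies outside the hunk.

```c
	frr_elevate_privs(&zserv_privs) {
		sock = socket(AF_INET, SOCK_DGRAM, 0);
		if (sock < 0)
			err = errno;
		else if ((ret = ioctl(sock, request, buffer)) < 0)
			err = errno;
	}
	if (sock < 0) {
		flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
			     safe_strerror(err));
		exit(1);
	}
	/* … unchanged: close(sock) and ret/err handling … */
```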
@@ -120,24 +108,17 @@ static int if_ioctl_ipv6(unsigned long request, caddr_t buffer)
 	int ret;
 	int err = 0;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	sock = socket(AF_INET6, SOCK_DGRAM, 0);
-	if (sock < 0) {
-		int save_errno = errno;
-
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		flog_err_sys(LIB_ERR_SOCKET,
-			     "Cannot create IPv6 datagram socket: %s",
-			     safe_strerror(save_errno));
-		exit(1);
-	}
+	frr_elevate_privs(&zserv_privs) {
+		sock = socket(AF_INET6, SOCK_DGRAM, 0);
+		if (sock < 0) {
+			zlog_err("Cannot create IPv6 datagram socket: %s",
+				 safe_strerror(errno));
+			exit(1);
+		}
-	if ((ret = ioctl(sock, request, buffer)) < 0)
-		err = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+		if ((ret = ioctl(sock, request, buffer)) < 0)
+			err = errno;
+	}
 	close(sock);
 	if (ret < 0) {
diff --git a/zebra/ioctl_solaris.c b/zebra/ioctl_solaris.c
index 1ba37f2db5..260911ce67 100644
--- a/zebra/ioctl_solaris.c
+++ b/zebra/ioctl_solaris.c
@@ -58,24 +58,19 @@ int if_ioctl(unsigned long request, caddr_t buffer)
 	int ret;
 	int err;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-
-	sock = socket(AF_INET, SOCK_DGRAM, 0);
-	if (sock < 0) {
-		int save_errno = errno;
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
-			     safe_strerror(save_errno));
-		exit(1);
-	}
+	frr_elevate_privs(&zserv_privs) {
+
+		sock = socket(AF_INET, SOCK_DGRAM, 0);
+		if (sock < 0) {
+			zlog_err("Cannot create UDP socket: %s",
+				 safe_strerror(errno));
+			exit(1);
+		}
-	if ((ret = ioctl(sock, request, buffer)) < 0)
-		err = errno;
+		if ((ret = ioctl(sock, request, buffer)) < 0)
+			err = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	}
 	close(sock);
@@ -93,25 +88,19 @@ int if_ioctl_ipv6(unsigned long request, caddr_t buffer)
 	int ret;
 	int err;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-
-	sock = socket(AF_INET6, SOCK_DGRAM, 0);
-	if (sock < 0) {
-		int save_errno = errno;
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		flog_err_sys(LIB_ERR_SOCKET,
-			     "Cannot create IPv6 datagram socket: %s",
-			     safe_strerror(save_errno));
-		exit(1);
-	}
+	frr_elevate_privs(&zserv_privs) {
+
+		sock = socket(AF_INET6, SOCK_DGRAM, 0);
+		if (sock < 0) {
+			zlog_err("Cannot create IPv6 datagram socket: %s",
+				 safe_strerror(errno));
+			exit(1);
+		}
-	if ((ret = ioctl(sock, request, buffer)) < 0)
-		err = errno;
+		if ((ret = ioctl(sock, request, buffer)) < 0)
+			err = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	}
 	close(sock);
diff --git a/zebra/ipforward_proc.c b/zebra/ipforward_proc.c
index fc27624410..3a766b1ea9 100644
--- a/zebra/ipforward_proc.c
+++ b/zebra/ipforward_proc.c
@@ -77,27 +77,19 @@ int ipforward_on(void)
 {
 	FILE *fp;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-	fp = fopen(proc_ipv4_forwarding, "w");
+		fp = fopen(proc_ipv4_forwarding, "w");
-	if (fp == NULL) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES,
-				  "Can't lower privileges, %s",
-				  safe_strerror(errno));
-		return -1;
-	}
+		if (fp == NULL) {
+			return -1;
+		}
-	fprintf(fp, "1\n");
+		fprintf(fp, "1\n");
-	fclose(fp);
+		fclose(fp);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
-			  safe_strerror(errno));
+	}
 	return ipforward();
 }
@@ -106,27 +98,19 @@ int ipforward_off(void)
 {
 	FILE *fp;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-	fp = fopen(proc_ipv4_forwarding, "w");
+		fp = fopen(proc_ipv4_forwarding, "w");
-	if (fp == NULL) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES,
-				  "Can't lower privileges, %s",
-				  safe_strerror(errno));
-		return -1;
-	}
+		if (fp == NULL) {
+			return -1;
+		}
-	fprintf(fp, "0\n");
+		fprintf(fp, "0\n");
-	fclose(fp);
+		fclose(fp);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
-			  safe_strerror(errno));
+	}
 	return ipforward();
 }
@@ -160,27 +144,19 @@ int ipforward_ipv6_on(void)
 {
 	FILE *fp;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-	fp = fopen(proc_ipv6_forwarding, "w");
+		fp = fopen(proc_ipv6_forwarding, "w");
-	if (fp == NULL) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES,
-				  "Can't lower privileges, %s",
-				  safe_strerror(errno));
-		return -1;
-	}
+		if (fp == NULL) {
+			return -1;
+		}
-	fprintf(fp, "1\n");
+		fprintf(fp, "1\n");
-	fclose(fp);
+		fclose(fp);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
-			  safe_strerror(errno));
+	}
 	return ipforward_ipv6();
 }
@@ -190,27 +166,19 @@ int ipforward_ipv6_off(void)
 {
 	FILE *fp;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-	fp = fopen(proc_ipv6_forwarding, "w");
+		fp = fopen(proc_ipv6_forwarding, "w");
-	if (fp == NULL) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES,
-				  "Can't lower privileges, %s",
-				  safe_strerror(errno));
-		return -1;
-	}
+		if (fp == NULL) {
+			return -1;
+		}
-	fprintf(fp, "0\n");
+		fprintf(fp, "0\n");
-	fclose(fp);
+		fclose(fp);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
-			  safe_strerror(errno));
+	}
 	return ipforward_ipv6();
 }
diff --git a/zebra/ipforward_solaris.c b/zebra/ipforward_solaris.c
index c44a1fb9c5..b06baa04a9 100644
--- a/zebra/ipforward_solaris.c
+++ b/zebra/ipforward_solaris.c
@@ -82,31 +82,21 @@ static int solaris_nd(const int cmd, const char *parameter, const int value)
 	strioctl.ic_len = ND_BUFFER_SIZE;
 	strioctl.ic_dp = nd_buf;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "solaris_nd: Can't raise privileges");
-	if ((fd = open(device, O_RDWR)) < 0) {
-		zlog_warn("failed to open device %s - %s", device,
-			  safe_strerror(errno));
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES,
-				  "solaris_nd: Can't lower privileges");
-		return -1;
-	}
-	if (ioctl(fd, I_STR, &strioctl) < 0) {
-		int save_errno = errno;
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES,
-				  "solaris_nd: Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		if ((fd = open(device, O_RDWR)) < 0) {
+			zlog_warn("failed to open device %s - %s", device,
+				  safe_strerror(errno));
+			return -1;
+		}
+		if (ioctl(fd, I_STR, &strioctl) < 0) {
+			close(fd);
+			zlog_warn("ioctl I_STR failed on device %s - %s",
+				  device,
+				  safe_strerror(errno));
+			return -1;
+		}
 		close(fd);
-		zlog_warn("ioctl I_STR failed on device %s - %s", device,
-			  safe_strerror(save_errno));
-		return -1;
 	}
-	close(fd);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "solaris_nd: Can't lower privileges");
 	if (cmd == ND_GET) {
 		errno = 0;
diff --git a/zebra/ipforward_sysctl.c b/zebra/ipforward_sysctl.c
index f0eaa1acea..9fa6366411 100644
--- a/zebra/ipforward_sysctl.c
+++ b/zebra/ipforward_sysctl.c
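Review bot: In solaris_nd the ioctl failure path now calls `close(fd)` before `safe_strerror(errno)`, so the warning can report whatever `close()` left in `errno` rather than the I_STR failure. The removed code captured the value first (`int save_errno = errno;`) and logged `safe_strerror(save_errno)`; the new lines dropped that. Restoring it inside the block is enough: `int save_errno = errno;` before `close(fd);`, then `safe_strerror(save_errno)` in the `zlog_warn` call.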
@@ -54,16 +54,12 @@ int ipforward_on(void)
 	int ipforwarding = 1;
 	len = sizeof ipforwarding;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		zlog_warn("Can't set ipforwarding on");
-		return -1;
+	frr_elevate_privs(&zserv_privs) {
+		if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
+			zlog_warn("Can't set ipforwarding on");
+			return -1;
+		}
 	}
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	return ipforwarding;
 }
@@ -73,16 +69,12 @@ int ipforward_off(void)
 	int ipforwarding = 0;
 	len = sizeof ipforwarding;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		zlog_warn("Can't set ipforwarding on");
-		return -1;
+	frr_elevate_privs(&zserv_privs) {
+		if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
+			zlog_warn("Can't set ipforwarding on");
+			return -1;
+		}
 	}
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	return ipforwarding;
 }
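Review bot: The re-indented warning in ipforward_off still reads `"Can't set ipforwarding on"` although the function writes 0, and ipforward_ipv6_on / ipforward_ipv6_off further down this file log `"can't get ip6forwarding value"` on a failed set. Someone reading logs after a failed forwarding change would be pointed at the wrong operation. Since these lines are being rewritten anyway, the messages could be corrected, e.g. `zlog_warn("Can't set ipforwarding off");` and `zlog_warn("can't set ip6forwarding value");`. These `zlog_warn` calls also now run inside the elevated block, where the old code lowered privileges before logging.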
@@ -101,16 +93,12 @@ int ipforward_ipv6(void)
 	int ip6forwarding = 0;
 	len = sizeof ip6forwarding;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	if (sysctl(mib_ipv6, MIB_SIZ, &ip6forwarding, &len, 0, 0) < 0) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		zlog_warn("can't get ip6forwarding value");
-		return -1;
+	frr_elevate_privs(&zserv_privs) {
+		if (sysctl(mib_ipv6, MIB_SIZ, &ip6forwarding, &len, 0, 0) < 0) {
+			zlog_warn("can't get ip6forwarding value");
+			return -1;
+		}
 	}
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	return ip6forwarding;
 }
@@ -120,16 +108,12 @@ int ipforward_ipv6_on(void)
 	int ip6forwarding = 1;
 	len = sizeof ip6forwarding;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		zlog_warn("can't get ip6forwarding value");
-		return -1;
+	frr_elevate_privs(&zserv_privs) {
+		if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
+			zlog_warn("can't get ip6forwarding value");
+			return -1;
+		}
 	}
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	return ip6forwarding;
 }
@@ -139,16 +123,12 @@ int ipforward_ipv6_off(void)
 	int ip6forwarding = 0;
 	len = sizeof ip6forwarding;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
-		if (zserv_privs.change(ZPRIVS_LOWER))
-			flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
-		zlog_warn("can't get ip6forwarding value");
-		return -1;
+	frr_elevate_privs(&zserv_privs) {
+		if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
+			zlog_warn("can't get ip6forwarding value");
+			return -1;
+		}
 	}
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
 	return ip6forwarding;
 }
diff --git a/zebra/irdp_main.c b/zebra/irdp_main.c
index 630eee5929..771ae796e1 100644
--- a/zebra/irdp_main.c
+++ b/zebra/irdp_main.c
@@ -81,18 +81,12 @@ int irdp_sock_init(void)
 	int save_errno;
 	int sock;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "irdp_sock_init: could not raise privs, %s",
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-	sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
-	save_errno = errno;
+		sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+		save_errno = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "irdp_sock_init: could not lower privs, %s",
-			  safe_strerror(errno));
+	}
 	if (sock < 0) {
 		zlog_warn("IRDP: can't create irdp socket %s",
diff --git a/zebra/kernel_netlink.c b/zebra/kernel_netlink.c
index 57a7f5273e..b397e95955 100644
--- a/zebra/kernel_netlink.c
+++ b/zebra/kernel_netlink.c
@@ -170,14 +170,11 @@ static int netlink_recvbuf(struct nlsock *nl, uint32_t newsize)
 	}
 	/* Try force option (linux >= 2.6.14) and fall back to normal set */
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "routing_socket: Can't raise privileges");
-	ret = setsockopt(nl->sock, SOL_SOCKET, SO_RCVBUFFORCE, &nl_rcvbufsize,
-			 sizeof(nl_rcvbufsize));
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "routing_socket: Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		ret = setsockopt(nl->sock, SOL_SOCKET, SO_RCVBUFFORCE,
+				 &nl_rcvbufsize,
+				 sizeof(nl_rcvbufsize));
+	}
 	if (ret < 0)
 		ret = setsockopt(nl->sock, SOL_SOCKET, SO_RCVBUF,
 				 &nl_rcvbufsize, sizeof(nl_rcvbufsize));
@@ -957,12 +954,10 @@ int netlink_talk(int (*filter)(struct nlmsghdr *, ns_id_t, int startup),
 			n->nlmsg_flags);
 	/* Send message to netlink interface. */
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	status = sendmsg(nl->sock, &msg, 0);
-	save_errno = errno;
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		status = sendmsg(nl->sock, &msg, 0);
+		save_errno = errno;
+	}
 	if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_SEND) {
 		zlog_debug("%s: >> netlink message dump [sent]", __func__);
diff --git a/zebra/rt_socket.c b/zebra/rt_socket.c
index 8910aa8f60..c0ad87ce39 100644
--- a/zebra/rt_socket.c
+++ b/zebra/rt_socket.c
@@ -403,17 +403,15 @@ enum dp_req_result kernel_route_rib(struct route_node *rn,
 		return DP_REQUEST_FAILURE;
 	}
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
+	frr_elevate_privs(&zserv_privs) {
-	if (old)
-		route |= kernel_rtm(RTM_DELETE, p, old);
+		if (old)
+			route |= kernel_rtm(RTM_DELETE, p, old);
-	if (new)
-		route |= kernel_rtm(RTM_ADD, p, new);
+		if (new)
+			route |= kernel_rtm(RTM_ADD, p, new);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	}
 	if (new) {
 		kernel_route_rib_pass_fail(
diff --git a/zebra/rtadv.c b/zebra/rtadv.c
index c8c66853ac..4f89b5e761 100644
--- a/zebra/rtadv.c
+++ b/zebra/rtadv.c
@@ -630,17 +630,11 @@ static int rtadv_make_socket(ns_id_t ns_id)
 	int ret = 0;
 	struct icmp6_filter filter;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "rtadv_make_socket: could not raise privs, %s",
-			  safe_strerror(errno));
+	frr_elevate_privs(&zserv_privs) {
-	sock = ns_socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6, ns_id);
+		sock = ns_socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6, ns_id);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES,
-			  "rtadv_make_socket: could not lower privs, %s",
-			  safe_strerror(errno));
+	}
 	if (sock < 0) {
 		return -1;
diff --git a/zebra/zebra_mpls_openbsd.c b/zebra/zebra_mpls_openbsd.c
index 04c42f1ee7..542de27e83 100644
--- a/zebra/zebra_mpls_openbsd.c
+++ b/zebra/zebra_mpls_openbsd.c
@@ -117,11 +117,9 @@ static int kernel_send_rtmsg_v4(int action, mpls_label_t in_label,
 			hdr.rtm_mpls = MPLS_OP_SWAP;
 	}
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	ret = writev(kr_state.fd, iov, iovcnt);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		ret = writev(kr_state.fd, iov, iovcnt);
+	}
 	if (ret == -1)
 		flog_err_sys(LIB_ERR_SOCKET, "%s: %s", __func__,
@@ -226,11 +224,9 @@ static int kernel_send_rtmsg_v6(int action, mpls_label_t in_label,
 			hdr.rtm_mpls = MPLS_OP_SWAP;
 	}
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	ret = writev(kr_state.fd, iov, iovcnt);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		ret = writev(kr_state.fd, iov, iovcnt);
+	}
 	if (ret == -1)
 		flog_err_sys(LIB_ERR_SOCKET, "%s: %s", __func__,
diff --git a/zebra/zebra_netns_notify.c b/zebra/zebra_netns_notify.c
index 2b2da599a8..2b7bf04ec3 100644
--- a/zebra/zebra_netns_notify.c
+++ b/zebra/zebra_netns_notify.c
@@ -76,11 +76,9 @@ static void zebra_ns_notify_create_context_from_entry_name(const char *name)
 	if (netnspath == NULL)
 		return;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	ns_id = zebra_ns_id_get(netnspath);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		ns_id = zebra_ns_id_get(netnspath);
+	}
 	if (ns_id == NS_UNKNOWN)
 		return;
 	ns_id_external = ns_map_nsid_with_external(ns_id, true);
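Review bot: In kernel_send_rtmsg_v4 the `writev()` result is checked only after the elevated block has closed, and the `flog_err_sys(LIB_ERR_SOCKET, "%s: %s", __func__,` call is cut off by the hunk, so its last argument is not visible. If it formats `errno`, the value may already have been overwritten by whatever the macro does to drop privileges at the closing brace. netlink_talk in zebra/kernel_netlink.c avoids this by storing `save_errno = errno;` inside the block; the same one-line capture after `ret = writev(kr_state.fd, iov, iovcnt);` would make the report reliable here and in kernel_send_rtmsg_v6.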
@@ -97,12 +95,10 @@ static void zebra_ns_notify_create_context_from_entry_name(const char *name)
 		ns_map_nsid_with_external(ns_id, false);
 		return;
 	}
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	ret = vrf_netns_handler_create(NULL, vrf, netnspath,
-				       ns_id_external, ns_id);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		ret = vrf_netns_handler_create(NULL, vrf, netnspath,
+					       ns_id_external, ns_id);
+	}
 	if (ret != CMD_SUCCESS) {
 		zlog_warn("NS notify : failed to create NS %s", netnspath);
 		ns_map_nsid_with_external(ns_id, false);
@@ -169,20 +165,16 @@ static int zebra_ns_ready_read(struct thread *t)
 	netnspath = zns_info->netnspath;
 	if (--zns_info->retries == 0)
 		stop_retry = 1;
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	err = ns_switch_to_netns(netnspath);
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		err = ns_switch_to_netns(netnspath);
+	}
 	if (err < 0)
 		return zebra_ns_continue_read(zns_info, stop_retry);
 	/* go back to default ns */
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	err = ns_switchback_to_initial();
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		err = ns_switchback_to_initial();
+	}
 	if (err < 0)
 		return zebra_ns_continue_read(zns_info, stop_retry);
diff --git a/zebra/zebra_ns.c b/zebra/zebra_ns.c
index 7bf5ced934..456253cc30 100644
--- a/zebra/zebra_ns.c
+++ b/zebra/zebra_ns.c
@@ -315,11 +315,9 @@ int zebra_ns_init(void)
 	dzns = zebra_ns_alloc();
-	if (zserv_privs.change(ZPRIVS_RAISE))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-	ns_id = zebra_ns_id_get_default();
-	if (zserv_privs.change(ZPRIVS_LOWER))
-		flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+	frr_elevate_privs(&zserv_privs) {
+		ns_id = zebra_ns_id_get_default();
+	}
 	ns_id_external = ns_map_nsid_with_external(ns_id, true);
 	ns_init_management(ns_id_external, ns_id);
|
