authorChris Luke <chrisy@flirble.org>2011-10-18 17:26:51 +0400
committerDenis Ovsienko <infrastation@yandex.ru>2011-11-15 20:57:02 +0400
commit5c88f19d5b166c6afa8a9b8501badb785afa553b (patch)
tree98261a13d284bb6b3fe0028a3d17e50c763fc324
parent4de148e5d6f6f7885b2c0952a236a3bc3ec36250 (diff)
bgpd: justify capabilities for TOS setting
To set the TOS bits on TCP connections, platforms that restrict capabilities need the priv level to be raised before the sockopt is set, and this requires the ZCAP_NET_ADMIN priv. * bgp_main.c: update _caps_p to include ZCAP_NET_ADMIN * bgp_network.c * bgp_connect(): request ZPRIVS_RAISE/ZPRIVS_LOWER * bgp_listener(): request ZPRIVS_RAISE earlier
-rw-r--r--bgpd/bgp_main.c1
-rw-r--r--bgpd/bgp_network.c14
2 files changed, 10 insertions, 5 deletions
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c
index 1a460c6b..0e85d57e 100644
--- a/bgpd/bgp_main.c
+++ b/bgpd/bgp_main.c
@@ -119,6 +119,7 @@ static zebra_capabilities_t _caps_p [] =
{
ZCAP_BIND,
ZCAP_NET_RAW,
+ ZCAP_NET_ADMIN,
};
struct zebra_privs_t bgpd_privs =
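Review bot: The new ZCAP_NET_ADMIN entry in _caps_p says nothing about why bgpd needs it, and it is the broadest capability in this list, so the next reviewer of the privilege set has to go back to the commit message to justify it; a one-line comment at the entry would keep that justification with the code, e.g. `ZCAP_NET_ADMIN, /* set IP_TOS/IPV6_TCLASS on BGP sockets (bgp_network.c) */`. _caps_p appears to be the set the daemon keeps available for its whole lifetime rather than only inside a raised window, so the addition widens what the process can do if it is ever compromised; whether every platform that defines IPTOS_PREC_INTERNETCONTROL actually requires it for the TOS sockopt cannot be confirmed from this hunk.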
diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c
index c8ff87a6..52c72b67 100644
--- a/bgpd/bgp_network.c
+++ b/bgpd/bgp_network.c
@@ -328,12 +328,16 @@ bgp_connect (struct peer *peer)
sockopt_reuseport (peer->fd);
#ifdef IPTOS_PREC_INTERNETCONTROL
+ if (bgpd_privs.change (ZPRIVS_RAISE))
+ zlog_err ("%s: could not raise privs", __func__);
if (sockunion_family (&peer->su) == AF_INET)
setsockopt_ipv4_tos (peer->fd, IPTOS_PREC_INTERNETCONTROL);
# ifdef HAVE_IPV6
else if (sockunion_family (&peer->su) == AF_INET6)
setsockopt_ipv6_tclass (peer->fd, IPTOS_PREC_INTERNETCONTROL);
# endif
+ if (bgpd_privs.change (ZPRIVS_LOWER))
+ zlog_err ("%s: could not lower privs", __func__);
#endif
if (peer->password)
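Review bot: When the added ZPRIVS_RAISE fails, bgp_connect only logs and then goes on to call setsockopt_ipv4_tos/setsockopt_ipv6_tclass, whose results are not checked, so an EPERM from the TOS sockopt is lost silently and the peer connects with default TOS. If those helpers return the setsockopt status (they appear to, but their definitions are outside this hunk), logging a non-zero result next to the existing zlog_err would make the failure visible, e.g. `if (setsockopt_ipv4_tos (peer->fd, IPTOS_PREC_INTERNETCONTROL) < 0) zlog_warn ("%s: could not set TOS", __func__);` and the same for the IPv6 branch. The raised window itself is correctly limited to the two sockopt calls, with ZPRIVS_LOWER attempted even if the raise failed. bgp_connect's body continues outside the hunk.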
@@ -390,6 +394,9 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen)
sockopt_reuseaddr (sock);
sockopt_reuseport (sock);
+ if (bgpd_privs.change (ZPRIVS_RAISE))
+ zlog_err ("%s: could not raise privs", __func__);
+
#ifdef IPTOS_PREC_INTERNETCONTROL
if (sa->sa_family == AF_INET)
setsockopt_ipv4_tos (sock, IPTOS_PREC_INTERNETCONTROL);
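Review bot: Moving ZPRIVS_RAISE ahead of the TOS block extends the elevated window in bgp_listener from here through the IPv6 block to the ZPRIVS_LOWER that the last hunk leaves after bind(), and nothing in the code records that invariant, so any early return added in that stretch (the IPv6 block between the two hunks is only partly visible) would leave the process running elevated. A comment at the raise would make the contract explicit, e.g. `/* privs stay raised until the ZPRIVS_LOWER after bind(); do not return early in between */`. The raise is also now unconditional rather than under IPTOS_PREC_INTERNETCONTROL, which is consistent with bind() needing it anyway, but it means the TOS sockopt result on the next line is still unchecked while privileged. bgp_listener's body continues outside the hunk.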
@@ -408,13 +415,10 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen)
}
#endif
- if (bgpd_privs.change (ZPRIVS_RAISE) )
- zlog_err ("bgp_socket: could not raise privs");
-
ret = bind (sock, sa, salen);
en = errno;
- if (bgpd_privs.change (ZPRIVS_LOWER) )
- zlog_err ("bgp_bind_address: could not lower privs");
+ if (bgpd_privs.change (ZPRIVS_LOWER))
+ zlog_err ("%s: could not lower privs", __func__);
if (ret < 0)
{
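Review bot: `en = errno;` is captured before the new `bgpd_privs.change (ZPRIVS_LOWER)` call, presumably because change() can overwrite errno before the `if (ret < 0)` branch reports the bind failure, but that ordering dependency is not written down and is easy to break when the lower call is next moved (as this commit moved the raise). A short comment would record it: `en = errno; /* save before change(): it may clobber errno */`. The consolidation of the two raise/lower sites into one __func__-based pair is consistent with the bgp_connect hunk. bgp_listener's body continues outside the hunk.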