diff options
author | Chris Luke <chrisy@flirble.org> | 2011-10-18 17:26:51 +0400 |
---|---|---|
committer | Denis Ovsienko <infrastation@yandex.ru> | 2011-11-15 20:57:02 +0400 |
commit | 5c88f19d5b166c6afa8a9b8501badb785afa553b (patch) | |
tree | 98261a13d284bb6b3fe0028a3d17e50c763fc324 | |
parent | 4de148e5d6f6f7885b2c0952a236a3bc3ec36250 (diff) |
bgpd: justify capabilities for TOS setting
To set the TOS bits on TCP connections, platforms that restrict
capabilities need the priv level to be raised before the sockopt
is set, and this requires the ZCAP_NET_ADMIN priv.
* bgp_main.c: update _caps_p to include ZCAP_NET_ADMIN
* bgp_network.c
* bgp_connect(): request ZPRIVS_RAISE/ZPRIVS_LOWER
* bgp_listener(): request ZPRIVS_RAISE earlier
-rw-r--r-- | bgpd/bgp_main.c | 1 | ||||
-rw-r--r-- | bgpd/bgp_network.c | 14 |
2 files changed, 10 insertions, 5 deletions
diff --git a/bgpd/bgp_main.c b/bgpd/bgp_main.c index 1a460c6b..0e85d57e 100644 --- a/bgpd/bgp_main.c +++ b/bgpd/bgp_main.c @@ -119,6 +119,7 @@ static zebra_capabilities_t _caps_p [] = { ZCAP_BIND, ZCAP_NET_RAW, + ZCAP_NET_ADMIN, }; struct zebra_privs_t bgpd_privs = diff --git a/bgpd/bgp_network.c b/bgpd/bgp_network.c index c8ff87a6..52c72b67 100644 --- a/bgpd/bgp_network.c +++ b/bgpd/bgp_network.c @@ -328,12 +328,16 @@ bgp_connect (struct peer *peer) sockopt_reuseport (peer->fd); #ifdef IPTOS_PREC_INTERNETCONTROL + if (bgpd_privs.change (ZPRIVS_RAISE)) + zlog_err ("%s: could not raise privs", __func__); if (sockunion_family (&peer->su) == AF_INET) setsockopt_ipv4_tos (peer->fd, IPTOS_PREC_INTERNETCONTROL); # ifdef HAVE_IPV6 else if (sockunion_family (&peer->su) == AF_INET6) setsockopt_ipv6_tclass (peer->fd, IPTOS_PREC_INTERNETCONTROL); # endif + if (bgpd_privs.change (ZPRIVS_LOWER)) + zlog_err ("%s: could not lower privs", __func__); #endif if (peer->password) @@ -390,6 +394,9 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen) sockopt_reuseaddr (sock); sockopt_reuseport (sock); + if (bgpd_privs.change (ZPRIVS_RAISE)) + zlog_err ("%s: could not raise privs", __func__); + #ifdef IPTOS_PREC_INTERNETCONTROL if (sa->sa_family == AF_INET) setsockopt_ipv4_tos (sock, IPTOS_PREC_INTERNETCONTROL); @@ -408,13 +415,10 @@ bgp_listener (int sock, struct sockaddr *sa, socklen_t salen) } #endif - if (bgpd_privs.change (ZPRIVS_RAISE) ) - zlog_err ("bgp_socket: could not raise privs"); - ret = bind (sock, sa, salen); en = errno; - if (bgpd_privs.change (ZPRIVS_LOWER) ) - zlog_err ("bgp_bind_address: could not lower privs"); + if (bgpd_privs.change (ZPRIVS_LOWER)) + zlog_err ("%s: could not lower privs", __func__); if (ret < 0) { |