Sync with c8-beta

2024-01-12 13:40:50 +00:00 · 2024-01-12 13:40:50 +00:00 · 742d4de4d8
parent 45da74035f
commit 742d4de4d8
7 changed files with 324 additions and 139 deletions
--- a/.frr.metadata
+++ b/.frr.metadata
@ -1,2 +1 @@
 dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
-e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
 SOURCES/frr-7.5.1.tar.gz
-SOURCES/frr.if
--- a/SOURCES/0015-CVE-2023-38802.patch
+++ b/SOURCES/0015-CVE-2023-38802.patch
@ -1,128 +0,0 @@
-From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001
-From: Donatas Abraitis <donatas@opensourcerouting.org>
-Date: Thu, 13 Jul 2023 22:32:03 +0300
-Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation
- attribute
-
-Before this path we used session reset method, which is discouraged by rfc7606.
-
-Handle this as rfc requires.
-
-Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
- bgpd/bgp_attr.c | 61 ++++++++++++++++++++-----------------------------
- 1 file changed, 25 insertions(+), 36 deletions(-)
-
-diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c
-index dcf0f4d47cfb..8c53191d680f 100644
--- a/bgpd/bgp_attr.c
-+++ b/bgpd/bgp_attr.c
-@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode,
- 	case BGP_ATTR_LARGE_COMMUNITIES:
- 	case BGP_ATTR_ORIGINATOR_ID:
- 	case BGP_ATTR_CLUSTER_LIST:
-+	case BGP_ATTR_ENCAP:
- 		return BGP_ATTR_PARSE_WITHDRAW;
- 	case BGP_ATTR_MP_REACH_NLRI:
- 	case BGP_ATTR_MP_UNREACH_NLRI:
-@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args)
- }
- 
- /* Parse Tunnel Encap attribute in an UPDATE */
-static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
-			  bgp_size_t length, /* IN: attr's length field */
-			  struct attr *attr, /* IN: caller already allocated */
-			  uint8_t flag,      /* IN: attr's flags field */
-			  uint8_t *startp)
-+static int bgp_attr_encap(struct bgp_attr_parser_args *args)
- {
-	bgp_size_t total;
- 	uint16_t tunneltype = 0;
-
-	total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3);
-+	struct peer *const peer = args->peer;
-+	struct attr *const attr = args->attr;
-+	bgp_size_t length = args->length;
-+	uint8_t type = args->type;
-+	uint8_t flag = args->flags;
- 
- 	if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS)
- 	    || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) {
-		zlog_info(
-			"Tunnel Encap attribute flag isn't optional and transitive %d",
-			flag);
-		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
-					  BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR,
-					  startp, total);
-		return -1;
-+		zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d",
-+			 flag);
-+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
-+					  args->total);
- 	}
- 
- 	if (BGP_ATTR_ENCAP == type) {
-@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
- 		uint16_t tlv_length;
- 
- 		if (length < 4) {
-			zlog_info(
-+			zlog_err(
- 				"Tunnel Encap attribute not long enough to contain outer T,L");
-			bgp_notify_send_with_data(
-				peer, BGP_NOTIFY_UPDATE_ERR,
-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
-			return -1;
-+			return bgp_attr_malformed(args,
-+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
-+						  args->total);
- 		}
- 		tunneltype = stream_getw(BGP_INPUT(peer));
- 		tlv_length = stream_getw(BGP_INPUT(peer));
-@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
- 		}
- 
- 		if (sublength > length) {
-			zlog_info(
-				"Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
-				sublength, length);
-			bgp_notify_send_with_data(
-				peer, BGP_NOTIFY_UPDATE_ERR,
-				BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total);
-			return -1;
-+			zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d",
-+				 sublength, length);
-+			return bgp_attr_malformed(args,
-+						  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
-+						  args->total);
- 		}
- 
- 		/* alloc and copy sub-tlv */
-@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */
- 
- 	if (length) {
- 		/* spurious leftover data */
-		zlog_info(
-			"Tunnel Encap attribute length is bad: %d leftover octets",
-			length);
-		bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR,
-					  BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
-					  startp, total);
-		return -1;
-+		zlog_err("Tunnel Encap attribute length is bad: %d leftover octets",
-+			 length);
-+		return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR,
-+					  args->total);
- 	}
- 
- 	return 0;
-@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr,
- 		case BGP_ATTR_VNC:
- #endif
- 		case BGP_ATTR_ENCAP:
-			ret = bgp_attr_encap(type, peer, length, attr, flag,
-					     startp);
-+			ret = bgp_attr_encap(&attr_args);
- 			break;
- 		case BGP_ATTR_PREFIX_SID:
- 			ret = bgp_attr_prefix_sid(&attr_args);
--- a/SOURCES/0015-max-ttl-reload.patch
+++ b/SOURCES/0015-max-ttl-reload.patch
@ -0,0 +1,93 @@
+From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Mon, 21 Aug 2023 00:01:42 +0300
+Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop
+ vty output
+
+1. Create /etc/frr/frr.conf
+```
+frr version 7.5
+frr defaults traditional
+hostname centos8.localdomain
+no ip forwarding
+no ipv6 forwarding
+service integrated-vtysh-config
+line vty
+router bgp 4250001000
+  neighbor 192.168.122.207 remote-as 65512
+  neighbor 192.168.122.207 ebgp-multihop
+```
+
+2. Start FRR
+`# systemctl start frr
+`
+3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225)
+
+```
+Building configuration...
+
+Current configuration:
+!
+frr version 7.5
+frr defaults traditional
+hostname centos8.localdomain
+no ip forwarding
+no ipv6 forwarding
+service integrated-vtysh-config
+!
+router bgp 4250001000
+ neighbor 192.168.122.207 remote-as 65512
+ neighbor 192.168.122.207 ebgp-multihop 255
+!
+line vty
+!
+end
+```
+4. Copy initial frr.conf to frr.conf.new (no changes)
+`# cp /etc/frr/frr.conf /root/frr.conf.new
+`
+5. Run frr-reload.sh:
+
+```
+$ /usr/lib/frr/frr-reload.py --test  /root/frr.conf.new
+2023-08-20 20:15:48,050  INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)"
+2023-08-20 20:15:48,050  INFO: Loading Config object from file /root/frr.conf.new
+2023-08-20 20:15:48,124  INFO: Loading Config object from vtysh show running
+
+Lines To Delete
+===============
+router bgp 4250001000
+ no neighbor 192.168.122.207 ebgp-multihop 255
+
+Lines To Add
+============
+router bgp 4250001000
+ neighbor 192.168.122.207 ebgp-multihop
+```
+
+Closes https://github.com/FRRouting/frr/issues/14242
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgp_vty.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c
+index be0fe4283747..c9a9255f3392 100644
+--- a/bgpd/bgp_vty.c
+++ b/bgpd/bgp_vty.c
+@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp,
+ 	    && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED
+ 		 && peer->ttl == MAXTTL)) {
+ 		if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) {
+-			vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr,
+-				peer->ttl);
+			if (peer->ttl != MAXTTL)
+				vty_out(vty, " neighbor %s ebgp-multihop %d\n",
+					addr, peer->ttl);
+			else
+				vty_out(vty, " neighbor %s ebgp-multihop\n",
+					addr);
+ 		}
+ 	}
+ 
--- a/SOURCES/frr.if
+++ b/SOURCES/frr.if
@ -0,0 +1,206 @@
+## <summary>policy for frr</summary>
+
+########################################
+## <summary>
+##	Execute frr_exec_t in the frr domain.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`frr_domtrans',`
+	gen_require(`
+		type frr_t, frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, frr_exec_t, frr_t)
+')
+
+######################################
+## <summary>
+##	Execute frr in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_exec',`
+	gen_require(`
+		type frr_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, frr_exec_t)
+')
+
+########################################
+## <summary>
+##	Read frr's log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`frr_read_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	read_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Append to frr log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_append_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	append_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Manage frr log files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_manage_log',`
+	gen_require(`
+		type frr_log_t;
+	')
+
+	manage_dirs_pattern($1, frr_log_t, frr_log_t)
+	manage_files_pattern($1, frr_log_t, frr_log_t)
+	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+')
+
+########################################
+## <summary>
+##	Read frr PID files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_read_pid_files',`
+	gen_require(`
+		type frr_var_run_t;
+	')
+
+	files_search_pids($1)
+	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
+')
+
+########################################
+## <summary>
+##	All of the rules required to administrate
+##	an frr environment
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`frr_admin',`
+	gen_require(`
+		type frr_t;
+		type frr_log_t;
+		type frr_var_run_t;
+	')
+
+	allow $1 frr_t:process { signal_perms };
+	ps_process_pattern($1, frr_t)
+
+	tunable_policy(`deny_ptrace',`',`
+		allow $1 frr_t:process ptrace;
+	')
+
+	admin_pattern($1, frr_log_t)
+
+	files_search_pids($1)
+	admin_pattern($1, frr_var_run_t)
+	optional_policy(`
+		logging_search_logs($1)
+	')
+	optional_policy(`
+		systemd_passwd_agent_exec($1)
+		systemd_read_fifo_file_passwd_run($1)
+	')
+')
+
+########################################
+## <summary>
+##  Read ifconfig_var_run_t files and link files
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+ifndef(`sysnet_read_ifconfig_run',`
+  interface(`sysnet_read_ifconfig_run',`
+    gen_require(`
+      type ifconfig_var_run_t;
+    ')
+
+    manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+    list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+    read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+    read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
+  ')
+')
+
+########################################
+## <summary>
+##  Read unconfined_t files and dirs
+## </summary>
+## <param name="domain">
+##  <summary>
+##      Domain allowed access.
+##  </summary>
+## </param>
+#
+ifndef(`unconfined_read_files',`
+  interface(`unconfined_read_files',`
+    gen_require(`
+      type unconfined_t;
+    ')
+
+    allow $1 unconfined_t:file read_file_perms;
+    allow $1 unconfined_t:dir list_dir_perms;
+  ')
+')
--- a/SOURCES/frr.te
+++ b/SOURCES/frr.te
@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
 allow frr_t self:packet_socket create;
 allow frr_t self:process { setcap setpgid };
@ -96,6 +96,7 @@ fs_read_nsfs_files(frr_t)
 fs_search_cgroup_dirs(frr_t)

 sysnet_exec_ifconfig(frr_t)
+sysnet_read_ifconfig_run(frr_t)

 userdom_read_admin_home_files(frr_t)

@ -107,6 +108,10 @@ optional_policy(`
 	logging_send_syslog_msg(frr_t)
 ')

+optional_policy(`
+  unconfined_read_files(frr_t)
+')
+
 optional_policy(`
 	modutils_exec_kmod(frr_t)
 	modutils_getattr_module_deps(frr_t)
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -7,7 +7,7 @@

 Name: frr
 Version: 7.5.1
-Release: 7%{?checkout}%{?dist}.2.alma.1
+Release: 13%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@ -53,11 +53,8 @@ Patch0010: 0010-moving-executables.patch
 Patch0011: 0011-reload-bfd-profile.patch
 Patch0012: 0012-graceful-restart.patch
 Patch0013: 0013-CVE-2022-37032.patch
-# Patches were taken from upstream and modified to apply cleanly: 
-# https://git.almalinux.org/rpms/frr/raw/commit/7599d0ae96d0c1d1f42ae62e1f885ee58ed5b0cd/SOURCES/0010-CVE-2023-38802.patch
 Patch0014: 0014-bfd-profile-crash.patch
-# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/7e4d5613074b57d55f0ab900c85e20afccf1fbd4/0014-bfd-profile-crash.patch
-Patch0015: 0015-CVE-2023-38802.patch
+Patch0015: 0015-max-ttl-reload.patch

 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -278,9 +275,23 @@ make check PYTHON=%{__python3}
 %endif

 %changelog
-* Wed Sep 20 2023 Eduard Abdullin <eabdullin@almalinux.org> - 7.5.1-7.2.alma.1
- Fix CVE-2023-38802
- bfdd: remove profiles when removing bfd node
+* Tue Oct 10 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-13
+- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration
+
+* Wed Aug 23 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-12
+- Resolves: #2216911 - Adding missing sys_admin SELinux call
+
+* Mon Aug 21 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-11
+- Related: #2216911 - Adding unconfined_t type to access namespaces
+
+* Thu Aug 17 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-10
+- Related: #2226803 - Adding patch
+
+* Wed Aug 16 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-9
+- Resolves: #2226803 - BFD crash in FRR running in MetalLB
+
+* Fri Aug 11 2023 Michal Ruprich <mruprich@redhat.com> - 7.5.1-8
+- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces

 * Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
 - Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service