diff --git a/.frr.metadata b/.frr.metadata index 86591ca..fe0c737 100644 --- a/.frr.metadata +++ b/.frr.metadata @@ -1,2 +1 @@ dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz -e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if diff --git a/.gitignore b/.gitignore index 6f9e306..c0a706d 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1 @@ SOURCES/frr-7.5.1.tar.gz -SOURCES/frr.if diff --git a/SOURCES/0015-CVE-2023-38802.patch b/SOURCES/0015-CVE-2023-38802.patch deleted file mode 100644 index e745b5f..0000000 --- a/SOURCES/0015-CVE-2023-38802.patch +++ /dev/null @@ -1,128 +0,0 @@ -From bcb6b58d9530173df41d3a3cbc4c600ee0b4b186 Mon Sep 17 00:00:00 2001 -From: Donatas Abraitis -Date: Thu, 13 Jul 2023 22:32:03 +0300 -Subject: [PATCH] bgpd: Use treat-as-withdraw for tunnel encapsulation - attribute - -Before this path we used session reset method, which is discouraged by rfc7606. - -Handle this as rfc requires. - -Signed-off-by: Donatas Abraitis ---- - bgpd/bgp_attr.c | 61 ++++++++++++++++++++----------------------------- - 1 file changed, 25 insertions(+), 36 deletions(-) - -diff --git a/bgpd/bgp_attr.c b/bgpd/bgp_attr.c -index dcf0f4d47cfb..8c53191d680f 100644 ---- a/bgpd/bgp_attr.c -+++ b/bgpd/bgp_attr.c -@@ -1301,6 +1301,7 @@ bgp_attr_malformed(struct bgp_attr_parser_args *args, uint8_t subcode, - case BGP_ATTR_LARGE_COMMUNITIES: - case BGP_ATTR_ORIGINATOR_ID: - case BGP_ATTR_CLUSTER_LIST: -+ case BGP_ATTR_ENCAP: - return BGP_ATTR_PARSE_WITHDRAW; - case BGP_ATTR_MP_REACH_NLRI: - case BGP_ATTR_MP_UNREACH_NLRI: -@@ -2434,26 +2435,21 @@ bgp_attr_ipv6_ext_communities(struct bgp_attr_parser_args *args) - } - - /* Parse Tunnel Encap attribute in an UPDATE */ --static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ -- bgp_size_t length, /* IN: attr's length field */ -- struct attr *attr, /* IN: caller already allocated */ -- uint8_t flag, /* IN: attr's flags field */ -- uint8_t *startp) -+static int bgp_attr_encap(struct bgp_attr_parser_args *args) - { -- bgp_size_t total; - uint16_t tunneltype = 0; -- -- total = length + (CHECK_FLAG(flag, BGP_ATTR_FLAG_EXTLEN) ? 4 : 3); -+ struct peer *const peer = args->peer; -+ struct attr *const attr = args->attr; -+ bgp_size_t length = args->length; -+ uint8_t type = args->type; -+ uint8_t flag = args->flags; - - if (!CHECK_FLAG(flag, BGP_ATTR_FLAG_TRANS) - || !CHECK_FLAG(flag, BGP_ATTR_FLAG_OPTIONAL)) { -- zlog_info( -- "Tunnel Encap attribute flag isn't optional and transitive %d", -- flag); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_ATTR_FLAG_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute flag isn't optional and transitive %d", -+ flag); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - if (BGP_ATTR_ENCAP == type) { -@@ -2461,12 +2457,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - uint16_t tlv_length; - - if (length < 4) { -- zlog_info( -+ zlog_err( - "Tunnel Encap attribute not long enough to contain outer T,L"); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - tunneltype = stream_getw(BGP_INPUT(peer)); - tlv_length = stream_getw(BGP_INPUT(peer)); -@@ -2496,13 +2491,11 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - } - - if (sublength > length) { -- zlog_info( -- "Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -- sublength, length); -- bgp_notify_send_with_data( -- peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute sub-tlv length %d exceeds remaining length %d", -+ sublength, length); -+ return bgp_attr_malformed(args, -+ BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - /* alloc and copy sub-tlv */ -@@ -2550,13 +2543,10 @@ static int bgp_attr_encap(uint8_t type, struct peer *peer, /* IN */ - - if (length) { - /* spurious leftover data */ -- zlog_info( -- "Tunnel Encap attribute length is bad: %d leftover octets", -- length); -- bgp_notify_send_with_data(peer, BGP_NOTIFY_UPDATE_ERR, -- BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -- startp, total); -- return -1; -+ zlog_err("Tunnel Encap attribute length is bad: %d leftover octets", -+ length); -+ return bgp_attr_malformed(args, BGP_NOTIFY_UPDATE_OPT_ATTR_ERR, -+ args->total); - } - - return 0; -@@ -3396,8 +3386,7 @@ enum bgp_attr_parse_ret bgp_attr_parse(struct peer *peer, struct attr *attr, - case BGP_ATTR_VNC: - #endif - case BGP_ATTR_ENCAP: -- ret = bgp_attr_encap(type, peer, length, attr, flag, -- startp); -+ ret = bgp_attr_encap(&attr_args); - break; - case BGP_ATTR_PREFIX_SID: - ret = bgp_attr_prefix_sid(&attr_args); diff --git a/SOURCES/0015-max-ttl-reload.patch b/SOURCES/0015-max-ttl-reload.patch new file mode 100644 index 0000000..e68a221 --- /dev/null +++ b/SOURCES/0015-max-ttl-reload.patch @@ -0,0 +1,93 @@ +From 767aaa3a80489bfc4ff097f932fc347e3db25b89 Mon Sep 17 00:00:00 2001 +From: Donatas Abraitis +Date: Mon, 21 Aug 2023 00:01:42 +0300 +Subject: [PATCH] bgpd: Do not explicitly print MAXTTL value for ebgp-multihop + vty output + +1. Create /etc/frr/frr.conf +``` +frr version 7.5 +frr defaults traditional +hostname centos8.localdomain +no ip forwarding +no ipv6 forwarding +service integrated-vtysh-config +line vty +router bgp 4250001000 + neighbor 192.168.122.207 remote-as 65512 + neighbor 192.168.122.207 ebgp-multihop +``` + +2. Start FRR +`# systemctl start frr +` +3. Show running configuration. Note that FRR explicitly set and shows the default TTL (225) + +``` +Building configuration... + +Current configuration: +! +frr version 7.5 +frr defaults traditional +hostname centos8.localdomain +no ip forwarding +no ipv6 forwarding +service integrated-vtysh-config +! +router bgp 4250001000 + neighbor 192.168.122.207 remote-as 65512 + neighbor 192.168.122.207 ebgp-multihop 255 +! +line vty +! +end +``` +4. Copy initial frr.conf to frr.conf.new (no changes) +`# cp /etc/frr/frr.conf /root/frr.conf.new +` +5. Run frr-reload.sh: + +``` +$ /usr/lib/frr/frr-reload.py --test /root/frr.conf.new +2023-08-20 20:15:48,050 INFO: Called via "Namespace(bindir='/usr/bin', confdir='/etc/frr', daemon='', debug=False, filename='/root/frr.conf.new', input=None, log_level='info', overwrite=False, pathspace=None, reload=False, rundir='/var/run/frr', stdout=False, test=True, vty_socket=None)" +2023-08-20 20:15:48,050 INFO: Loading Config object from file /root/frr.conf.new +2023-08-20 20:15:48,124 INFO: Loading Config object from vtysh show running + +Lines To Delete +=============== +router bgp 4250001000 + no neighbor 192.168.122.207 ebgp-multihop 255 + +Lines To Add +============ +router bgp 4250001000 + neighbor 192.168.122.207 ebgp-multihop +``` + +Closes https://github.com/FRRouting/frr/issues/14242 + +Signed-off-by: Donatas Abraitis +--- + bgpd/bgp_vty.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/bgpd/bgp_vty.c b/bgpd/bgp_vty.c +index be0fe4283747..c9a9255f3392 100644 +--- a/bgpd/bgp_vty.c ++++ b/bgpd/bgp_vty.c +@@ -17735,8 +17735,12 @@ static void bgp_config_write_peer_global(struct vty *vty, struct bgp *bgp, + && !(peer->gtsm_hops != BGP_GTSM_HOPS_DISABLED + && peer->ttl == MAXTTL)) { + if (!peer_group_active(peer) || g_peer->ttl != peer->ttl) { +- vty_out(vty, " neighbor %s ebgp-multihop %d\n", addr, +- peer->ttl); ++ if (peer->ttl != MAXTTL) ++ vty_out(vty, " neighbor %s ebgp-multihop %d\n", ++ addr, peer->ttl); ++ else ++ vty_out(vty, " neighbor %s ebgp-multihop\n", ++ addr); + } + } + diff --git a/SOURCES/frr.if b/SOURCES/frr.if new file mode 100644 index 0000000..b580159 --- /dev/null +++ b/SOURCES/frr.if @@ -0,0 +1,206 @@ +## policy for frr + +######################################## +## +## Execute frr_exec_t in the frr domain. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`frr_domtrans',` + gen_require(` + type frr_t, frr_exec_t; + ') + + corecmd_search_bin($1) + domtrans_pattern($1, frr_exec_t, frr_t) +') + +###################################### +## +## Execute frr in the caller domain. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_exec',` + gen_require(` + type frr_exec_t; + ') + + corecmd_search_bin($1) + can_exec($1, frr_exec_t) +') + +######################################## +## +## Read frr's log files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`frr_read_log',` + gen_require(` + type frr_log_t; + ') + + read_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Append to frr log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_append_log',` + gen_require(` + type frr_log_t; + ') + + append_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Manage frr log files +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_manage_log',` + gen_require(` + type frr_log_t; + ') + + manage_dirs_pattern($1, frr_log_t, frr_log_t) + manage_files_pattern($1, frr_log_t, frr_log_t) + manage_lnk_files_pattern($1, frr_log_t, frr_log_t) + optional_policy(` + logging_search_logs($1) + ') +') + +######################################## +## +## Read frr PID files. +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_read_pid_files',` + gen_require(` + type frr_var_run_t; + ') + + files_search_pids($1) + read_files_pattern($1, frr_var_run_t, frr_var_run_t) +') + +######################################## +## +## All of the rules required to administrate +## an frr environment +## +## +## +## Domain allowed access. +## +## +# +interface(`frr_admin',` + gen_require(` + type frr_t; + type frr_log_t; + type frr_var_run_t; + ') + + allow $1 frr_t:process { signal_perms }; + ps_process_pattern($1, frr_t) + + tunable_policy(`deny_ptrace',`',` + allow $1 frr_t:process ptrace; + ') + + admin_pattern($1, frr_log_t) + + files_search_pids($1) + admin_pattern($1, frr_var_run_t) + optional_policy(` + logging_search_logs($1) + ') + optional_policy(` + systemd_passwd_agent_exec($1) + systemd_read_fifo_file_passwd_run($1) + ') +') + +######################################## +## +## Read ifconfig_var_run_t files and link files +## +## +## +## Domain allowed access. +## +## +# +ifndef(`sysnet_read_ifconfig_run',` + interface(`sysnet_read_ifconfig_run',` + gen_require(` + type ifconfig_var_run_t; + ') + + manage_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t) + ') +') + +######################################## +## +## Read unconfined_t files and dirs +## +## +## +## Domain allowed access. +## +## +# +ifndef(`unconfined_read_files',` + interface(`unconfined_read_files',` + gen_require(` + type unconfined_t; + ') + + allow $1 unconfined_t:file read_file_perms; + allow $1 unconfined_t:dir list_dir_perms; + ') +') diff --git a/SOURCES/frr.te b/SOURCES/frr.te index e41b75d..a1c8bee 100644 --- a/SOURCES/frr.te +++ b/SOURCES/frr.te @@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t) # # frr local policy # -allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin }; +allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin }; allow frr_t self:netlink_route_socket rw_netlink_socket_perms; allow frr_t self:packet_socket create; allow frr_t self:process { setcap setpgid }; @@ -96,6 +96,7 @@ fs_read_nsfs_files(frr_t) fs_search_cgroup_dirs(frr_t) sysnet_exec_ifconfig(frr_t) +sysnet_read_ifconfig_run(frr_t) userdom_read_admin_home_files(frr_t) @@ -107,6 +108,10 @@ optional_policy(` logging_send_syslog_msg(frr_t) ') +optional_policy(` + unconfined_read_files(frr_t) +') + optional_policy(` modutils_exec_kmod(frr_t) modutils_getattr_module_deps(frr_t) diff --git a/SPECS/frr.spec b/SPECS/frr.spec index e457d38..1d065cb 100644 --- a/SPECS/frr.spec +++ b/SPECS/frr.spec @@ -7,7 +7,7 @@ Name: frr Version: 7.5.1 -Release: 7%{?checkout}%{?dist}.2.alma.1 +Release: 13%{?checkout}%{?dist} Summary: Routing daemon License: GPLv2+ URL: http://www.frrouting.org @@ -53,11 +53,8 @@ Patch0010: 0010-moving-executables.patch Patch0011: 0011-reload-bfd-profile.patch Patch0012: 0012-graceful-restart.patch Patch0013: 0013-CVE-2022-37032.patch -# Patches were taken from upstream and modified to apply cleanly: -# https://git.almalinux.org/rpms/frr/raw/commit/7599d0ae96d0c1d1f42ae62e1f885ee58ed5b0cd/SOURCES/0010-CVE-2023-38802.patch Patch0014: 0014-bfd-profile-crash.patch -# https://gitlab.com/redhat/centos-stream/rpms/frr/-/blob/7e4d5613074b57d55f0ab900c85e20afccf1fbd4/0014-bfd-profile-crash.patch -Patch0015: 0015-CVE-2023-38802.patch +Patch0015: 0015-max-ttl-reload.patch %description FRRouting is free software that manages TCP/IP based routing protocols. It takes @@ -278,9 +275,23 @@ make check PYTHON=%{__python3} %endif %changelog -* Wed Sep 20 2023 Eduard Abdullin - 7.5.1-7.2.alma.1 -- Fix CVE-2023-38802 -- bfdd: remove profiles when removing bfd node +* Tue Oct 10 2023 Michal Ruprich - 7.5.1-13 +- Resolves: RHEL-2263 - eBGP multihop peer flapping due to delta miscalculation of new configuration + +* Wed Aug 23 2023 Michal Ruprich - 7.5.1-12 +- Resolves: #2216911 - Adding missing sys_admin SELinux call + +* Mon Aug 21 2023 Michal Ruprich - 7.5.1-11 +- Related: #2216911 - Adding unconfined_t type to access namespaces + +* Thu Aug 17 2023 Michal Ruprich - 7.5.1-10 +- Related: #2226803 - Adding patch + +* Wed Aug 16 2023 Michal Ruprich - 7.5.1-9 +- Resolves: #2226803 - BFD crash in FRR running in MetalLB + +* Fri Aug 11 2023 Michal Ruprich - 7.5.1-8 +- Resolves: #2216911 - SELinux is preventing FRR-Zebra to access to network namespaces * Wed Nov 30 2022 Michal Ruprich - 7.5.1-7 - Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service