import frr-7.5.1-7.el8

This commit is contained in:
CentOS Sources 2023-03-28 10:20:44 +00:00 committed by Stepan Oksanichenko
parent 387acfb08a
commit d2f38a8594
8 changed files with 139 additions and 169 deletions

View File

@ -1 +1,2 @@
dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if

1
.gitignore vendored
View File

@ -1 +1,2 @@
SOURCES/frr-7.5.1.tar.gz
SOURCES/frr.if

View File

@ -0,0 +1,79 @@
From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
From: Donatas Abraitis <donatas@opensourcerouting.org>
Date: Tue, 27 Sep 2022 17:30:16 +0300
Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
We might disable sending unconfig/shutdown notifications when
Graceful-Restart is enabled and negotiated.
Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
---
bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
1 file changed, 26 insertions(+), 9 deletions(-)
diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
index 3d4ef7c..f8089c6 100644
--- a/bgpd/bgpd.c
+++ b/bgpd/bgpd.c
@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
void peer_notify_unconfig(struct peer *peer)
{
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
+ if (bgp_debug_neighbor_events(peer))
+ zlog_debug(
+ "%pBP configured Graceful-Restart, skipping unconfig notification",
+ peer);
+ return;
+ }
+
if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
bgp_notify_send(peer, BGP_NOTIFY_CEASE,
BGP_NOTIFY_CEASE_PEER_UNCONFIG);
}
+static void peer_notify_shutdown(struct peer *peer)
+{
+ if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
+ if (bgp_debug_neighbor_events(peer))
+ zlog_debug(
+ "%pBP configured Graceful-Restart, skipping shutdown notification",
+ peer);
+ return;
+ }
+
+ if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
+ bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+ BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
+}
+
void peer_group_notify_unconfig(struct peer_group *group)
{
struct peer *peer, *other;
@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp)
}
/* Inform peers we're going down. */
- for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
- if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
- BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
- }
+ for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
+ peer_notify_shutdown(peer);
/* Delete static routes (networks). */
bgp_static_delete(bgp);
@@ -7238,11 +7258,7 @@ void bgp_terminate(void)
for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
- if (peer->status == Established
- || peer->status == OpenSent
- || peer->status == OpenConfirm)
- bgp_notify_send(peer, BGP_NOTIFY_CEASE,
- BGP_NOTIFY_CEASE_PEER_UNCONFIG);
+ peer_notify_unconfig(peer);
if (bm->process_main_queue)
work_queue_free_and_null(&bm->process_main_queue);

View File

@ -0,0 +1,32 @@
From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
From: Donald Sharp <sharpd@nvidia.com>
Date: Thu, 21 Jul 2022 08:11:58 -0400
Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
expected
Ensure that if the capability length specified is enough data.
Signed-off-by: Donald Sharp <sharpd@nvidia.com>
---
bgpd/bgp_packet.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
index dbf6c0b2e99..45752a8ab6d 100644
--- a/bgpd/bgp_packet.c
+++ b/bgpd/bgp_packet.c
@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
"%s CAPABILITY has action: %d, code: %u, length %u",
peer->host, action, hdr->code, hdr->length);
+ if (hdr->length < sizeof(struct capability_mp_data)) {
+ zlog_info(
+ "%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
+ peer, sizeof(struct capability_mp_data),
+ hdr->length);
+ return BGP_Stop;
+ }
+
/* Capability length check. */
if ((pnt + hdr->length + 3) > end) {
zlog_info("%s Capability length error", peer->host);

View File

@ -1,4 +1,4 @@
/usr/libexec/frr(/.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/libexec/frr/(.*)? gen_context(system_u:object_r:frr_exec_t,s0)
/usr/lib/systemd/system/frr.* gen_context(system_u:object_r:frr_unit_file_t,s0)

View File

@ -1,162 +0,0 @@
## <summary>policy for frr</summary>
########################################
## <summary>
## Execute frr_exec_t in the frr domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`frr_domtrans',`
gen_require(`
type frr_t, frr_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1, frr_exec_t, frr_t)
')
######################################
## <summary>
## Execute frr in the caller domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_exec',`
gen_require(`
type frr_exec_t;
')
corecmd_search_bin($1)
can_exec($1, frr_exec_t)
')
########################################
## <summary>
## Read frr's log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
## <rolecap/>
#
interface(`frr_read_log',`
gen_require(`
type frr_log_t;
')
read_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Append to frr log files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_append_log',`
gen_require(`
type frr_log_t;
')
append_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Manage frr log files
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_manage_log',`
gen_require(`
type frr_log_t;
')
manage_dirs_pattern($1, frr_log_t, frr_log_t)
manage_files_pattern($1, frr_log_t, frr_log_t)
manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
optional_policy(`
logging_search_logs($1)
')
')
########################################
## <summary>
## Read frr PID files.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_read_pid_files',`
gen_require(`
type frr_var_run_t;
')
files_search_pids($1)
read_files_pattern($1, frr_var_run_t, frr_var_run_t)
')
########################################
## <summary>
## All of the rules required to administrate
## an frr environment
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`frr_admin',`
gen_require(`
type frr_t;
type frr_log_t;
type frr_var_run_t;
')
allow $1 frr_t:process { signal_perms };
ps_process_pattern($1, frr_t)
tunable_policy(`deny_ptrace',`',`
allow $1 frr_t:process ptrace;
')
admin_pattern($1, frr_log_t)
files_search_pids($1)
admin_pattern($1, frr_var_run_t)
optional_policy(`
logging_search_logs($1)
')
optional_policy(`
systemd_passwd_agent_exec($1)
systemd_read_fifo_file_passwd_run($1)
')
')

View File

@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t)
#
# frr local policy
#
allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid };
allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
allow frr_t self:packet_socket create;
allow frr_t self:process { setcap setpgid };
@ -68,7 +68,7 @@ allow frr_t frr_exec_t:dir search_dir_perms;
can_exec(frr_t, frr_exec_t)
kernel_read_network_state(frr_t)
kernel_read_net_sysctls(frr_t)
kernel_rw_net_sysctls(frr_t)
kernel_read_system_state(frr_t)
auth_use_nsswitch(frr_t)
@ -79,6 +79,7 @@ corenet_tcp_bind_appswitch_emp_port(frr_t)
corenet_udp_bind_bfd_control_port(frr_t)
corenet_udp_bind_bfd_echo_port(frr_t)
corenet_tcp_bind_bgp_port(frr_t)
corenet_tcp_connect_bgp_port(frr_t)
corenet_udp_bind_all_unreserved_ports(frr_t);
corenet_tcp_bind_generic_port(frr_t)
corenet_tcp_bind_firepower_port(frr_t)
@ -92,6 +93,7 @@ corenet_tcp_bind_zebra_port(frr_t)
domain_use_interactive_fds(frr_t)
fs_read_nsfs_files(frr_t)
fs_search_cgroup_dirs(frr_t)
sysnet_exec_ifconfig(frr_t)
@ -118,4 +120,5 @@ optional_policy(`
optional_policy(`
userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
')

View File

@ -7,7 +7,7 @@
Name: frr
Version: 7.5.1
Release: 3%{?checkout}%{?dist}
Release: 7%{?checkout}%{?dist}
Summary: Routing daemon
License: GPLv2+
URL: http://www.frrouting.org
@ -34,7 +34,7 @@ Requires: iproute
Requires: initscripts
%if 0%{?with_selinux}
Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
%endif
Provides: routingdaemon = %{version}-%{release}
@ -51,6 +51,8 @@ Patch0008: 0008-designated-router.patch
Patch0009: 0009-routemap.patch
Patch0010: 0010-moving-executables.patch
Patch0011: 0011-reload-bfd-profile.patch
Patch0012: 0012-graceful-restart.patch
Patch0013: 0013-CVE-2022-37032.patch
%description
FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -215,8 +217,10 @@ fi
%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
%selinux_relabel_post -s %{selinuxtype}
#/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
if [ $1 == 2 ]; then
%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
fi
%postun selinux
if [ $1 -eq 0 ]; then
@ -269,6 +273,18 @@ make check PYTHON=%{__python3}
%endif
%changelog
* Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
* Tue Nov 29 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-5
- Resolves: #2127140 - Frr is unable to push routes to the system routing table
* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers
* Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
- Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile