import frr-7.5.1-7.el8

.frr.metadata

@@ -1 +1,2 @@
 dfc756dfd123360d1e1a760d66821e47f9a6afed SOURCES/frr-7.5.1.tar.gz
+e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if

.gitignore

@@ -1 +1,2 @@
 SOURCES/frr-7.5.1.tar.gz
+SOURCES/frr.if

SOURCES/0012-graceful-restart.patch

@@ -0,0 +1,79 @@
+From 12f9f8472d0f8cfc026352906b8e5342df2846cc Mon Sep 17 00:00:00 2001
+From: Donatas Abraitis <donatas@opensourcerouting.org>
+Date: Tue, 27 Sep 2022 17:30:16 +0300
+Subject: [PATCH] bgpd: Do not send Deconfig/Shutdown message when restarting
+
+We might disable sending unconfig/shutdown notifications when
+Graceful-Restart is enabled and negotiated.
+
+Signed-off-by: Donatas Abraitis <donatas@opensourcerouting.org>
+---
+ bgpd/bgpd.c | 35 ++++++++++++++++++++++++++---------
+ 1 file changed, 26 insertions(+), 9 deletions(-)
+
+diff --git a/bgpd/bgpd.c b/bgpd/bgpd.c
+index 3d4ef7c..f8089c6 100644
+--- a/bgpd/bgpd.c
++++ b/bgpd/bgpd.c
+@@ -2564,11 +2564,34 @@ int peer_group_remote_as(struct bgp *bgp, const char *group_name, as_t *as,
+ 
+ void peer_notify_unconfig(struct peer *peer)
+ {
++	if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
++		if (bgp_debug_neighbor_events(peer))
++			zlog_debug(
++				"%pBP configured Graceful-Restart, skipping unconfig notification",
++				peer);
++		return;
++	}
++
+ 	if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
+ 		bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+ 				BGP_NOTIFY_CEASE_PEER_UNCONFIG);
+ }
+ 
++static void peer_notify_shutdown(struct peer *peer)
++{
++	if (BGP_PEER_GRACEFUL_RESTART_CAPABLE(peer)) {
++		if (bgp_debug_neighbor_events(peer))
++			zlog_debug(
++				"%pBP configured Graceful-Restart, skipping shutdown notification",
++				peer);
++		return;
++	}
++
++	if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
++		bgp_notify_send(peer, BGP_NOTIFY_CEASE,
++				BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
++}
++
+ void peer_group_notify_unconfig(struct peer_group *group)
+ {
+ 	struct peer *peer, *other;
+@@ -3380,11 +3403,8 @@ int bgp_delete(struct bgp *bgp)
+ 	}
+ 
+ 	/* Inform peers we're going down. */
+-	for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer)) {
+-		if (BGP_IS_VALID_STATE_FOR_NOTIF(peer->status))
+-			bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+-					BGP_NOTIFY_CEASE_ADMIN_SHUTDOWN);
+-	}
++	for (ALL_LIST_ELEMENTS(bgp->peer, node, next, peer))
++		peer_notify_shutdown(peer);
+ 
+ 	/* Delete static routes (networks). */
+ 	bgp_static_delete(bgp);
+@@ -7238,11 +7258,7 @@ void bgp_terminate(void)
+ 
+ 	for (ALL_LIST_ELEMENTS(bm->bgp, mnode, mnnode, bgp))
+ 		for (ALL_LIST_ELEMENTS(bgp->peer, node, nnode, peer))
+-			if (peer->status == Established
+-			    || peer->status == OpenSent
+-			    || peer->status == OpenConfirm)
+-				bgp_notify_send(peer, BGP_NOTIFY_CEASE,
+-						BGP_NOTIFY_CEASE_PEER_UNCONFIG);
++			peer_notify_unconfig(peer);
+ 
+ 	if (bm->process_main_queue)
+ 		work_queue_free_and_null(&bm->process_main_queue);

SOURCES/0013-CVE-2022-37032.patch

@@ -0,0 +1,32 @@
+From ff6db1027f8f36df657ff2e5ea167773752537ed Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Thu, 21 Jul 2022 08:11:58 -0400
+Subject: [PATCH] bgpd: Make sure hdr length is at a minimum of what is
+ expected
+
+Ensure that if the capability length specified is enough data.
+
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ bgpd/bgp_packet.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
+index dbf6c0b2e99..45752a8ab6d 100644
+--- a/bgpd/bgp_packet.c
++++ b/bgpd/bgp_packet.c
+@@ -2620,6 +2620,14 @@ static int bgp_capability_msg_parse(struct peer *peer, uint8_t *pnt,
+ 				"%s CAPABILITY has action: %d, code: %u, length %u",
+ 				peer->host, action, hdr->code, hdr->length);
+ 
++		if (hdr->length < sizeof(struct capability_mp_data)) {
++			zlog_info(
++				"%pBP Capability structure is not properly filled out, expected at least %zu bytes but header length specified is %d",
++				peer, sizeof(struct capability_mp_data),
++				hdr->length);
++			return BGP_Stop;
++		}
++
+ 		/* Capability length check. */
+ 		if ((pnt + hdr->length + 3) > end) {
+ 			zlog_info("%s Capability length error", peer->host);

SOURCES/frr.fc

@@ -1,4 +1,4 @@
-/usr/libexec/frr(/.*)?        	gen_context(system_u:object_r:frr_exec_t,s0)
+/usr/libexec/frr/(.*)?        	gen_context(system_u:object_r:frr_exec_t,s0)
 
 /usr/lib/systemd/system/frr.*   gen_context(system_u:object_r:frr_unit_file_t,s0)
 

SOURCES/frr.if

@@ -1,162 +0,0 @@
-## <summary>policy for frr</summary>
-
-########################################
-## <summary>
-##	Execute frr_exec_t in the frr domain.
-## </summary>
-## <param name="domain">
-## <summary>
-##	Domain allowed to transition.
-## </summary>
-## </param>
-#
-interface(`frr_domtrans',`
-	gen_require(`
-		type frr_t, frr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	domtrans_pattern($1, frr_exec_t, frr_t)
-')
-
-######################################
-## <summary>
-##	Execute frr in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_exec',`
-	gen_require(`
-		type frr_exec_t;
-	')
-
-	corecmd_search_bin($1)
-	can_exec($1, frr_exec_t)
-')
-
-########################################
-## <summary>
-##	Read frr's log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`frr_read_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	read_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Append to frr log files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_append_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	append_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Manage frr log files
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_manage_log',`
-	gen_require(`
-		type frr_log_t;
-	')
-
-	manage_dirs_pattern($1, frr_log_t, frr_log_t)
-	manage_files_pattern($1, frr_log_t, frr_log_t)
-	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-')
-
-########################################
-## <summary>
-##	Read frr PID files.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_read_pid_files',`
-	gen_require(`
-		type frr_var_run_t;
-	')
-
-	files_search_pids($1)
-	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
-')
-
-########################################
-## <summary>
-##	All of the rules required to administrate
-##	an frr environment
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-interface(`frr_admin',`
-	gen_require(`
-		type frr_t;
-		type frr_log_t;
-		type frr_var_run_t;
-	')
-
-	allow $1 frr_t:process { signal_perms };
-	ps_process_pattern($1, frr_t)
-
-	tunable_policy(`deny_ptrace',`',`
-		allow $1 frr_t:process ptrace;
-	')
-
-	admin_pattern($1, frr_log_t)
-
-	files_search_pids($1)
-	admin_pattern($1, frr_var_run_t)
-	optional_policy(`
-		logging_search_logs($1)
-	')
-	optional_policy(`
-		systemd_passwd_agent_exec($1)
-		systemd_read_fifo_file_passwd_run($1)
-	')
-')

SOURCES/frr.te

@@ -31,7 +31,7 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid };
+allow frr_t self:capability { fowner fsetid chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
 allow frr_t self:packet_socket create;
 allow frr_t self:process { setcap setpgid };
@@ -68,7 +68,7 @@ allow frr_t frr_exec_t:dir search_dir_perms;
 can_exec(frr_t, frr_exec_t)
 
 kernel_read_network_state(frr_t)
-kernel_read_net_sysctls(frr_t)
+kernel_rw_net_sysctls(frr_t)
 kernel_read_system_state(frr_t)
 
 auth_use_nsswitch(frr_t)
@@ -79,6 +79,7 @@ corenet_tcp_bind_appswitch_emp_port(frr_t)
 corenet_udp_bind_bfd_control_port(frr_t)
 corenet_udp_bind_bfd_echo_port(frr_t)
 corenet_tcp_bind_bgp_port(frr_t)
+corenet_tcp_connect_bgp_port(frr_t)
 corenet_udp_bind_all_unreserved_ports(frr_t);
 corenet_tcp_bind_generic_port(frr_t)
 corenet_tcp_bind_firepower_port(frr_t)
@@ -92,6 +93,7 @@ corenet_tcp_bind_zebra_port(frr_t)
 domain_use_interactive_fds(frr_t)
 
 fs_read_nsfs_files(frr_t)
+fs_search_cgroup_dirs(frr_t)
 
 sysnet_exec_ifconfig(frr_t)
 
@@ -118,4 +120,5 @@ optional_policy(`
 
 optional_policy(`
 	userdom_admin_home_dir_filetrans(frr_t, frr_conf_t, file, ".history_frr")
+	userdom_inherit_append_admin_home_files(frr_t, frr_conf_t, file, ".history_frr")
 ')

SPECS/frr.spec

@@ -7,7 +7,7 @@
 
 Name: frr
 Version: 7.5.1
-Release: 3%{?checkout}%{?dist}
+Release: 7%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@@ -34,7 +34,7 @@ Requires: iproute
 Requires: initscripts
 
 %if 0%{?with_selinux}
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+Requires: (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
 %endif
 
 Provides: routingdaemon = %{version}-%{release}
@@ -51,6 +51,8 @@ Patch0008: 0008-designated-router.patch
 Patch0009: 0009-routemap.patch
 Patch0010: 0010-moving-executables.patch
 Patch0011: 0011-reload-bfd-profile.patch
+Patch0012: 0012-graceful-restart.patch
+Patch0013: 0013-CVE-2022-37032.patch
 
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@@ -215,8 +217,10 @@ fi
 %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{name}.pp.bz2
 %selinux_relabel_post -s %{selinuxtype}
 #/var/tmp and /var/run need to be relabeled as well if FRR is running before upgrade
-%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
-%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+if [ $1 == 2 ]; then
+	%{_sbindir}/restorecon -R /var/tmp/frr &> /dev/null
+	%{_sbindir}/restorecon -R /var/run/frr &> /dev/null
+fi
 
 %postun selinux
 if [ $1 -eq 0 ]; then
@@ -269,6 +273,18 @@ make check PYTHON=%{__python3}
 %endif
 
 %changelog
+* Wed Nov 30 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-7
+- Resolves: #2128737 - out-of-bounds read in the BGP daemon may lead to information disclosure or denial of service
+
+* Tue Nov 29 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-6
+- Resolves: #1939516 - frr service cannot reload itself, due to executing in the wrong SELinux context
+
+* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-5
+- Resolves: #2127140 - Frr is unable to push routes to the system routing table
+
+* Mon Nov 14 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-4
+- Resolves: #1948422 - BGP incorrectly withdraws routes on graceful restart capable routers
+
 * Thu Aug 25 2022 Michal Ruprich <mruprich@redhat.com> - 7.5.1-3
 - Resolves: #2054160 - FRR reloader does not disable BFD when unsetting BFD profile