Merge pull request #1880 from pguibert6WIND/enforce_vrf_netns_enable

lib: enforce vrf netns if setns() returns ok

lib/vrf.c

@@ -33,6 +33,7 @@
 #include "memory.h"
 #include "command.h"
 #include "ns.h"
+#include "privs.h"
 
 /* default VRF ID value used when VRF backend is not NETNS */
 #define VRF_DEFAULT_INTERNAL 0
@@ -52,6 +53,7 @@ struct vrf_id_head vrfs_by_id = RB_INITIALIZER(&vrfs_by_id);
 struct vrf_name_head vrfs_by_name = RB_INITIALIZER(&vrfs_by_name);
 
 static int vrf_backend;
+static struct zebra_privs_t *vrf_daemon_privs;
 
 /*
  * Turn on/off debug code
@@ -690,14 +692,24 @@ DEFUN_NOSH (vrf_netns,
 	    "Attach VRF to a Namespace\n"
 	    "The file name in " NS_RUN_DIR ", or a full pathname\n")
 {
-	int idx_name = 1;
+	int idx_name = 1, ret;
 	char *pathname = ns_netns_pathname(vty, argv[idx_name]->arg);
 
 	VTY_DECLVAR_CONTEXT(vrf, vrf);
 
 	if (!pathname)
 		return CMD_WARNING_CONFIG_FAILED;
-	return vrf_netns_handler_create(vty, vrf, pathname, NS_UNKNOWN);
+
+	if (vrf_daemon_privs &&
+	    vrf_daemon_privs->change(ZPRIVS_RAISE))
+		zlog_err("%s: Can't raise privileges", __func__);
+
+	ret = vrf_netns_handler_create(vty, vrf, pathname, NS_UNKNOWN);
+
+	if (vrf_daemon_privs &&
+	    vrf_daemon_privs->change(ZPRIVS_LOWER))
+		zlog_err("%s: Can't lower privileges", __func__);
+	return ret;
 }
 
 DEFUN (no_vrf_netns,
@@ -779,14 +791,16 @@ void vrf_install_commands(void)
 	install_element(ENABLE_NODE, &no_vrf_debug_cmd);
 }
 
-void vrf_cmd_init(int (*writefunc)(struct vty *vty))
+void vrf_cmd_init(int (*writefunc)(struct vty *vty),
+		  struct zebra_privs_t *daemon_privs)
 {
 	install_element(CONFIG_NODE, &vrf_cmd);
 	install_element(CONFIG_NODE, &no_vrf_cmd);
 	install_node(&vrf_node, writefunc);
 	install_default(VRF_NODE);
 	if (vrf_is_backend_netns() && ns_have_netns()) {
 		/* Install NS commands. */
+		vrf_daemon_privs = daemon_privs;
 		install_element(VRF_NODE, &vrf_netns_cmd);
 		install_element(VRF_NODE, &no_vrf_netns_cmd);
 	}

lib/vrf.h

@@ -242,7 +242,8 @@ extern int vrf_switchback_to_initial(void);
 
 /* VRF vty command initialisation
  */
-extern void vrf_cmd_init(int (*writefunc)(struct vty *vty));
+extern void vrf_cmd_init(int (*writefunc)(struct vty *vty),
+			 struct zebra_privs_t *daemon_priv);
 
 /* VRF vty debugging
  */

pimd/pim_instance.c

@@ -214,7 +214,7 @@ void pim_vrf_init(void)
 {
 	vrf_init(pim_vrf_new, pim_vrf_enable, pim_vrf_disable, pim_vrf_delete);
 
-	vrf_cmd_init(pim_vrf_config_write);
+	vrf_cmd_init(pim_vrf_config_write, &pimd_privs);
 }
 
 void pim_vrf_terminate(void)

zebra/zebra_netns_notify.c

@@ -92,7 +92,11 @@ static void zebra_ns_notify_create_context_from_entry_name(const char *name)
 		zlog_warn("NS notify : failed to create VRF %s", name);
 		return;
 	}
+	if (zserv_privs.change(ZPRIVS_RAISE))
+		zlog_err("Can't raise privileges");
 	ret = vrf_netns_handler_create(NULL, vrf, netnspath, ns_id);
+	if (zserv_privs.change(ZPRIVS_LOWER))
+		zlog_err("Can't lower privileges");
 	if (ret != CMD_SUCCESS) {
 		zlog_warn("NS notify : failed to create NS %s", netnspath);
 		return;

zebra/zebra_vrf.c

@@ -39,6 +39,7 @@
 #include "zebra/interface.h"
 #include "zebra/zebra_mpls.h"
 #include "zebra/zebra_vxlan.h"
+#include "zebra/zebra_netns_notify.h"
 
 extern struct zebra_t zebrad;
 
@@ -587,5 +588,5 @@ void zebra_vrf_init(void)
 	vrf_init(zebra_vrf_new, zebra_vrf_enable, zebra_vrf_disable,
 		 zebra_vrf_delete);
 
-	vrf_cmd_init(vrf_config_write);
+	vrf_cmd_init(vrf_config_write, &zserv_privs);
 }