v10.3

Resolves: #2311120 - AVCs for using a netlink socket in FRR

.gitignore

@@ -21,3 +21,4 @@
 /frr-9.1.tar.gz
 /frr-10.0.1.tar.gz
 /frr-10.1.tar.gz
+/frr-10.2.tar.gz

0006-autorp-segfault.patch

@@ -0,0 +1,41 @@
+From 37b88191fb4736ff0a1e565fc22003d0ab853ea2 Mon Sep 17 00:00:00 2001
+From: Donald Sharp <sharpd@nvidia.com>
+Date: Wed, 4 Dec 2024 10:47:33 -0500
+Subject: [PATCH] pimd: Prevent crash of pim when auto-rp's socket is not
+ initialized
+
+If the socket associated with the auto-rp fails to initialize then
+the memory for the auto-rp is just dropped on the floor.  Additionally
+any type of attempt at using the feature will just cause pimd to crash,
+when the pointer is derefed.  Since it is derefed all over the place
+without checking.
+
+Clearly if you cannot bind/use the socket let's allow continuation.
+
+Fixes: #17540
+Signed-off-by: Donald Sharp <sharpd@nvidia.com>
+---
+ pimd/pim_autorp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/pimd/pim_autorp.c b/pimd/pim_autorp.c
+index 3fb10f4..91ed005 100644
+--- a/pimd/pim_autorp.c
++++ b/pimd/pim_autorp.c
+@@ -1014,12 +1014,14 @@ void pim_autorp_init(struct pim_instance *pim)
+ 	autorp->announce_interval = DEFAULT_ANNOUNCE_INTERVAL;
+ 	autorp->announce_holdtime = DEFAULT_ANNOUNCE_HOLDTIME;
+ 
++	pim->autorp = autorp;
++
+ 	if (!pim_autorp_socket_enable(autorp)) {
+-		zlog_err("%s: AutoRP failed to initialize", __func__);
++		zlog_err("%s: AutoRP failed to initialize, feature will not work correctly",
++				__func__);
+ 		return;
+ 	}
+ 
+-	pim->autorp = autorp;
+ 	if (PIM_DEBUG_AUTORP)
+ 		zlog_debug("%s: AutoRP Initialized", __func__);
+ 

0006-noprefixroute-network-manager.patch

@@ -1,167 +0,0 @@
---- b/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
-+++ a/tests/topotests/zebra_multiple_connected/test_zebra_multiple_connected.py
-@@ -144,23 +144,6 @@
-     assert result is None, "Kernel route is missing from zebra"
- 
- 
--def test_zebra_noprefix_connected():
--    "Test that a noprefixroute created does not create a connected route"
--
--    tgen = get_topogen()
--    if tgen.routers_have_failure():
--        pytest.skip(tgen.errors)
--
--    router = tgen.gears["r1"]
--    router.run("ip addr add 192.168.44.1/24 dev r1-eth1 noprefixroute")
--    expected = "% Network not in table"
--    test_func = partial(
--        topotest.router_output_cmp, router, "show ip route 192.168.44.0/24", expected
--    )
--    result, diff = topotest.run_and_expect(test_func, "", count=20, wait=1)
--    assert result, "Connected Route should not have been added"
--
--
- if __name__ == "__main__":
-     args = ["-s"] + sys.argv[1:]
-     sys.exit(pytest.main(args))
---- b/zebra/if_netlink.c
-+++ a/zebra/if_netlink.c
-@@ -1423,9 +1423,6 @@
- 	if (kernel_flags & IFA_F_SECONDARY)
- 		dplane_ctx_intf_set_secondary(ctx);
- 
--	if (kernel_flags & IFA_F_NOPREFIXROUTE)
--		dplane_ctx_intf_set_noprefixroute(ctx);
--
- 	/* Label */
- 	if (tb[IFA_LABEL]) {
- 		label = (char *)RTA_DATA(tb[IFA_LABEL]);
---- b/zebra/zebra_dplane.c
-+++ a/zebra/zebra_dplane.c
-@@ -230,7 +230,6 @@
- #define DPLANE_INTF_BROADCAST   (1 << 2)
- #define DPLANE_INTF_HAS_DEST    DPLANE_INTF_CONNECTED
- #define DPLANE_INTF_HAS_LABEL   (1 << 4)
--#define DPLANE_INTF_NOPREFIXROUTE (1 << 5)
- 
- 	/* Interface address/prefix */
- 	struct prefix prefix;
-@@ -2542,13 +2541,6 @@
- 	return (ctx->u.intf.flags & DPLANE_INTF_CONNECTED);
- }
- 
--bool dplane_ctx_intf_is_noprefixroute(const struct zebra_dplane_ctx *ctx)
--{
--	DPLANE_CTX_VALID(ctx);
--
--	return (ctx->u.intf.flags & DPLANE_INTF_NOPREFIXROUTE);
--}
--
- bool dplane_ctx_intf_is_secondary(const struct zebra_dplane_ctx *ctx)
- {
- 	DPLANE_CTX_VALID(ctx);
-@@ -2577,13 +2569,6 @@
- 	ctx->u.intf.flags |= DPLANE_INTF_SECONDARY;
- }
- 
--void dplane_ctx_intf_set_noprefixroute(struct zebra_dplane_ctx *ctx)
--{
--	DPLANE_CTX_VALID(ctx);
--
--	ctx->u.intf.flags |= DPLANE_INTF_NOPREFIXROUTE;
--}
--
- void dplane_ctx_intf_set_broadcast(struct zebra_dplane_ctx *ctx)
- {
- 	DPLANE_CTX_VALID(ctx);
---- b/zebra/zebra_dplane.h
-+++ a/zebra/zebra_dplane.h
-@@ -658,8 +658,6 @@
- void dplane_ctx_intf_set_connected(struct zebra_dplane_ctx *ctx);
- bool dplane_ctx_intf_is_secondary(const struct zebra_dplane_ctx *ctx);
- void dplane_ctx_intf_set_secondary(struct zebra_dplane_ctx *ctx);
--bool dplane_ctx_intf_is_noprefixroute(const struct zebra_dplane_ctx *ctx);
--void dplane_ctx_intf_set_noprefixroute(struct zebra_dplane_ctx *ctx);
- bool dplane_ctx_intf_is_broadcast(const struct zebra_dplane_ctx *ctx);
- void dplane_ctx_intf_set_broadcast(struct zebra_dplane_ctx *ctx);
- const struct prefix *dplane_ctx_get_intf_addr(
---- b/lib/if.h
-+++ a/lib/if.h
-@@ -434,8 +434,6 @@
- #define ZEBRA_IFA_SECONDARY    (1 << 0)
- #define ZEBRA_IFA_PEER         (1 << 1)
- #define ZEBRA_IFA_UNNUMBERED   (1 << 2)
--#define ZEBRA_IFA_NOPREFIXROUTE (1 << 3)
--
- 	/* N.B. the ZEBRA_IFA_PEER flag should be set if and only if
- 	   a peer address has been configured.  If this flag is set,
- 	   the destination field must contain the peer address.
---- b/zebra/connected.c
-+++ a/zebra/connected.c
-@@ -282,15 +282,13 @@
- 			return;
- 	}
- 
-+	rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
-+		flags, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0,
-+		false);
--	if (!CHECK_FLAG(ifc->flags, ZEBRA_IFA_NOPREFIXROUTE)) {
--		rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
--			ZEBRA_ROUTE_CONNECT, 0, flags, &p, NULL, &nh, 0,
--			zvrf->table_id, metric, 0, 0, 0, false);
- 
-+	rib_add(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
-+		flags, &p, NULL, &nh, 0, zvrf->table_id, metric, 0, 0, 0,
-+		false);
--		rib_add(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id,
--			ZEBRA_ROUTE_CONNECT, 0, flags, &p, NULL, &nh, 0,
--			zvrf->table_id, metric, 0, 0, 0, false);
--	}
- 
- 	if (install_local) {
- 		rib_add(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_LOCAL,
-@@ -483,15 +481,11 @@
- 	 * Same logic as for connected_up(): push the changes into the
- 	 * head.
- 	 */
-+	rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT, 0,
-+		   0, &p, NULL, &nh, 0, zvrf->table_id, 0, 0, false);
--	if (!CHECK_FLAG(ifc->flags, ZEBRA_IFA_NOPREFIXROUTE)) {
--		rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
--			   ZEBRA_ROUTE_CONNECT, 0, 0, &p, NULL, &nh, 0,
--			   zvrf->table_id, 0, 0, false);
- 
-+	rib_delete(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id, ZEBRA_ROUTE_CONNECT,
-+		   0, 0, &p, NULL, &nh, 0, zvrf->table_id, 0, 0, false);
--		rib_delete(afi, SAFI_MULTICAST, zvrf->vrf->vrf_id,
--			   ZEBRA_ROUTE_CONNECT, 0, 0, &p, NULL, &nh, 0,
--			   zvrf->table_id, 0, 0, false);
--	}
- 
- 	if (remove_local) {
- 		rib_delete(afi, SAFI_UNICAST, zvrf->vrf->vrf_id,
---- b/zebra/interface.c
-+++ a/zebra/interface.c
-@@ -1317,9 +1317,6 @@
- 	if (dplane_ctx_intf_is_secondary(ctx))
- 		SET_FLAG(flags, ZEBRA_IFA_SECONDARY);
- 
--	if (dplane_ctx_intf_is_noprefixroute(ctx))
--		SET_FLAG(flags, ZEBRA_IFA_NOPREFIXROUTE);
--
- 	/* Label? */
- 	if (dplane_ctx_intf_has_label(ctx))
- 		label = dplane_ctx_get_intf_label(ctx);
-@@ -2337,12 +2334,6 @@
- 	else if (CHECK_FLAG(connected->flags, ZEBRA_IFA_SECONDARY))
- 		vty_out(vty, " secondary");
- 
--	if (json)
--		json_object_boolean_add(json_addr, "noPrefixRoute",
--					CHECK_FLAG(connected->flags, ZEBRA_IFA_NOPREFIXROUTE));
--	else if (CHECK_FLAG(connected->flags, ZEBRA_IFA_NOPREFIXROUTE))
--		vty_out(vty, " noprefixroute");
--
- 	if (json)
- 		json_object_boolean_add(
- 			json_addr, "unnumbered",

frr.fc

@@ -6,6 +6,7 @@
 
 /var/log/frr(/.*)?              gen_context(system_u:object_r:frr_log_t,s0)
 /var/tmp/frr(/.*)?              gen_context(system_u:object_r:frr_tmp_t,s0)
+/var/lib/frr(/.*)?              gen_context(system_u:object_r:frr_var_lib_t,s0)
 
 /run/lock/subsys/bfdd       --  gen_context(system_u:object_r:frr_lock_t,s0)
 /run/lock/subsys/bgpd       --  gen_context(system_u:object_r:frr_lock_t,s0)

frr.spec

@@ -1,3 +1,5 @@
+%global dist .ims.1%{?dist}
+
 %global frr_libdir %{_libexecdir}/frr
 
 %global _hardened_build 1
@@ -8,7 +10,7 @@
 %bcond selinux 1
 
 Name:           frr
-Version:        10.1
+Version:        10.3
 Release:        1%{?dist}
 Summary:        Routing daemon
 License:        GPL-2.0-or-later AND ISC AND LGPL-2.0-or-later AND BSD-2-Clause AND BSD-3-Clause AND (GPL-2.0-or-later  OR ISC) AND MIT
@@ -26,7 +28,7 @@ Patch0002:      0002-enable-openssl.patch
 Patch0003:      0003-disable-eigrp-crypto.patch
 Patch0004:      0004-fips-mode.patch
 Patch0005:      0005-remove-grpc-test.patch
-Patch0006:      0006-noprefixroute-network-manager.patch
+Patch0006:      0006-autorp-segfault.patch
 
 BuildRequires:  autoconf
 BuildRequires:  automake
@@ -117,7 +119,7 @@ autoreconf -ivf
     --sysconfdir=%{_sysconfdir}/frr \
     --libdir=%{_libdir}/frr \
     --libexecdir=%{_libexecdir}/frr \
-    --localstatedir=/run/frr \
+    --localstatedir=/var \
     --enable-multipath=64 \
     --enable-vtysh=yes \
     --disable-ospfclient \
@@ -135,6 +137,7 @@ autoreconf -ivf
     --with-moduledir=%{_libdir}/frr/modules \
     --with-yangmodelsdir=%{_datadir}/frr-yang/ \
     --with-crypto=openssl \
+    --with-vici-socket=/run/strongswan/charon.vici \
     --enable-fpm \
     %{?with_grpc:--enable-grpc}
 
@@ -277,6 +280,22 @@ rm tests/lib/*grpc*
 %endif
 
 %changelog
+* Thu Dec 05 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-2
+- Resolves: rhbz#2329643 - upgrading frr to 10.2 causes pimd crashes
+
+* Fri Nov 22 2024 Michal Ruprich <mruprich@redhat.com> - 10.2-1
+- New version 10.2
+
+* Tue Sep 10 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-4
+- Resolves: #2311119 - Multiple AVCs for accessing lib_t in FRR-10.1
+- Resolves: #2311120 - AVCs for using a netlink socket in FRR
+
+* Sun Aug 25 2024 Benjamin A. Beasley <code@musicinmybrain.net> - 10.1-3
+- Rebuilt for abseil-cpp-20240722.0
+
+* Thu Aug 15 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-2
+- Rebuilding for the libre soname bump
+
 * Mon Aug 12 2024 Michal Ruprich <mruprich@redhat.com> - 10.1-1
 - New version 10.1
 

frr.te

@@ -27,12 +27,20 @@ systemd_unit_file(frr_unit_file_t)
 type frr_var_run_t;
 files_pid_file(frr_var_run_t)
 
+type frr_var_lib_t;
+files_type(frr_var_lib_t)
+
 ########################################
 #
 # frr local policy
 #
 allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
+allow frr_t self:netlink_generic_socket create;
+allow frr_t self:netlink_generic_socket setopt;
+allow frr_t self:netlink_generic_socket getopt;
+allow frr_t self:netlink_generic_socket getattr;
+allow frr_t self:netlink_generic_socket bind;
 allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
@@ -49,6 +57,10 @@ manage_files_pattern(frr_t, frr_log_t, frr_log_t)
 manage_lnk_files_pattern(frr_t, frr_log_t, frr_log_t)
 logging_log_filetrans(frr_t, frr_log_t, { dir file lnk_file })
 
+manage_dirs_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
+manage_files_pattern(frr_t, frr_var_lib_t, frr_var_lib_t)
+files_var_lib_filetrans(frr_t, frr_var_lib_t, { dir file })
+
 allow frr_t frr_tmp_t:file map;
 manage_dirs_pattern(frr_t, frr_tmp_t, frr_tmp_t)
 manage_files_pattern(frr_t, frr_tmp_t, frr_tmp_t)
@@ -92,6 +104,8 @@ corenet_tcp_bind_qpasa_agent_port(frr_t)
 corenet_tcp_bind_smntubootstrap_port(frr_t)
 corenet_tcp_bind_versa_tek_port(frr_t)
 corenet_tcp_bind_zebra_port(frr_t)
+# general reserved port for pimd
+corenet_tcp_bind_reserved_port(frr_t)
 
 domain_use_interactive_fds(frr_t)
 

sources

@@ -1,2 +1,2 @@
-SHA512 (frr-10.1.tar.gz) = 7484238a502ab12f178e4a210e6e4a33d0ce53edbb49b127fdc3167e31dd61c1122c1ef2d30e4bcb83b7f520b37fb9ad73e2a6a16790b608b1adf2e23b556445
+SHA512 (frr-10.2.tar.gz) = 40a0e1f1a7f2cc137aac6e838b2f865b93fdc1cd6bd0f6c5b15b4507cbff87cb60092682e45aca68633cb053fb2ce663386edb78e5d3c5f890f4666e871ab8c5
 SHA512 (remove-babeld-ldpd.sh) = a5bf67a3722cb20d43cef1dac28f839db68df73a1b7d34d8438e4f9366da3b67d85c1f44281f93434e8dd8ebcb2d3dc258b77eaa5627475b7395d207f020839d