zlog_debug("Peer address not learnt: Returning from connect");
return 0;
}
- if (bgpd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
+ frr_elevate_privs(&bgpd_privs) {
/* Make socket for the peer. */
- peer->fd = vrf_sockunion_socket(&peer->su, peer->bgp->vrf_id,
- bgp_get_bound_name(peer));
- if (bgpd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ peer->fd = vrf_sockunion_socket(&peer->su, peer->bgp->vrf_id,
+ bgp_get_bound_name(peer));
+ }
if (peer->fd < 0)
return -1;
peer->host, safe_strerror(errno));
#ifdef IPTOS_PREC_INTERNETCONTROL
- if (bgpd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs",
- __func__);
- if (sockunion_family(&peer->su) == AF_INET)
- setsockopt_ipv4_tos(peer->fd, IPTOS_PREC_INTERNETCONTROL);
- else if (sockunion_family(&peer->su) == AF_INET6)
- setsockopt_ipv6_tclass(peer->fd, IPTOS_PREC_INTERNETCONTROL);
- if (bgpd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs",
- __func__);
+ frr_elevate_privs(&bgpd_privs) {
+ if (sockunion_family(&peer->su) == AF_INET)
+ setsockopt_ipv4_tos(peer->fd, IPTOS_PREC_INTERNETCONTROL);
+ else if (sockunion_family(&peer->su) == AF_INET6)
+ setsockopt_ipv6_tclass(peer->fd, IPTOS_PREC_INTERNETCONTROL);
+ }
#endif
if (peer->password)
sockopt_reuseaddr(sock);
sockopt_reuseport(sock);
- if (bgpd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs",
- __func__);
+ frr_elevate_privs(&bgpd_privs) {
#ifdef IPTOS_PREC_INTERNETCONTROL
- if (sa->sa_family == AF_INET)
- setsockopt_ipv4_tos(sock, IPTOS_PREC_INTERNETCONTROL);
- else if (sa->sa_family == AF_INET6)
- setsockopt_ipv6_tclass(sock, IPTOS_PREC_INTERNETCONTROL);
+ if (sa->sa_family == AF_INET)
+ setsockopt_ipv4_tos(sock, IPTOS_PREC_INTERNETCONTROL);
+ else if (sa->sa_family == AF_INET6)
+ setsockopt_ipv6_tclass(sock, IPTOS_PREC_INTERNETCONTROL);
#endif
- sockopt_v6only(sa->sa_family, sock);
+ sockopt_v6only(sa->sa_family, sock);
- ret = bind(sock, sa, salen);
- en = errno;
- if (bgpd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs",
- __func__);
+ ret = bind(sock, sa, salen);
+ en = errno;
+ }
if (ret < 0) {
flog_err_sys(LIB_ERR_SOCKET, "bind: %s", safe_strerror(en));
snprintf(port_str, sizeof(port_str), "%d", port);
port_str[sizeof(port_str) - 1] = '\0';
- if (bgpd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- ret = vrf_getaddrinfo(address, port_str, &req, &ainfo_save,
- bgp->vrf_id);
- if (bgpd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&bgpd_privs) {
+ ret = vrf_getaddrinfo(address, port_str, &req, &ainfo_save,
+ bgp->vrf_id);
+ }
if (ret != 0) {
flog_err_sys(LIB_ERR_SOCKET, "getaddrinfo: %s",
gai_strerror(ret));
if (ainfo->ai_family != AF_INET && ainfo->ai_family != AF_INET6)
continue;
- if (bgpd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- sock = vrf_socket(ainfo->ai_family, ainfo->ai_socktype,
- ainfo->ai_protocol, bgp->vrf_id,
- (bgp->inst_type == BGP_INSTANCE_TYPE_VRF ?
- bgp->name : NULL));
- if (bgpd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&bgpd_privs) {
+ sock = vrf_socket(ainfo->ai_family,
+ ainfo->ai_socktype,
+ ainfo->ai_protocol, bgp->vrf_id,
+ (bgp->inst_type == BGP_INSTANCE_TYPE_VRF ?
+ bgp->name : NULL));
+ }
if (sock < 0) {
flog_err_sys(LIB_ERR_SOCKET, "socket: %s",
safe_strerror(errno));
/* Check if any work has to be done at all. */
if (eigrp->maxsndbuflen >= buflen)
return;
- if (eigrpd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs, %s",
- __func__, safe_strerror(errno));
+ frr_elevate_privs(&eigrpd_privs) {
/* Now we try to set SO_SNDBUF to what our caller has requested
* (the MTU of a newly added interface). However, if the OS has
* may allocate more buffer space, than requested, this isn't
* a error.
*/
- setsockopt_so_sendbuf(eigrp->fd, buflen);
- newbuflen = getsockopt_so_sendbuf(eigrp->fd);
- if (newbuflen < 0 || newbuflen < (int)buflen)
- zlog_warn("%s: tried to set SO_SNDBUF to %u, but got %d",
- __func__, buflen, newbuflen);
- if (newbuflen >= 0)
- eigrp->maxsndbuflen = (unsigned int)newbuflen;
- else
- zlog_warn("%s: failed to get SO_SNDBUF", __func__);
- if (eigrpd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs, %s",
- __func__, safe_strerror(errno));
+ setsockopt_so_sendbuf(eigrp->fd, buflen);
+ newbuflen = getsockopt_so_sendbuf(eigrp->fd);
+ if (newbuflen < 0 || newbuflen < (int)buflen)
+ zlog_warn("%s: tried to set SO_SNDBUF to %u, but got %d",
+ __func__, buflen, newbuflen);
+ if (newbuflen >= 0)
+ eigrp->maxsndbuflen = (unsigned int)newbuflen;
+ else
+ zlog_warn("%s: failed to get SO_SNDBUF", __func__);
+ }
}
int eigrp_if_ipmulticast(struct eigrp *top, struct prefix *p,
{
int retval = ISIS_OK;
- if (isisd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs, %s",
- __func__, safe_strerror(errno));
+ frr_elevate_privs(&isisd_privs) {
- retval = open_bpf_dev(circuit);
+ retval = open_bpf_dev(circuit);
- if (retval != ISIS_OK) {
- zlog_warn("%s: could not initialize the socket", __func__);
- goto end;
- }
+ if (retval != ISIS_OK) {
+ zlog_warn("%s: could not initialize the socket", __func__);
+ break;
+ }
- if (if_is_broadcast(circuit->interface)) {
- circuit->tx = isis_send_pdu_bcast;
- circuit->rx = isis_recv_pdu_bcast;
- } else {
- zlog_warn("isis_sock_init(): unknown circuit type");
- retval = ISIS_WARNING;
- goto end;
- }
+ if (if_is_broadcast(circuit->interface)) {
+ circuit->tx = isis_send_pdu_bcast;
+ circuit->rx = isis_recv_pdu_bcast;
+ } else {
+ zlog_warn("isis_sock_init(): unknown circuit type");
+ retval = ISIS_WARNING;
+ break;
+ }
-end:
- if (isisd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs, %s",
- __func__, safe_strerror(errno));
+}
return retval;
}
{
int retval = ISIS_OK;
- if (isisd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs, %s",
- __func__, safe_strerror(errno));
+ frr_elevate_privs(&isisd_privs) {
- retval = open_dlpi_dev(circuit);
+ retval = open_dlpi_dev(circuit);
- if (retval != ISIS_OK) {
- zlog_warn("%s: could not initialize the socket", __func__);
- goto end;
- }
+ if (retval != ISIS_OK) {
+ zlog_warn("%s: could not initialize the socket", __func__);
+ break;
+ }
- if (circuit->circ_type == CIRCUIT_T_BROADCAST) {
- circuit->tx = isis_send_pdu_bcast;
- circuit->rx = isis_recv_pdu_bcast;
- } else {
- zlog_warn("isis_sock_init(): unknown circuit type");
- retval = ISIS_WARNING;
- goto end;
- }
+ if (circuit->circ_type == CIRCUIT_T_BROADCAST) {
+ circuit->tx = isis_send_pdu_bcast;
+ circuit->rx = isis_recv_pdu_bcast;
+ } else {
+ zlog_warn("isis_sock_init(): unknown circuit type");
+ retval = ISIS_WARNING;
+ break;
+ }
-end:
- if (isisd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs, %s",
- __func__, safe_strerror(errno));
+}
return retval;
}
{
int retval = ISIS_OK;
- if (isisd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs, %s",
- __func__, safe_strerror(errno));
+ frr_elevate_privs(&isisd_privs) {
- retval = open_packet_socket(circuit);
+ retval = open_packet_socket(circuit);
- if (retval != ISIS_OK) {
- zlog_warn("%s: could not initialize the socket", __func__);
- goto end;
- }
+ if (retval != ISIS_OK) {
+ zlog_warn("%s: could not initialize the socket", __func__);
+ break;
+ }
/* Assign Rx and Tx callbacks are based on real if type */
- if (if_is_broadcast(circuit->interface)) {
- circuit->tx = isis_send_pdu_bcast;
- circuit->rx = isis_recv_pdu_bcast;
- } else if (if_is_pointopoint(circuit->interface)) {
- circuit->tx = isis_send_pdu_p2p;
- circuit->rx = isis_recv_pdu_p2p;
- } else {
- zlog_warn("isis_sock_init(): unknown circuit type");
- retval = ISIS_WARNING;
- goto end;
- }
+ if (if_is_broadcast(circuit->interface)) {
+ circuit->tx = isis_send_pdu_bcast;
+ circuit->rx = isis_recv_pdu_bcast;
+ } else if (if_is_pointopoint(circuit->interface)) {
+ circuit->tx = isis_send_pdu_p2p;
+ circuit->rx = isis_recv_pdu_p2p;
+ } else {
+ zlog_warn("isis_sock_init(): unknown circuit type");
+ retval = ISIS_WARNING;
+ break;
+ }
-end:
- if (isisd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs, %s",
- __func__, safe_strerror(errno));
+}
return retval;
}
sock_set_bindany(int fd, int enable)
{
#ifdef HAVE_SO_BINDANY
- if (ldpd_privs.change(ZPRIVS_RAISE))
- log_warn("%s: could not raise privs", __func__);
- if (setsockopt(fd, SOL_SOCKET, SO_BINDANY, &enable,
- sizeof(int)) < 0) {
- if (ldpd_privs.change(ZPRIVS_LOWER))
- log_warn("%s: could not lower privs", __func__);
- log_warn("%s: error setting SO_BINDANY", __func__);
- return (-1);
+ frr_elevate_privs(&ldpd_privs) {
+ if (setsockopt(fd, SOL_SOCKET, SO_BINDANY, &enable,
+ sizeof(int)) < 0) {
+ log_warn("%s: error setting SO_BINDANY", __func__);
+ return (-1);
+ }
}
- if (ldpd_privs.change(ZPRIVS_LOWER))
- log_warn("%s: could not lower privs", __func__);
return (0);
#elif defined(HAVE_IP_FREEBIND)
if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &enable, sizeof(int)) < 0) {
/* Make ospf6d's server socket. */
int ospf6_serv_sock(void)
{
- if (ospf6d_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "ospf6_serv_sock: could not raise privs");
-
- ospf6_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_OSPFIGP);
- if (ospf6_sock < 0) {
- zlog_warn("Network: can't create OSPF6 socket.");
- if (ospf6d_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "ospf6_sock_init: could not lower privs");
- return -1;
+ frr_elevate_privs(&ospf6d_privs) {
+
+ ospf6_sock = socket(AF_INET6, SOCK_RAW, IPPROTO_OSPFIGP);
+ if (ospf6_sock < 0) {
+ zlog_warn("Network: can't create OSPF6 socket.");
+ return -1;
+ }
}
- if (ospf6d_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "ospf6_sock_init: could not lower privs");
/* set socket options */
#if 1
* We need to create the VRF table for the pim mroute_socket
*/
if (pim->vrf_id != VRF_DEFAULT) {
- if (pimd_privs.change(ZPRIVS_RAISE))
- flog_err(
- LIB_ERR_PRIVILEGES,
- "pim_mroute_socket_enable: could not raise privs, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&pimd_privs) {
- opt = pim->vrf->data.l.table_id;
- err = setsockopt(pim->mroute_socket, IPPROTO_IP, MRT_TABLE,
- &opt, opt_len);
- if (err) {
- zlog_warn(
- "%s %s: failure: setsockopt(fd=%d,IPPROTO_IP, MRT_TABLE=%d): errno=%d: %s",
- __FILE__, __PRETTY_FUNCTION__,
- pim->mroute_socket, opt, errno,
- safe_strerror(errno));
- return -1;
- }
+ opt = pim->vrf->data.l.table_id;
+ err = setsockopt(pim->mroute_socket, IPPROTO_IP,
+ MRT_TABLE,
+ &opt, opt_len);
+ if (err) {
+ zlog_warn(
+ "%s %s: failure: setsockopt(fd=%d,IPPROTO_IP, MRT_TABLE=%d): errno=%d: %s",
+ __FILE__, __PRETTY_FUNCTION__,
+ pim->mroute_socket, opt, errno,
+ safe_strerror(errno));
+ return -1;
+ }
- if (pimd_privs.change(ZPRIVS_LOWER))
- flog_err(
- LIB_ERR_PRIVILEGES,
- "pim_mroute_socket_enable: could not lower privs, %s",
- safe_strerror(errno));
+ }
}
opt = enable ? MRT_INIT : MRT_DONE;
{
int fd;
- if (pimd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "pim_mroute_socket_enable: could not raise privs, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&pimd_privs) {
- fd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
+ fd = socket(AF_INET, SOCK_RAW, IPPROTO_IGMP);
- if (fd < 0) {
- zlog_warn("Could not create mroute socket: errno=%d: %s", errno,
- safe_strerror(errno));
- return -2;
- }
+ if (fd < 0) {
+ zlog_warn("Could not create mroute socket: errno=%d: %s",
+ errno,
+ safe_strerror(errno));
+ return -2;
+ }
#ifdef SO_BINDTODEVICE
- if (pim->vrf->vrf_id != VRF_DEFAULT
- && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, pim->vrf->name,
- strlen(pim->vrf->name))) {
- zlog_warn("Could not setsockopt SO_BINDTODEVICE: %s",
- safe_strerror(errno));
- close(fd);
- return -3;
- }
+ if (pim->vrf->vrf_id != VRF_DEFAULT
+ && setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, pim->vrf->name,
+ strlen(pim->vrf->name))) {
+ zlog_warn("Could not setsockopt SO_BINDTODEVICE: %s",
+ safe_strerror(errno));
+ close(fd);
+ return -3;
+ }
#endif
- if (pimd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "pim_mroute_socket_enable: could not lower privs, %s",
- safe_strerror(errno));
+ }
pim->mroute_socket = fd;
if (pim_mroute_set(pim, 1)) {
{
int fd;
- if (pimd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "pim_sockek_raw: could not raise privs, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&pimd_privs) {
- fd = socket(AF_INET, SOCK_RAW, protocol);
+ fd = socket(AF_INET, SOCK_RAW, protocol);
- if (pimd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "pim_socket_raw: could not lower privs, %s",
- safe_strerror(errno));
+ }
if (fd < 0) {
zlog_warn("Could not create raw socket: errno=%d: %s", errno,
{
const int on = 1;
- if (pimd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs, %s",
- __PRETTY_FUNCTION__, safe_strerror(errno));
+ frr_elevate_privs(&pimd_privs) {
- if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)))
- flog_err_sys(LIB_ERR_SOCKET,
- "%s: Could not turn on IP_HDRINCL option: %s",
- __PRETTY_FUNCTION__, safe_strerror(errno));
+ if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)))
+ zlog_err("%s: Could not turn on IP_HDRINCL option: %s",
+ __PRETTY_FUNCTION__, safe_strerror(errno));
- if (pimd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs, %s",
- __PRETTY_FUNCTION__, safe_strerror(errno));
+ }
}
/*
int ret = 0;
#ifdef SO_BINDTODEVICE
- if (pimd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not raise privs, %s",
- __PRETTY_FUNCTION__, safe_strerror(errno));
+ frr_elevate_privs(&pimd_privs) {
- ret = setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifp->name,
- strlen(ifp->name));
+ ret = setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifp->name,
+ strlen(ifp->name));
- if (pimd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "%s: could not lower privs, %s",
- __PRETTY_FUNCTION__, safe_strerror(errno));
+ }
#endif
return ret;
setsockopt_ipv4_tos(sock, IPTOS_PREC_INTERNETCONTROL);
#endif
- if (ripd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "rip_create_socket: could not raise privs");
- setsockopt_so_recvbuf(sock, RIP_UDP_RCV_BUF);
- if ((ret = bind(sock, (struct sockaddr *)&addr, sizeof(addr))) < 0)
+ frr_elevate_privs(&ripd_privs) {
+ setsockopt_so_recvbuf(sock, RIP_UDP_RCV_BUF);
+ if ((ret = bind(sock, (struct sockaddr *)&addr, sizeof(addr))) < 0)
- {
- int save_errno = errno;
- if (ripd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "rip_create_socket: could not lower privs");
-
- flog_err_sys(LIB_ERR_SOCKET,
- "%s: Can't bind socket %d to %s port %d: %s",
- __func__, sock, inet_ntoa(addr.sin_addr),
- (int)ntohs(addr.sin_port),
- safe_strerror(save_errno));
-
- close(sock);
- return ret;
- }
+ {
+ int save_errno = errno;
+
+ zlog_err("%s: Can't bind socket %d to %s port %d: %s",
+ __func__,
+ sock, inet_ntoa(addr.sin_addr),
+ (int)ntohs(addr.sin_port), safe_strerror(save_errno));
- if (ripd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "rip_create_socket: could not lower privs");
+ close(sock);
+ return ret;
+ }
+
+ }
return sock;
}
* While this is bogus, privs are available and easy to use
* for this call as a workaround.
*/
- if (ripngd_privs.change(ZPRIVS_RAISE))
- flog_err(
- LIB_ERR_PRIVILEGES,
- "ripng_multicast_join: could not raise privs");
+ frr_elevate_privs(&ripngd_privs) {
- ret = setsockopt(ripng->sock, IPPROTO_IPV6, IPV6_JOIN_GROUP,
- (char *)&mreq, sizeof(mreq));
- save_errno = errno;
+ ret = setsockopt(ripng->sock, IPPROTO_IPV6,
+ IPV6_JOIN_GROUP,
+ (char *)&mreq, sizeof(mreq));
+ save_errno = errno;
- if (ripngd_privs.change(ZPRIVS_LOWER))
- flog_err(
- LIB_ERR_PRIVILEGES,
- "ripng_multicast_join: could not lower privs");
+ }
if (ret < 0 && save_errno == EADDRINUSE) {
/*
#endif /* SIN6_LEN */
ripaddr.sin6_port = htons(RIPNG_PORT_DEFAULT);
- if (ripngd_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "ripng_make_socket: could not raise privs");
+ frr_elevate_privs(&ripngd_privs) {
- ret = bind(sock, (struct sockaddr *)&ripaddr, sizeof(ripaddr));
- if (ret < 0) {
- flog_err_sys(LIB_ERR_SOCKET, "Can't bind ripng socket: %s.",
- safe_strerror(errno));
- if (ripngd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "ripng_make_socket: could not lower privs");
- goto error;
+ ret = bind(sock, (struct sockaddr *)&ripaddr, sizeof(ripaddr));
+ if (ret < 0) {
+ zlog_err("Can't bind ripng socket: %s.", safe_strerror(errno));
+ goto error;
+ }
}
- if (ripngd_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "ripng_make_socket: could not lower privs");
return sock;
error:
--- /dev/null
+@@
+identifier change;
+identifier end;
+expression E, f, g;
+iterator name frr_elevate_privs;
+@@
+
+- if (E.change(ZPRIVS_RAISE))
+- f;
++ frr_elevate_privs(&E) {
+ <+...
+- goto end;
++ break;
+ ...+>
+- end:
+- if (E.change(ZPRIVS_LOWER))
+- g;
++ }
+
+@@
+identifier change, errno, safe_strerror, exit;
+expression E, f1, f2, f3, ret, fn;
+iterator name frr_elevate_privs;
+@@
+
+ if (E.change(ZPRIVS_RAISE))
+ f1;
+ ...
+ if (...) {
+- int save_errno = errno;
+ ...
+- if (E.change(ZPRIVS_LOWER))
+- f2;
+ ...
+- safe_strerror(save_errno)
++ safe_strerror(errno)
+ ...
+ \( return ret; \| exit(ret); \)
+ }
+ ...
+ if (E.change(ZPRIVS_LOWER))
+ f3;
+
+@@
+identifier change;
+expression E, f1, f2, f3, ret;
+iterator name frr_elevate_privs;
+@@
+
+ if (E.change(ZPRIVS_RAISE))
+ f1;
+ ...
+ if (...) {
+ ...
+- if (E.change(ZPRIVS_LOWER))
+- f2;
+ ...
+ return ret;
+ }
+ ...
+ if (E.change(ZPRIVS_LOWER))
+ f3;
+
+@@
+identifier change;
+expression E, f, g;
+iterator name frr_elevate_privs;
+@@
+
+- if (E.change(ZPRIVS_RAISE))
+- f;
++ frr_elevate_privs(&E) {
+ ...
+- if (E.change(ZPRIVS_LOWER))
+- g;
++ }
size_t needed, lastneeded = 0;
char *buf = NULL;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-
- sock = socket(af, SOCK_DGRAM, 0);
- if (sock < 0) {
- zlog_warn("Can't make %s socket stream: %s",
- (af == AF_INET ? "AF_INET" : "AF_INET6"),
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ sock = socket(af, SOCK_DGRAM, 0);
+ if (sock < 0) {
+ zlog_warn("Can't make %s socket stream: %s",
+ (af == AF_INET ? "AF_INET" : "AF_INET6"),
+ safe_strerror(errno));
- return -1;
- }
+ return -1;
+ }
calculate_lifc_len: /* must hold privileges to enter here */
- lifn.lifn_family = af;
- lifn.lifn_flags = LIFC_NOXMIT; /* we want NOXMIT interfaces too */
- ret = ioctl(sock, SIOCGLIFNUM, &lifn);
- save_errno = errno;
+ lifn.lifn_family = af;
+ lifn.lifn_flags = LIFC_NOXMIT; /* we want NOXMIT interfaces too */
+ ret = ioctl(sock, SIOCGLIFNUM, &lifn);
+ save_errno = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ }
if (ret < 0) {
zlog_warn("interface_list_ioctl: SIOCGLIFNUM failed %s",
ifdata.ifr_data = (caddr_t)&ecmd;
/* use ioctl to get IP address of an interface */
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- sd = vrf_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP, interface->vrf_id,
- NULL);
- if (sd < 0) {
- if (IS_ZEBRA_DEBUG_KERNEL)
- zlog_debug("Failure to read interface %s speed: %d %s",
- ifname, errno, safe_strerror(errno));
- return 0;
- }
+ frr_elevate_privs(&zserv_privs) {
+ sd = vrf_socket(PF_INET, SOCK_DGRAM, IPPROTO_IP,
+ interface->vrf_id,
+ NULL);
+ if (sd < 0) {
+ if (IS_ZEBRA_DEBUG_KERNEL)
+ zlog_debug("Failure to read interface %s speed: %d %s",
+ ifname, errno, safe_strerror(errno));
+ return 0;
+ }
/* Get the current link state for the interface */
- rc = vrf_ioctl(interface->vrf_id, sd, SIOCETHTOOL, (char *)&ifdata);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ rc = vrf_ioctl(interface->vrf_id, sd, SIOCETHTOOL, (char *)&ifdata);
+ }
if (rc < 0) {
if (IS_ZEBRA_DEBUG_KERNEL)
zlog_debug(
int ret;
int err = 0;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- sock = socket(AF_INET, SOCK_DGRAM, 0);
- if (sock < 0) {
- int save_errno = errno;
-
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
- safe_strerror(save_errno));
- exit(1);
+ frr_elevate_privs(&zserv_privs) {
+ sock = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sock < 0) {
+ zlog_err("Cannot create UDP socket: %s",
+ safe_strerror(errno));
+ exit(1);
+ }
+ if ((ret = ioctl(sock, request, buffer)) < 0)
+ err = errno;
}
- if ((ret = ioctl(sock, request, buffer)) < 0)
- err = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
close(sock);
if (ret < 0) {
int ret;
int err = 0;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- sock = vrf_socket(AF_INET, SOCK_DGRAM, 0, vrf_id, NULL);
- if (sock < 0) {
- int save_errno = errno;
-
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
- safe_strerror(save_errno));
- exit(1);
+ frr_elevate_privs(&zserv_privs) {
+ sock = vrf_socket(AF_INET, SOCK_DGRAM, 0, vrf_id, NULL);
+ if (sock < 0) {
+ zlog_err("Cannot create UDP socket: %s",
+ safe_strerror(errno));
+ exit(1);
+ }
+ ret = vrf_ioctl(vrf_id, sock, request, buffer);
+ if (ret < 0)
+ err = errno;
}
- ret = vrf_ioctl(vrf_id, sock, request, buffer);
- if (ret < 0)
- err = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
close(sock);
if (ret < 0) {
int ret;
int err = 0;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- sock = socket(AF_INET6, SOCK_DGRAM, 0);
- if (sock < 0) {
- int save_errno = errno;
-
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- flog_err_sys(LIB_ERR_SOCKET,
- "Cannot create IPv6 datagram socket: %s",
- safe_strerror(save_errno));
- exit(1);
- }
+ frr_elevate_privs(&zserv_privs) {
+ sock = socket(AF_INET6, SOCK_DGRAM, 0);
+ if (sock < 0) {
+ zlog_err("Cannot create IPv6 datagram socket: %s",
+ safe_strerror(errno));
+ exit(1);
+ }
- if ((ret = ioctl(sock, request, buffer)) < 0)
- err = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ if ((ret = ioctl(sock, request, buffer)) < 0)
+ err = errno;
+ }
close(sock);
if (ret < 0) {
int ret;
int err;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-
- sock = socket(AF_INET, SOCK_DGRAM, 0);
- if (sock < 0) {
- int save_errno = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- flog_err_sys(LIB_ERR_SOCKET, "Cannot create UDP socket: %s",
- safe_strerror(save_errno));
- exit(1);
- }
+ frr_elevate_privs(&zserv_privs) {
+
+ sock = socket(AF_INET, SOCK_DGRAM, 0);
+ if (sock < 0) {
+ zlog_err("Cannot create UDP socket: %s",
+ safe_strerror(errno));
+ exit(1);
+ }
- if ((ret = ioctl(sock, request, buffer)) < 0)
- err = errno;
+ if ((ret = ioctl(sock, request, buffer)) < 0)
+ err = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ }
close(sock);
int ret;
int err;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
-
- sock = socket(AF_INET6, SOCK_DGRAM, 0);
- if (sock < 0) {
- int save_errno = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- flog_err_sys(LIB_ERR_SOCKET,
- "Cannot create IPv6 datagram socket: %s",
- safe_strerror(save_errno));
- exit(1);
- }
+ frr_elevate_privs(&zserv_privs) {
+
+ sock = socket(AF_INET6, SOCK_DGRAM, 0);
+ if (sock < 0) {
+ zlog_err("Cannot create IPv6 datagram socket: %s",
+ safe_strerror(errno));
+ exit(1);
+ }
- if ((ret = ioctl(sock, request, buffer)) < 0)
- err = errno;
+ if ((ret = ioctl(sock, request, buffer)) < 0)
+ err = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ }
close(sock);
{
FILE *fp;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- fp = fopen(proc_ipv4_forwarding, "w");
+ fp = fopen(proc_ipv4_forwarding, "w");
- if (fp == NULL) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "Can't lower privileges, %s",
- safe_strerror(errno));
- return -1;
- }
+ if (fp == NULL) {
+ return -1;
+ }
- fprintf(fp, "1\n");
+ fprintf(fp, "1\n");
- fclose(fp);
+ fclose(fp);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
- safe_strerror(errno));
+ }
return ipforward();
}
{
FILE *fp;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- fp = fopen(proc_ipv4_forwarding, "w");
+ fp = fopen(proc_ipv4_forwarding, "w");
- if (fp == NULL) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "Can't lower privileges, %s",
- safe_strerror(errno));
- return -1;
- }
+ if (fp == NULL) {
+ return -1;
+ }
- fprintf(fp, "0\n");
+ fprintf(fp, "0\n");
- fclose(fp);
+ fclose(fp);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
- safe_strerror(errno));
+ }
return ipforward();
}
{
FILE *fp;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- fp = fopen(proc_ipv6_forwarding, "w");
+ fp = fopen(proc_ipv6_forwarding, "w");
- if (fp == NULL) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "Can't lower privileges, %s",
- safe_strerror(errno));
- return -1;
- }
+ if (fp == NULL) {
+ return -1;
+ }
- fprintf(fp, "1\n");
+ fprintf(fp, "1\n");
- fclose(fp);
+ fclose(fp);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
- safe_strerror(errno));
+ }
return ipforward_ipv6();
}
{
FILE *fp;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- fp = fopen(proc_ipv6_forwarding, "w");
+ fp = fopen(proc_ipv6_forwarding, "w");
- if (fp == NULL) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "Can't lower privileges, %s",
- safe_strerror(errno));
- return -1;
- }
+ if (fp == NULL) {
+ return -1;
+ }
- fprintf(fp, "0\n");
+ fprintf(fp, "0\n");
- fclose(fp);
+ fclose(fp);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges, %s",
- safe_strerror(errno));
+ }
return ipforward_ipv6();
}
strioctl.ic_len = ND_BUFFER_SIZE;
strioctl.ic_dp = nd_buf;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "solaris_nd: Can't raise privileges");
- if ((fd = open(device, O_RDWR)) < 0) {
- zlog_warn("failed to open device %s - %s", device,
- safe_strerror(errno));
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "solaris_nd: Can't lower privileges");
- return -1;
- }
- if (ioctl(fd, I_STR, &strioctl) < 0) {
- int save_errno = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "solaris_nd: Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ if ((fd = open(device, O_RDWR)) < 0) {
+ zlog_warn("failed to open device %s - %s", device,
+ safe_strerror(errno));
+ return -1;
+ }
+ if (ioctl(fd, I_STR, &strioctl) < 0) {
+ close(fd);
+ zlog_warn("ioctl I_STR failed on device %s - %s",
+ device,
+ safe_strerror(errno));
+ return -1;
+ }
close(fd);
- zlog_warn("ioctl I_STR failed on device %s - %s", device,
- safe_strerror(save_errno));
- return -1;
}
- close(fd);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "solaris_nd: Can't lower privileges");
if (cmd == ND_GET) {
errno = 0;
int ipforwarding = 1;
len = sizeof ipforwarding;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- zlog_warn("Can't set ipforwarding on");
- return -1;
+ frr_elevate_privs(&zserv_privs) {
+ if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
+ zlog_warn("Can't set ipforwarding on");
+ return -1;
+ }
}
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
return ipforwarding;
}
int ipforwarding = 0;
len = sizeof ipforwarding;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- zlog_warn("Can't set ipforwarding on");
- return -1;
+ frr_elevate_privs(&zserv_privs) {
+ if (sysctl(mib, MIB_SIZ, NULL, NULL, &ipforwarding, len) < 0) {
+ zlog_warn("Can't set ipforwarding on");
+ return -1;
+ }
}
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
return ipforwarding;
}
int ip6forwarding = 0;
len = sizeof ip6forwarding;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- if (sysctl(mib_ipv6, MIB_SIZ, &ip6forwarding, &len, 0, 0) < 0) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- zlog_warn("can't get ip6forwarding value");
- return -1;
+ frr_elevate_privs(&zserv_privs) {
+ if (sysctl(mib_ipv6, MIB_SIZ, &ip6forwarding, &len, 0, 0) < 0) {
+ zlog_warn("can't get ip6forwarding value");
+ return -1;
+ }
}
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
return ip6forwarding;
}
int ip6forwarding = 1;
len = sizeof ip6forwarding;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- zlog_warn("can't get ip6forwarding value");
- return -1;
+ frr_elevate_privs(&zserv_privs) {
+ if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
+ zlog_warn("can't get ip6forwarding value");
+ return -1;
+ }
}
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
return ip6forwarding;
}
int ip6forwarding = 0;
len = sizeof ip6forwarding;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
- zlog_warn("can't get ip6forwarding value");
- return -1;
+ frr_elevate_privs(&zserv_privs) {
+ if (sysctl(mib_ipv6, MIB_SIZ, NULL, NULL, &ip6forwarding, len) < 0) {
+ zlog_warn("can't get ip6forwarding value");
+ return -1;
+ }
}
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
return ip6forwarding;
}
int save_errno;
int sock;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "irdp_sock_init: could not raise privs, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
- save_errno = errno;
+ sock = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
+ save_errno = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "irdp_sock_init: could not lower privs, %s",
- safe_strerror(errno));
+ }
if (sock < 0) {
zlog_warn("IRDP: can't create irdp socket %s",
}
/* Try force option (linux >= 2.6.14) and fall back to normal set */
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "routing_socket: Can't raise privileges");
- ret = setsockopt(nl->sock, SOL_SOCKET, SO_RCVBUFFORCE, &nl_rcvbufsize,
- sizeof(nl_rcvbufsize));
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "routing_socket: Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ ret = setsockopt(nl->sock, SOL_SOCKET, SO_RCVBUFFORCE,
+ &nl_rcvbufsize,
+ sizeof(nl_rcvbufsize));
+ }
if (ret < 0)
ret = setsockopt(nl->sock, SOL_SOCKET, SO_RCVBUF,
&nl_rcvbufsize, sizeof(nl_rcvbufsize));
n->nlmsg_flags);
/* Send message to netlink interface. */
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- status = sendmsg(nl->sock, &msg, 0);
- save_errno = errno;
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ status = sendmsg(nl->sock, &msg, 0);
+ save_errno = errno;
+ }
if (IS_ZEBRA_DEBUG_KERNEL_MSGDUMP_SEND) {
zlog_debug("%s: >> netlink message dump [sent]", __func__);
return DP_REQUEST_FAILURE;
}
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
+ frr_elevate_privs(&zserv_privs) {
- if (old)
- route |= kernel_rtm(RTM_DELETE, p, old);
+ if (old)
+ route |= kernel_rtm(RTM_DELETE, p, old);
- if (new)
- route |= kernel_rtm(RTM_ADD, p, new);
+ if (new)
+ route |= kernel_rtm(RTM_ADD, p, new);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ }
if (new) {
kernel_route_rib_pass_fail(
int ret = 0;
struct icmp6_filter filter;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES,
- "rtadv_make_socket: could not raise privs, %s",
- safe_strerror(errno));
+ frr_elevate_privs(&zserv_privs) {
- sock = ns_socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6, ns_id);
+ sock = ns_socket(AF_INET6, SOCK_RAW, IPPROTO_ICMPV6, ns_id);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES,
- "rtadv_make_socket: could not lower privs, %s",
- safe_strerror(errno));
+ }
if (sock < 0) {
return -1;
hdr.rtm_mpls = MPLS_OP_SWAP;
}
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- ret = writev(kr_state.fd, iov, iovcnt);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ ret = writev(kr_state.fd, iov, iovcnt);
+ }
if (ret == -1)
flog_err_sys(LIB_ERR_SOCKET, "%s: %s", __func__,
hdr.rtm_mpls = MPLS_OP_SWAP;
}
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- ret = writev(kr_state.fd, iov, iovcnt);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ ret = writev(kr_state.fd, iov, iovcnt);
+ }
if (ret == -1)
flog_err_sys(LIB_ERR_SOCKET, "%s: %s", __func__,
if (netnspath == NULL)
return;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- ns_id = zebra_ns_id_get(netnspath);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ ns_id = zebra_ns_id_get(netnspath);
+ }
if (ns_id == NS_UNKNOWN)
return;
ns_id_external = ns_map_nsid_with_external(ns_id, true);
ns_map_nsid_with_external(ns_id, false);
return;
}
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- ret = vrf_netns_handler_create(NULL, vrf, netnspath,
- ns_id_external, ns_id);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ ret = vrf_netns_handler_create(NULL, vrf, netnspath,
+ ns_id_external, ns_id);
+ }
if (ret != CMD_SUCCESS) {
zlog_warn("NS notify : failed to create NS %s", netnspath);
ns_map_nsid_with_external(ns_id, false);
netnspath = zns_info->netnspath;
if (--zns_info->retries == 0)
stop_retry = 1;
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- err = ns_switch_to_netns(netnspath);
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ err = ns_switch_to_netns(netnspath);
+ }
if (err < 0)
return zebra_ns_continue_read(zns_info, stop_retry);
/* go back to default ns */
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- err = ns_switchback_to_initial();
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ err = ns_switchback_to_initial();
+ }
if (err < 0)
return zebra_ns_continue_read(zns_info, stop_retry);
dzns = zebra_ns_alloc();
- if (zserv_privs.change(ZPRIVS_RAISE))
- flog_err(LIB_ERR_PRIVILEGES, "Can't raise privileges");
- ns_id = zebra_ns_id_get_default();
- if (zserv_privs.change(ZPRIVS_LOWER))
- flog_err(LIB_ERR_PRIVILEGES, "Can't lower privileges");
+ frr_elevate_privs(&zserv_privs) {
+ ns_id = zebra_ns_id_get_default();
+ }
ns_id_external = ns_map_nsid_with_external(ns_id, true);
ns_init_management(ns_id_external, ns_id);