import frr-8.3.1-10.el9

1 year ago · bbfd16ed77
parent 7ffefebdf7
commit bbfd16ed77
10 changed files with 686 additions and 5 deletions
--- a/.frr.metadata
+++ b/.frr.metadata
@ -1,2 +1 @@
 467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz
 e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1 @@
 SOURCES/frr-8.3.1.tar.gz
 SOURCES/frr.if
--- a/SOURCES/0004-fips-mode.patch
+++ b/SOURCES/0004-fips-mode.patch
@ -101,3 +101,15 @@ index 5bb81ef..02a09ef 100644
 	nb_cli_enqueue_change(vty, "./authentication-scheme/mode", NB_OP_MODIFY,
 			      strmatch(mode, "md5") ? "md5" : "plain-text");
 	if (strmatch(mode, "md5"))
 diff --git a/lib/zebra.h b/lib/zebra.h
 index 53ae5b4..930307f 100644
 --- a/lib/zebra.h
 +++ b/lib/zebra.h
@@ -114,6 +114,7 @@
 #ifdef CRYPTO_OPENSSL
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 +#include <openssl/fips.h>
 #endif
 #include "openbsd-tree.h"
--- a/SOURCES/0009-CVE-2022-36440-40302.patch
+++ b/SOURCES/0009-CVE-2022-36440-40302.patch
@ -0,0 +1,59 @@
 From 3e46b43e3788f0f87bae56a86b54d412b4710286 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 30 Sep 2022 08:51:45 -0400
 Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
 peek_for_as4_capability
 In peek_for_as4_capability the code is checking that the
 stream has at least 2 bytes to read ( the opt_type and the
 opt_length ).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 is configured then FRR is reading 3 bytes.  Which is not good
 since the packet could be badly formated.  Ensure that
 FRR has the appropriate data length to read the data.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_open.c | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)
 diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
 index 7248f034a5a..a760a7ca013 100644
 --- a/bgpd/bgp_open.c
 +++ b/bgpd/bgp_open.c
@@ -1185,15 +1185,30 @@ as_t peek_for_as4_capability(struct peer *peer, uint16_t length)
 		uint8_t opt_type;
 		uint16_t opt_length;
 -		/* Check the length. */
 -		if (stream_get_getp(s) + 2 > end)
 +		/* Ensure we can read the option type */
 +		if (stream_get_getp(s) + 1 > end)
 			goto end;
 -		/* Fetch option type and length. */
 +		/* Fetch the option type */
 		opt_type = stream_getc(s);
 -		opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 -				     ? stream_getw(s)
 -				     : stream_getc(s);
 +
 +		/*
 +		 * Check the length and fetch the opt_length
 +		 * If the peer is BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 +		 * then we do a getw which is 2 bytes.  So we need to
 +		 * ensure that we can read that as well
 +		 */
 +		if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
 +			if (stream_get_getp(s) + 2 > end)
 +				goto end;
 +
 +			opt_length = stream_getw(s);
 +		} else {
 +			if (stream_get_getp(s) + 1 > end)
 +				goto end;
 +
 +			opt_length = stream_getc(s);
 +		}
 		/* Option length check. */
 		if (stream_get_getp(s) + opt_length > end)
--- a/SOURCES/0010-CVE-2022-43681.patch
+++ b/SOURCES/0010-CVE-2022-43681.patch
@ -0,0 +1,47 @@
 From 766eec1b7accffe2c04a5c9ebb14e9f487bb9f78 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Wed, 2 Nov 2022 13:24:48 -0400
 Subject: [PATCH] bgpd: Ensure that bgp open message stream has enough data to
 read
 If a operator receives an invalid packet that is of insufficient size
 then it is possible for BGP to assert during reading of the packet
 instead of gracefully resetting the connection with the peer.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_packet.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
 diff --git a/bgpd/bgp_packet.c b/bgpd/bgp_packet.c
 index 769f9613da8..72d6a923175 100644
 --- a/bgpd/bgp_packet.c
 +++ b/bgpd/bgp_packet.c
@@ -1386,8 +1386,27 @@ static int bgp_open_receive(struct peer *peer, bgp_size_t size)
 	    || CHECK_FLAG(peer->flags, PEER_FLAG_EXTENDED_OPT_PARAMS)) {
 		uint8_t opttype;
 +		if (STREAM_READABLE(peer->curr) < 1) {
 +			flog_err(
 +				EC_BGP_PKT_OPEN,
 +				"%s: stream does not have enough bytes for extended optional parameters",
 +				peer->host);
 +			bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +					BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +			return BGP_Stop;
 +		}
 +
 		opttype = stream_getc(peer->curr);
 		if (opttype == BGP_OPEN_NON_EXT_OPT_TYPE_EXTENDED_LENGTH) {
 +			if (STREAM_READABLE(peer->curr) < 2) {
 +				flog_err(
 +					EC_BGP_PKT_OPEN,
 +					"%s: stream does not have enough bytes to read the extended optional parameters optlen",
 +					peer->host);
 +				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +				return BGP_Stop;
 +			}
 			optlen = stream_getw(peer->curr);
 			SET_FLAG(peer->sflags,
 				 PEER_STATUS_EXT_OPT_PARAMS_LENGTH);
--- a/SOURCES/0011-CVE-2022-40318.patch
+++ b/SOURCES/0011-CVE-2022-40318.patch
@ -0,0 +1,70 @@
 From 1117baca3c592877a4d8a13ed6a1d9bd83977487 Mon Sep 17 00:00:00 2001
 From: Donald Sharp <sharpd@nvidia.com>
 Date: Fri, 30 Sep 2022 08:57:43 -0400
 Subject: [PATCH] bgpd: Ensure FRR has enough data to read 2 bytes in
 bgp_open_option_parse
 In bgp_open_option_parse the code is checking that the
 stream has at least 2 bytes to read ( the opt_type and
 the opt_length).  However if BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 is configured then FRR is reading 3 bytes.  Which is not good
 since the packet could be badly formateed.  Ensure that
 FRR has the appropriate data length to read the data.
 Signed-off-by: Donald Sharp <sharpd@nvidia.com>
 ---
 bgpd/bgp_open.c | 35 ++++++++++++++++++++++++++++-------
 1 file changed, 28 insertions(+), 7 deletions(-)
 diff --git a/bgpd/bgp_open.c b/bgpd/bgp_open.c
 index a760a7ca013..d1667fac261 100644
 --- a/bgpd/bgp_open.c
 +++ b/bgpd/bgp_open.c
@@ -1278,19 +1278,40 @@ int bgp_open_option_parse(struct peer *peer, uint16_t length,
 		uint8_t opt_type;
 		uint16_t opt_length;
 -		/* Must have at least an OPEN option header */
 -		if (STREAM_READABLE(s) < 2) {
 +		/*
 +		 * Check that we can read the opt_type and fetch it
 +		 */
 +		if (STREAM_READABLE(s) < 1) {
 			zlog_info("%s Option length error", peer->host);
 			bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 					BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 			return -1;
 		}
 -
 -		/* Fetch option type and length. */
 		opt_type = stream_getc(s);
 -		opt_length = BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)
 -				     ? stream_getw(s)
 -				     : stream_getc(s);
 +
 +		/*
 +		 * Check the length of the stream to ensure that
 +		 * FRR can properly read the opt_length. Then read it
 +		 */
 +		if (BGP_OPEN_EXT_OPT_PARAMS_CAPABLE(peer)) {
 +			if (STREAM_READABLE(s) < 2) {
 +				zlog_info("%s Option length error", peer->host);
 +				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +				return -1;
 +			}
 +
 +			opt_length = stream_getw(s);
 +		} else {
 +			if (STREAM_READABLE(s) < 1) {
 +				zlog_info("%s Option length error", peer->host);
 +				bgp_notify_send(peer, BGP_NOTIFY_OPEN_ERR,
 +						BGP_NOTIFY_OPEN_MALFORMED_ATTR);
 +				return -1;
 +			}
 +
 +			opt_length = stream_getc(s);
 +		}
 		/* Option length check. */
 		if (STREAM_READABLE(s) < opt_length) {
--- a/SOURCES/0012-bfd-not-working-in-vrf.patch
+++ b/SOURCES/0012-bfd-not-working-in-vrf.patch
@ -0,0 +1,255 @@
 From edc3f63167fd95e4e70287743c9b252415c9336e Mon Sep 17 00:00:00 2001
 From: Philippe Guibert <philippe.guibert@6wind.com>
 Date: Thu, 7 Jul 2022 14:33:48 +0200
 Subject: [PATCH] bfdd: allow l3vrf bfd sessions without udp leaking
 Until now, when in vrf-lite mode, the BFD implementation
 creates a single UDP socket and relies on the following
 sysctl value to 1:
 echo 1 > /proc/sys/net/ipv4/udp_l3mdev_accept
 With this setting, the incoming BFD packets from a given
 vrf, would leak to the default vrf, and would match the
 UDP socket.
 The drawback of this solution is that udp packets received
 on a given vrf may leak to an other vrf. This may be a
 security concern.
 The commit addresses this issue by avoiding this leak
 mechanism. An UDP socket is created for each vrf, and each
 socket uses new setsockopt option: SO_REUSEADDR + SO_REUSEPORT.
 With this option, the incoming UDP packets are distributed on
 the available sockets. The impact of those options with l3mdev
 devices is unknown. It has been observed that this option is not
 needed, until the default vrf sockets are created.
 To ensure the BFD packets are correctly routed to the appropriate
 socket, a BPF filter has been put in place and attached to the
 sockets : SO_ATTACH_REUSEPORT_CBPF. This option adds a criterium
 to force the packet to choose a given socket. If initial criteria
 from the default distribution algorithm were not good, at least
 two sockets would be available, and the CBPF would force the
 selection to the same socket. This would come to the situation
 where an incoming packet would be processed on a different vrf.
 The bpf code is the following one:
 struct sock_filter code[] = {
 { BPF_RET | BPF_K, 0, 0, 0 },
 };
 struct sock_fprog p = {
          .len = sizeof(code)/sizeof(struct sock_filter),
          .filter = code,
 };
 if (setsockopt(sd, SOL_SOCKET, SO_ATTACH_REUSEPORT_CBPF, &p, sizeof(p))) {
        zlog_warn("unable to set SO_ATTACH_REUSEPORT_CBPF on socket: %s",
                  strerror(errno));
        return -1;
 }
 Some tests have been done with by creating vrf contexts, and by using
 the below vtysh configuration:
 ip route 2.2.2.2/32 10.126.0.2
 vrf vrf2
 ip route 2.2.2.2/32 10.126.0.2
 !
 interface ntfp2
 ip address 10.126.0.1/24
 !
 interface ntfp3 vrf vrf4
 ip address 10.126.0.1/24
 !
 interface ntfp2 vrf vrf1
 ip address 10.126.0.1/24
 !
 interface ntfp2.100 vrf vrf2
 ip address 10.126.0.1/24
 !
 interface ntfp2.200 vrf vrf3
 ip address 10.126.0.1/24
 !
 line vty
 !
 bfd
 peer 10.126.0.2 vrf vrf2
 !
 peer 10.126.0.2 vrf vrf3
 !
 peer 10.126.0.2
 !
 peer 10.126.0.2 vrf vrf4
 !
 peer 2.2.2.2 multihop local-address 1.1.1.1
 !
 peer 2.2.2.2 multihop local-address 1.1.1.1 vrf vrf2
  transmit-interval 1500
  receive-interval 1500
 !
 The results showed no issue related to packets received by
 the wrong vrf. Even changing the udp_l3mdev_accept flag to
 1 did not change the test results.
 Signed-off-by: Philippe Guibert <philippe.guibert@6wind.com>
 ---
 bfdd/bfd.c        | 66 +++++++++++++++++++++++------------------------
 bfdd/bfd_packet.c | 45 ++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+), 34 deletions(-)
 diff --git a/bfdd/bfd.c b/bfdd/bfd.c
 index 483beb1b17c..a1619263588 100644
 --- a/bfdd/bfd.c
 +++ b/bfdd/bfd.c
@@ -1950,40 +1950,38 @@ static int bfd_vrf_enable(struct vrf *vrf)
 	if (bglobal.debug_zebra)
 		zlog_debug("VRF enable add %s id %u", vrf->name, vrf->vrf_id);
 -	if (vrf->vrf_id == VRF_DEFAULT ||
 -	    vrf_get_backend() == VRF_BACKEND_NETNS) {
 -		if (!bvrf->bg_shop)
 -			bvrf->bg_shop = bp_udp_shop(vrf);
 -		if (!bvrf->bg_mhop)
 -			bvrf->bg_mhop = bp_udp_mhop(vrf);
 -		if (!bvrf->bg_shop6)
 -			bvrf->bg_shop6 = bp_udp6_shop(vrf);
 -		if (!bvrf->bg_mhop6)
 -			bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
 -		if (!bvrf->bg_echo)
 -			bvrf->bg_echo = bp_echo_socket(vrf);
 -		if (!bvrf->bg_echov6)
 -			bvrf->bg_echov6 = bp_echov6_socket(vrf);
 -
 -		if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_shop, &bvrf->bg_ev[0]);
 -		if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_mhop, &bvrf->bg_ev[1]);
 -		if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_shop6, &bvrf->bg_ev[2]);
 -		if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_mhop6, &bvrf->bg_ev[3]);
 -		if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_echo, &bvrf->bg_ev[4]);
 -		if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
 -			thread_add_read(master, bfd_recv_cb, bvrf,
 -					bvrf->bg_echov6, &bvrf->bg_ev[5]);
 -	}
 +	if (!bvrf->bg_shop)
 +		bvrf->bg_shop = bp_udp_shop(vrf);
 +	if (!bvrf->bg_mhop)
 +		bvrf->bg_mhop = bp_udp_mhop(vrf);
 +	if (!bvrf->bg_shop6)
 +		bvrf->bg_shop6 = bp_udp6_shop(vrf);
 +	if (!bvrf->bg_mhop6)
 +		bvrf->bg_mhop6 = bp_udp6_mhop(vrf);
 +	if (!bvrf->bg_echo)
 +		bvrf->bg_echo = bp_echo_socket(vrf);
 +	if (!bvrf->bg_echov6)
 +		bvrf->bg_echov6 = bp_echov6_socket(vrf);
 +
 +	if (!bvrf->bg_ev[0] && bvrf->bg_shop != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop,
 +				&bvrf->bg_ev[0]);
 +	if (!bvrf->bg_ev[1] && bvrf->bg_mhop != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop,
 +				&bvrf->bg_ev[1]);
 +	if (!bvrf->bg_ev[2] && bvrf->bg_shop6 != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_shop6,
 +				&bvrf->bg_ev[2]);
 +	if (!bvrf->bg_ev[3] && bvrf->bg_mhop6 != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_mhop6,
 +				&bvrf->bg_ev[3]);
 +	if (!bvrf->bg_ev[4] && bvrf->bg_echo != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echo,
 +				&bvrf->bg_ev[4]);
 +	if (!bvrf->bg_ev[5] && bvrf->bg_echov6 != -1)
 +		thread_add_read(master, bfd_recv_cb, bvrf, bvrf->bg_echov6,
 +				&bvrf->bg_ev[5]);
 +
 	if (vrf->vrf_id != VRF_DEFAULT) {
 		bfdd_zclient_register(vrf->vrf_id);
 		bfdd_sessions_enable_vrf(vrf);
 diff --git a/bfdd/bfd_packet.c b/bfdd/bfd_packet.c
 index d34d6427628..054a9bfbf21 100644
 --- a/bfdd/bfd_packet.c
 +++ b/bfdd/bfd_packet.c
@@ -876,6 +876,14 @@ void bfd_recv_cb(struct thread *t)
 			 "no session found");
 		return;
 	}
 +	/*
 +	 * We may have a situation where received packet is on wrong vrf
 +	 */
 +	if (bfd && bfd->vrf && bfd->vrf != bvrf->vrf) {
 +		cp_debug(is_mhop, &peer, &local, ifindex, vrfid,
 +			 "wrong vrfid.");
 +		return;
 +	}
 	/* Ensure that existing good sessions are not overridden. */
 	if (!cp->discrs.remote_discr && bfd->ses_state != PTM_BFD_DOWN &&
@@ -1208,10 +1216,41 @@ int bp_set_tos(int sd, uint8_t value)
 	return 0;
 }
 +static bool bp_set_reuse_addr(int sd)
 +{
 +	int one = 1;
 +
 +	if (setsockopt(sd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) == -1) {
 +		zlog_warn("set-reuse-addr: setsockopt(SO_REUSEADDR, %d): %s",
 +			  one, strerror(errno));
 +		return false;
 +	}
 +	return true;
 +}
 +
 +static bool bp_set_reuse_port(int sd)
 +{
 +	int one = 1;
 +
 +	if (setsockopt(sd, SOL_SOCKET, SO_REUSEPORT, &one, sizeof(one)) == -1) {
 +		zlog_warn("set-reuse-port: setsockopt(SO_REUSEPORT, %d): %s",
 +			  one, strerror(errno));
 +		return false;
 +	}
 +	return true;
 +}
 +
 +
 static void bp_set_ipopts(int sd)
 {
 	int rcvttl = BFD_RCV_TTL_VAL;
 +	if (!bp_set_reuse_addr(sd))
 +		zlog_fatal("set-reuse-addr: failed");
 +
 +	if (!bp_set_reuse_port(sd))
 +		zlog_fatal("set-reuse-port: failed");
 +
 	if (bp_set_ttl(sd, BFD_TTL_VAL) != 0)
 		zlog_fatal("set-ipopts: TTL configuration failed");
@@ -1453,6 +1492,12 @@ static void bp_set_ipv6opts(int sd)
 	int ipv6_pktinfo = BFD_IPV6_PKT_INFO_VAL;
 	int ipv6_only = BFD_IPV6_ONLY_VAL;
 +	if (!bp_set_reuse_addr(sd))
 +		zlog_fatal("set-reuse-addr: failed");
 +
 +	if (!bp_set_reuse_port(sd))
 +		zlog_fatal("set-reuse-port: failed");
 +
 	if (bp_set_ttlv6(sd, BFD_TTL_VAL) == -1)
 		zlog_fatal(
 			"set-ipv6opts: setsockopt(IPV6_UNICAST_HOPS, %d): %s",
--- a/SOURCES/frr.if
+++ b/SOURCES/frr.if
@ -0,0 +1,214 @@
 ## <summary>policy for frr</summary>
 ########################################
 ## <summary>
 ##	Execute frr_exec_t in the frr domain.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`frr_domtrans',`
 	gen_require(`
 		type frr_t, frr_exec_t;
 	')
 	corecmd_search_bin($1)
 	domtrans_pattern($1, frr_exec_t, frr_t)
 ')
 ######################################
 ## <summary>
 ##	Execute frr in the caller domain.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`frr_exec',`
 	gen_require(`
 		type frr_exec_t;
 	')
 	corecmd_search_bin($1)
 	can_exec($1, frr_exec_t)
 ')
 ########################################
 ## <summary>
 ##	Read frr's log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`frr_read_log',`
 	gen_require(`
 		type frr_log_t;
 	')
 	read_files_pattern($1, frr_log_t, frr_log_t)
 	optional_policy(`
 		logging_search_logs($1)
 	')
 ')
 ########################################
 ## <summary>
 ##	Append to frr log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`frr_append_log',`
 	gen_require(`
 		type frr_log_t;
 	')
 	append_files_pattern($1, frr_log_t, frr_log_t)
 	optional_policy(`
 		logging_search_logs($1)
 	')
 ')
 ########################################
 ## <summary>
 ##	Manage frr log files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`frr_manage_log',`
 	gen_require(`
 		type frr_log_t;
 	')
 	manage_dirs_pattern($1, frr_log_t, frr_log_t)
 	manage_files_pattern($1, frr_log_t, frr_log_t)
 	manage_lnk_files_pattern($1, frr_log_t, frr_log_t)
 	optional_policy(`
 		logging_search_logs($1)
 	')
 ')
 ########################################
 ## <summary>
 ##	Read frr PID files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`frr_read_pid_files',`
 	gen_require(`
 		type frr_var_run_t;
 	')
 	files_search_pids($1)
 	read_files_pattern($1, frr_var_run_t, frr_var_run_t)
 ')
 ########################################
 ## <summary>
 ##	All of the rules required to administrate
 ##	an frr environment
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`frr_admin',`
 	gen_require(`
 		type frr_t;
 		type frr_log_t;
 		type frr_var_run_t;
 	')
 	allow $1 frr_t:process { signal_perms };
 	ps_process_pattern($1, frr_t)
 	tunable_policy(`deny_ptrace',`',`
 		allow $1 frr_t:process ptrace;
 	')
 	admin_pattern($1, frr_log_t)
 	files_search_pids($1)
 	admin_pattern($1, frr_var_run_t)
 	optional_policy(`
 		logging_search_logs($1)
 	')
 	optional_policy(`
 		systemd_passwd_agent_exec($1)
 		systemd_read_fifo_file_passwd_run($1)
 	')
 ')
 ########################################
 #
 # Interface compatibility blocks
 #
 # The following definitions ensure compatibility with distribution policy
 # versions that do not contain given interfaces (epel, or older Fedora
 # releases).
 # Each block tests for existence of given interface and defines it if needed.
 #
 ######################################
 ## <summary>
 ##	Watch ifconfig_var_run_t directories
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 ifndef(`sysnet_watch_ifconfig_run',`
 	interface(`sysnet_watch_ifconfig_run',`
 		gen_require(`
 			type ifconfig_var_run_t;
 		')
 		watch_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
 	')
 ')
 ########################################
 ## <summary>
 ##	Read ifconfig_var_run_t files and link files
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##      Domain allowed access.
 ##	</summary>
 ## </param>
 #
 ifndef(`sysnet_read_ifconfig_run',`
 	interface(`sysnet_read_ifconfig_run',`
 		gen_require(`
 			type ifconfig_var_run_t;
 		')
 		list_dirs_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
 		read_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
 		read_lnk_files_pattern($1, ifconfig_var_run_t, ifconfig_var_run_t)
 	')
 ')
--- a/SOURCES/frr.te
+++ b/SOURCES/frr.te
@ -31,9 +31,9 @@ files_pid_file(frr_var_run_t)
 #
 # frr local policy
 #
-allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin };
+allow frr_t self:capability { chown dac_override dac_read_search kill net_bind_service net_raw setgid setuid net_admin sys_admin };
 allow frr_t self:netlink_route_socket rw_netlink_socket_perms;
-allow frr_t self:packet_socket create;
+allow frr_t self:packet_socket create_socket_perms;
 allow frr_t self:process { setcap setpgid };
 allow frr_t self:rawip_socket create_socket_perms;
 allow frr_t self:tcp_socket { connect connected_stream_socket_perms };
@ -95,6 +95,10 @@ domain_use_interactive_fds(frr_t)
 fs_read_nsfs_files(frr_t)
 sysnet_exec_ifconfig(frr_t)
 sysnet_read_ifconfig_run(frr_t)
 sysnet_watch_ifconfig_run(frr_t)
 ipsec_domtrans_mgmt(frr_t)
 userdom_read_admin_home_files(frr_t)
--- a/SPECS/frr.spec
+++ b/SPECS/frr.spec
@ -7,7 +7,7 @@
 Name: frr
 Version: 8.3.1
-Release: 5%{?checkout}%{?dist}
+Release: 10%{?checkout}%{?dist}
 Summary: Routing daemon
 License: GPLv2+
 URL: http://www.frrouting.org
@ -71,6 +71,10 @@ Patch0005: 0005-ospf-api.patch
 Patch0006: 0006-graceful-restart.patch
 Patch0007: 0007-cve-2022-37032.patch
 Patch0008: 0008-frr-non-root-user.patch
 Patch0009: 0009-CVE-2022-36440-40302.patch
 Patch0010: 0010-CVE-2022-43681.patch
 Patch0011: 0011-CVE-2022-40318.patch
 Patch0012: 0012-bfd-not-working-in-vrf.patch
 %description
 FRRouting is free software that manages TCP/IP based routing protocols. It takes
@ -276,6 +280,24 @@ make check PYTHON=%{__python3}
 %endif
 %changelog
 * Thu Aug 10 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-10
 - Related: #2216912 - adding sys_admin to capabilities
 * Tue Aug 08 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-9
 - Resolves: #2215346 - frr policy does not allow the execution of /usr/sbin/ipsec
 * Mon Aug 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-8
 - Resolves: #2216912 - SELinux is preventing FRR-Zebra to access to network namespaces
 * Wed Jun 07 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-7
 - Resolves: #2168855 - BFD not working through VRF
 * Tue May 23 2023 Michal Ruprich <mruprich@redhat.com> - 8.3.1-6
 - Resolves: #2184870 - Reachable assertion in peek_for_as4_capability function
 - Resolves: #2196795 - denial of service by crafting a BGP OPEN message with an option of type 0xff
 - Resolves: #2196796 - denial of service by crafting a BGP OPEN message with an option of type 0xff
 - Resolves: #2196794 - out-of-bounds read exists in the BGP daemon of FRRouting
 * Mon Nov 28 2022 Michal Ruprich <mruprich@redhat.com> - 8.3.1-5
 - Resolves: #2147522 - It is not possible to run FRR as a non-root user
`@ -1,2 +1 @@`
	`467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz`	`467835eb73a6018948fd667663ce68282cf6d16b SOURCES/frr-8.3.1.tar.gz`
	`e25979fad0e873cd0196e528cae570ba18c11a8f SOURCES/frr.if`
`@ -1,2 +1 @@`
	`SOURCES/frr-8.3.1.tar.gz`	`SOURCES/frr-8.3.1.tar.gz`
	`SOURCES/frr.if`