PATCH: IO: Avoid calling SO_BINDTODEVICE if not needed
Christian Svensson
christian at cmd.nu
Sat Jul 27 11:44:52 CEST 2024
Since Linux 5.7 (see linux/c427bfec18f21) non-root users are allowed to
bind a socket using SO_BINDTODEVICE as long as the socket is not already
bound.

When using BGP with VRFs, BIRD correctly binds the listening socket to
the VRF but also re-binds the accept()'d socket to the same VRF.
This is not needed as the interface bind is inherited in this case, and
indeed this redundant bind causes an -EPERM if BIRD is running as non-root,
making BIRD close the connection and reject the peer.

We change the behaviour of the generic sk_setup to first query the socket
and see if the socket is already correctly bound, and call
setsockopt(SO_BINDTODEVICE) iff it is truly needed. In addition,
since getsockopt(SO_BINDTODEVICE) was only implemented in Linux 3.8 and
otherwise might be blocked in existing installations, we quietly fall
back to the previous behaviour if the getsockopt call fails.

Test case:

Run BIRD as a non-root user (and no extra capabilities) using passive
BGP inside a VRF. Before the patch observe the error:

  "<ERR> SOCK: Incoming connection: SO_BINDTODEVICE: Operation not permitted"

  protocol bgp AS1234_1 {
    [..]
    vrf "VrfTest";
    passive on;
  }

After the patch this works as expected.
Patch is attached to this message but if it falls off it can also be found
at:
https://github.com/sonix-network/bird/blob/33a0ac4b5af38d3bf75c78ca62472fff1663945e/patches/0001-IO-Avoid-calling-SO_BINDTODEVICE-if-not-needed.patch
There is also a simple utility to test the behavior of rebinding sockets at:
https://github.com/sonix-network/bird/blob/33a0ac4b5af38d3bf75c78ca62472fff1663945e/patches/0001-IO-Avoid-calling-SO_BINDTODEVICE-if-not-needed.repro.c
Thanks for your consideration,
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-IO-Avoid-calling-SO_BINDTODEVICE-if-not-needed.patch
Type: text/x-patch
Size: 2696 bytes
Desc: not available
URL: <http://trubka.network.cz/pipermail/bird-users/attachments/20240727/f7faf739/attachment.bin>
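The query-then-bind logic described in the message (check with getsockopt(SO_BINDTODEVICE) whether the socket is already bound to the wanted device, skip the setsockopt if so, and fall back to the unconditional setsockopt when the query itself fails), written out as a stand-alone C example. This is an added illustration, not the attached patch and not BIRD's sk_setup; the function names bind_needed, query_bound_device and bind_to_device_if_needed are assumptions of this example, and the SO_BINDTODEVICE calls are only compiled where the platform defines that option.

```c
/* Added example (not BIRD's code): bind a socket to a device only when it is
 * not already bound to it, falling back to a plain setsockopt() when the
 * getsockopt() query is unavailable (pre-3.8 kernel or a blocked syscall). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <net/if.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Pure decision helper: does the socket need a (re)bind?
 * current: device the socket is bound to now ("" if none)
 * wanted:  device requested by the caller (NULL/"" means no request)
 * Returns 1 if setsockopt() should be issued, 0 if it would be redundant. */
int bind_needed(const char *current, const char *wanted)
{
    if (wanted == NULL || wanted[0] == '\0')
        return 0;                       /* nothing requested */
    if (current == NULL)
        current = "";
    return strcmp(current, wanted) != 0;
}

/* Ask the kernel which device fd is bound to. On success returns 0 and buf
 * holds the name ("" when unbound, since the kernel reports length 0 and
 * leaves the buffer untouched). Returns -1 (errno set) when the query is not
 * supported, so the caller can fall back to the unconditional bind. */
int query_bound_device(int fd, char *buf, size_t buflen)
{
    memset(buf, 0, buflen);
#ifdef SO_BINDTODEVICE
    socklen_t len = (socklen_t)buflen; /* must be >= IFNAMSIZ for the kernel */
    if (getsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, buf, &len) < 0)
        return -1;
    buf[buflen - 1] = '\0';
    return 0;
#else
    (void)fd;
    errno = ENOPROTOOPT;
    return -1;
#endif
}

/* Bind fd to ifname unless it already is (e.g. an accept()'d socket that
 * inherited the listener's VRF bind). Returns 0 if the bind was skipped as
 * redundant, 1 if setsockopt() was issued and succeeded, -1 on error. */
int bind_to_device_if_needed(int fd, const char *ifname)
{
    char current[IFNAMSIZ];

    if (ifname == NULL || ifname[0] == '\0')
        return 0;

    /* Only trust the query if it succeeded; otherwise behave as before. */
    if (query_bound_device(fd, current, sizeof current) == 0 &&
        !bind_needed(current, ifname))
        return 0;

#ifdef SO_BINDTODEVICE
    if (setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE,
                   ifname, (socklen_t)(strlen(ifname) + 1)) < 0)
        return -1;                      /* e.g. EPERM when already bound and non-root */
    return 1;
#else
    errno = ENOPROTOOPT;
    return -1;
#endif
}

int main(void)
{
    /* Demonstration: a fresh socket is unbound, so the first call issues the
     * bind; the second call sees the existing bind and skips setsockopt(),
     * which is exactly the EPERM-prone call the message wants to avoid. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) {
        perror("socket");
        return 1;
    }
    int r1 = bind_to_device_if_needed(fd, "lo");
    int r2 = bind_to_device_if_needed(fd, "lo");
    printf("first call: %d (%s)\n", r1, r1 < 0 ? strerror(errno) : "ok");
    printf("second call: %d (expected 0 = skipped when the first succeeded)\n", r2);
    close(fd);
    return 0;
}
```

The decision is kept in bind_needed() so it can be unit-tested without a socket; the only privileged operation, setsockopt(), is reached solely when the query says the bind is missing or when the query itself is unsupported, matching the fallback the message describes.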