Author: adrian
Date: Sun Jul 19 15:16:27 2020
New Revision: 363325
URL: https://svnweb.freebsd.org/changeset/base/363325

Log:
  [net80211] Add new privileges; restrict what can be done in a jail.
  
  Split the MANAGE privilege into MANAGE, SETMAC and CREATE_VAP.
  
  + VAP_MANAGE is everything but setting the MAC and creating a VAP.
  + VAP_SETMAC is setting the MAC address of the VAP.
    Typically you wouldn't want the jail to be able to modify this.
  + CREATE_VAP is to create a new VAP. Again, you don't want to be doing
    this in a jail, but this DOES prevent some corner cases, like
    Dynamic WDS (DWDS) AP, from running in a jail/vnet. We can figure
    this bit out later.
  
  This allows me to run wpa_supplicant in a jail after transferring
  a STA VAP into it. I unfortunately can't currently set the wlan
  debugging inside the jail; that would be super useful!
  
  Reviewed by:  bz
  Differential Revision:        https://reviews.freebsd.org/D25630

Modified:
  head/sys/kern/kern_jail.c
  head/sys/net80211/ieee80211_freebsd.c
  head/sys/net80211/ieee80211_ioctl.c

Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c   Sun Jul 19 14:42:13 2020        (r363324)
+++ head/sys/kern/kern_jail.c   Sun Jul 19 15:16:27 2020        (r363325)
@@ -3107,10 +3107,8 @@ prison_priv_check(struct ucred *cred, int priv)
                /*
                 * 802.11-related privileges.
                 */
-       case PRIV_NET80211_GETKEY:
-#ifdef notyet
-       case PRIV_NET80211_MANAGE:              /* XXX-BZ discuss with sam@ */
-#endif
+       case PRIV_NET80211_VAP_GETKEY:
+       case PRIV_NET80211_VAP_MANAGE:
 
 #ifdef notyet
                /*
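Review bot: The two new case labels replace the old `XXX-BZ` marker with nothing, so the file no longer records why `PRIV_NET80211_VAP_MANAGE` is acceptable inside a jail, or that `PRIV_NET80211_VAP_SETMAC` and `PRIV_NET80211_CREATE_VAP` are left out on purpose. A comment above the labels such as `/* VAP_SETMAC and CREATE_VAP are intentionally not granted to jails. */` would keep a later edit from widening the list by accident. The statement these labels fall into lies outside the hunk, so the condition under which they are granted (presumably only for vnet jails) cannot be seen here. That condition is worth confirming, because `PRIV_NET80211_VAP_GETKEY` gates reads of key material.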

Modified: head/sys/net80211/ieee80211_freebsd.c
==============================================================================
--- head/sys/net80211/ieee80211_freebsd.c       Sun Jul 19 14:42:13 2020        
(r363324)
+++ head/sys/net80211/ieee80211_freebsd.c       Sun Jul 19 15:16:27 2020        
(r363325)
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$");
 #include <sys/malloc.h>
 #include <sys/mbuf.h>   
 #include <sys/module.h>
+#include <sys/priv.h>
 #include <sys/proc.h>
 #include <sys/sysctl.h>
 
@@ -81,6 +82,10 @@ wlan_clone_create(struct if_clone *ifc, int unit, cadd
        struct ieee80211vap *vap;
        struct ieee80211com *ic;
        int error;
+
+       error = priv_check(curthread, PRIV_NET80211_CREATE_VAP);
+       if (error)
+               return error;
 
        error = copyin(params, &cp, sizeof(cp));
        if (error)
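Review bot: The new check at the top of wlan_clone_create() has no comment saying what it protects against, and it is the only place in this commit where `PRIV_NET80211_CREATE_VAP` is enforced. Something like `/* Jailed callers are denied VAP creation; see prison_priv_check(). */` above the `priv_check()` call would tie it to the jail policy. Putting the check before `copyin()` is the right order, since a denied caller's parameters are never read. Whether the matching destroy path needs a check of its own cannot be judged from this hunk, because the function body continues past it.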

Modified: head/sys/net80211/ieee80211_ioctl.c
==============================================================================
--- head/sys/net80211/ieee80211_ioctl.c Sun Jul 19 14:42:13 2020        
(r363324)
+++ head/sys/net80211/ieee80211_ioctl.c Sun Jul 19 15:16:27 2020        
(r363325)
@@ -106,7 +106,8 @@ ieee80211_ioctl_getkey(struct ieee80211vap *vap, struc
        ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV);
        if (wk->wk_keyix == vap->iv_def_txkey)
                ik.ik_flags |= IEEE80211_KEY_DEFAULT;
-       if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
+       /* XXX TODO: move priv check to ieee80211_freebsd.c */
+       if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) {
                /* NB: only root can read key data */
                ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID];
                ik.ik_keytsc = wk->wk_keytsc;
@@ -815,7 +816,8 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l
                        return EINVAL;
                len = (u_int) vap->iv_nw_keys[kid].wk_keylen;
                /* NB: only root can read WEP keys */
-               if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
+               /* XXX TODO: move priv check to ieee80211_freebsd.c */
+               if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) {
                        bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len);
                } else {
                        bzero(tmpkey, len);
@@ -3636,7 +3638,8 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t
                                (struct ieee80211req *) data);
                break;
        case SIOCS80211:
-               error = priv_check(curthread, PRIV_NET80211_MANAGE);
+               /* XXX TODO: move priv check to ieee80211_freebsd.c */
+               error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE);
                if (error == 0)
                        error = ieee80211_ioctl_set80211(vap, cmd,
                                        (struct ieee80211req *) data);
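Review bot: `PRIV_NET80211_VAP_MANAGE` is checked once for every `SIOCS80211` request, so with the kern_jail.c change a jail that holds the privilege reaches all of ieee80211_ioctl_set80211(), not a subset of it. That function's body is outside the hunk. If any of its requests change state that belongs to the underlying device rather than to the VAP (an assumption to confirm), they are now reachable from a jail and may affect VAPs that were never transferred into it. A comment stating that scope, e.g. `/* VAP_MANAGE covers every set request; device-wide settings are not split out yet */`, would make the remaining work explicit next to the TODO.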
@@ -3681,6 +3684,12 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t
                        break;
                }
                break;
+       case SIOCSIFLLADDR:
+               /* XXX TODO: move priv check to ieee80211_freebsd.c */
+               error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC);
+               if (error == 0)
+                       break;
+               /* Fallthrough */
        default:
                /*
                 * Pass unknown ioctls first to the driver, and if it
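Review bot: The test after `priv_check()` in the new `SIOCSIFLLADDR` case looks inverted. When the check succeeds the code hits `break` and returns 0 without handling the request, and when it fails control falls through into `default:`, whose visible comment says the ioctl is passed on to the driver. As written, a caller denied `PRIV_NET80211_VAP_SETMAC` still reaches the pass-through path, and the error from the failed check is presumably overwritten there (the rest of the `default:` body is outside the hunk). The intended form is likely `if (error != 0)` followed by `break;`, keeping the `/* Fallthrough */` for the permitted case.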