Date: Sun, 19 Jul 2020 15:16:27 +0000 (UTC) From: Adrian Chadd <adrian@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r363325 - in head/sys: kern net80211 Message-ID: <202007191516.06JFGRHl057283@repo.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: adrian Date: Sun Jul 19 15:16:27 2020 New Revision: 363325 URL: https://svnweb.freebsd.org/changeset/base/363325 Log: [net80211] Add new privileges; restrict what can be done in a jail. Split the MANAGE privilege into MANAGE, SETMAC and CREATE_VAP. + VAP_MANAGE is everything but setting the MAC and creating a VAP. + VAP_SETMAC is setting the MAC address of the VAP. Typically you wouldn't want the jail to be able to modify this. + CREATE_VAP is to create a new VAP. Again, you don't want to be doing this in a jail, but this DOES stop being able to run some corner cases like Dynamic WDS (DWDS) AP in a jail/vnet. We can figure this bit out later. This allows me to run wpa_supplicant in a jail after transferring a STA VAP into it. I unfortunately can't currently set the wlan debugging inside the jail; that would be super useful! Reviewed by: bz Differential Revision: https://reviews.freebsd.org/D25630 Modified: head/sys/kern/kern_jail.c head/sys/net80211/ieee80211_freebsd.c head/sys/net80211/ieee80211_ioctl.c Modified: head/sys/kern/kern_jail.c ============================================================================== --- head/sys/kern/kern_jail.c Sun Jul 19 14:42:13 2020 (r363324) +++ head/sys/kern/kern_jail.c Sun Jul 19 15:16:27 2020 (r363325) @@ -3107,10 +3107,8 @@ prison_priv_check(struct ucred *cred, int priv) /* * 802.11-related privileges. */ - case PRIV_NET80211_GETKEY: -#ifdef notyet - case PRIV_NET80211_MANAGE: /* XXX-BZ discuss with sam@ */ -#endif + case PRIV_NET80211_VAP_GETKEY: + case PRIV_NET80211_VAP_MANAGE: #ifdef notyet /* Modified: head/sys/net80211/ieee80211_freebsd.c ============================================================================== --- head/sys/net80211/ieee80211_freebsd.c Sun Jul 19 14:42:13 2020 (r363324) +++ head/sys/net80211/ieee80211_freebsd.c Sun Jul 19 15:16:27 2020 (r363325) @@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$"); #include <sys/malloc.h> #include <sys/mbuf.h> #include <sys/module.h> +#include <sys/priv.h> #include <sys/proc.h> #include <sys/sysctl.h> @@ -81,6 +82,10 @@ wlan_clone_create(struct if_clone *ifc, int unit, cadd struct ieee80211vap *vap; struct ieee80211com *ic; int error; + + error = priv_check(curthread, PRIV_NET80211_CREATE_VAP); + if (error) + return error; error = copyin(params, &cp, sizeof(cp)); if (error) Modified: head/sys/net80211/ieee80211_ioctl.c ============================================================================== --- head/sys/net80211/ieee80211_ioctl.c Sun Jul 19 14:42:13 2020 (r363324) +++ head/sys/net80211/ieee80211_ioctl.c Sun Jul 19 15:16:27 2020 (r363325) @@ -106,7 +106,8 @@ ieee80211_ioctl_getkey(struct ieee80211vap *vap, struc ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV); if (wk->wk_keyix == vap->iv_def_txkey) ik.ik_flags |= IEEE80211_KEY_DEFAULT; - if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) { + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { /* NB: only root can read key data */ ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID]; ik.ik_keytsc = wk->wk_keytsc; @@ -815,7 +816,8 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l return EINVAL; len = (u_int) vap->iv_nw_keys[kid].wk_keylen; /* NB: only root can read WEP keys */ - if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) { + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len); } else { bzero(tmpkey, len); @@ -3636,7 +3638,8 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t (struct ieee80211req *) data); break; case SIOCS80211: - error = priv_check(curthread, PRIV_NET80211_MANAGE); + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE); if (error == 0) error = ieee80211_ioctl_set80211(vap, cmd, (struct ieee80211req *) data); @@ -3681,6 +3684,12 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t break; } break; + case SIOCSIFLLADDR: + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC); + if (error == 0) + break; + /* Fallthrough */ default: /* * Pass unknown ioctls first to the driver, and if it
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202007191516.06JFGRHl057283>