From owner-svn-src-all@freebsd.org Thu Nov 5 12:17:51 2020 Return-Path: Delivered-To: svn-src-all@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id D04BB466C51; Thu, 5 Nov 2020 12:17:51 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4CRjG75bSHz4cMS; Thu, 5 Nov 2020 12:17:51 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id B31E313B36; Thu, 5 Nov 2020 12:17:51 +0000 (UTC) (envelope-from bz@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id 0A5CHph0031440; Thu, 5 Nov 2020 12:17:51 GMT (envelope-from bz@FreeBSD.org) Received: (from bz@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id 0A5CHpPI031438; Thu, 5 Nov 2020 12:17:51 GMT (envelope-from bz@FreeBSD.org) Message-Id: <202011051217.0A5CHpPI031438@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: bz set sender to bz@FreeBSD.org using -f From: "Bjoern A. Zeeb" Date: Thu, 5 Nov 2020 12:17:51 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-12@freebsd.org Subject: svn commit: r367378 - stable/12/sys/net80211 X-SVN-Group: stable-12 X-SVN-Commit-Author: bz X-SVN-Commit-Paths: stable/12/sys/net80211 X-SVN-Commit-Revision: 367378 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 05 Nov 2020 12:17:51 -0000 Author: bz Date: Thu Nov 5 12:17:50 2020 New Revision: 367378 URL: https://svnweb.freebsd.org/changeset/base/367378 Log: MFC r366817: net80211: factor out the priv(9) checks into OS specifc code. Factor out the priv(9) checks into OS specifc code so other OSes can equally implement them. This sorts out those XXX in the net80211 code. We provide 3 arguments (cmd, vap, ifp) where available to the functions, in order to allow other OSes to use that data but also in case we'd add auditing to these check to have the information available. For now the arguments are marked __unused. PR: 249403 Modified: stable/12/sys/net80211/ieee80211_freebsd.c stable/12/sys/net80211/ieee80211_freebsd.h stable/12/sys/net80211/ieee80211_ioctl.c Directory Properties: stable/12/ (props changed) Modified: stable/12/sys/net80211/ieee80211_freebsd.c ============================================================================== --- stable/12/sys/net80211/ieee80211_freebsd.c Thu Nov 5 12:16:22 2020 (r367377) +++ stable/12/sys/net80211/ieee80211_freebsd.c Thu Nov 5 12:17:50 2020 (r367378) @@ -72,6 +72,42 @@ SYSCTL_INT(_net_wlan, OID_AUTO, debug, CTLFLAG_RW, &ie static const char wlanname[] = "wlan"; static struct if_clone *wlan_cloner; +/* + * priv(9) NET80211 checks. + * Return 0 if operation is allowed, E* (usually EPERM) otherwise. + */ +int +ieee80211_priv_check_vap_getkey(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_VAP_GETKEY)); +} + +int +ieee80211_priv_check_vap_manage(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_VAP_MANAGE)); +} + +int +ieee80211_priv_check_vap_setmac(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_VAP_SETMAC)); +} + +int +ieee80211_priv_check_create_vap(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_CREATE_VAP)); +} + static int wlan_clone_create(struct if_clone *ifc, int unit, caddr_t params) { @@ -80,7 +116,7 @@ wlan_clone_create(struct if_clone *ifc, int unit, cadd struct ieee80211com *ic; int error; - error = priv_check(curthread, PRIV_NET80211_CREATE_VAP); + error = ieee80211_priv_check_create_vap(0, NULL, NULL); if (error) return error; Modified: stable/12/sys/net80211/ieee80211_freebsd.h ============================================================================== --- stable/12/sys/net80211/ieee80211_freebsd.h Thu Nov 5 12:16:22 2020 (r367377) +++ stable/12/sys/net80211/ieee80211_freebsd.h Thu Nov 5 12:17:50 2020 (r367378) @@ -41,6 +41,19 @@ #include /* + * priv(9) NET80211 checks. + */ +struct ieee80211vap; +int ieee80211_priv_check_vap_getkey(u_long, struct ieee80211vap *, + struct ifnet *); +int ieee80211_priv_check_vap_manage(u_long, struct ieee80211vap *, + struct ifnet *); +int ieee80211_priv_check_vap_setmac(u_long, struct ieee80211vap *, + struct ifnet *); +int ieee80211_priv_check_create_vap(u_long, struct ieee80211vap *, + struct ifnet *); + +/* * Common state locking definitions. */ typedef struct { Modified: stable/12/sys/net80211/ieee80211_ioctl.c ============================================================================== --- stable/12/sys/net80211/ieee80211_ioctl.c Thu Nov 5 12:16:22 2020 (r367377) +++ stable/12/sys/net80211/ieee80211_ioctl.c Thu Nov 5 12:17:50 2020 (r367378) @@ -40,7 +40,6 @@ __FBSDID("$FreeBSD$"); #include #include #include -#include #include #include #include @@ -72,7 +71,8 @@ static int ieee80211_scanreq(struct ieee80211vap *, struct ieee80211_scan_req *); static int -ieee80211_ioctl_getkey(struct ieee80211vap *vap, struct ieee80211req *ireq) +ieee80211_ioctl_getkey(u_long cmd, struct ieee80211vap *vap, + struct ieee80211req *ireq) { struct ieee80211com *ic = vap->iv_ic; struct ieee80211_node *ni; @@ -106,8 +106,7 @@ ieee80211_ioctl_getkey(struct ieee80211vap *vap, struc ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV); if (wk->wk_keyix == vap->iv_def_txkey) ik.ik_flags |= IEEE80211_KEY_DEFAULT; - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { + if (ieee80211_priv_check_vap_getkey(cmd, vap, NULL) == 0) { /* NB: only root can read key data */ ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID]; ik.ik_keytsc = wk->wk_keytsc; @@ -822,8 +821,7 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l return EINVAL; len = (u_int) vap->iv_nw_keys[kid].wk_keylen; /* NB: only root can read WEP keys */ - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { + if (ieee80211_priv_check_vap_getkey(cmd, vap, NULL) == 0) { bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len); } else { bzero(tmpkey, len); @@ -916,7 +914,7 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l ireq->i_val = (vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0; break; case IEEE80211_IOC_WPAKEY: - error = ieee80211_ioctl_getkey(vap, ireq); + error = ieee80211_ioctl_getkey(cmd, vap, ireq); break; case IEEE80211_IOC_CHANINFO: error = ieee80211_ioctl_getchaninfo(vap, ireq); @@ -3628,8 +3626,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t (struct ieee80211req *) data); break; case SIOCS80211: - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE); + error = ieee80211_priv_check_vap_manage(cmd, vap, ifp); if (error == 0) error = ieee80211_ioctl_set80211(vap, cmd, (struct ieee80211req *) data); @@ -3675,8 +3672,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t } break; case SIOCSIFLLADDR: - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC); + error = ieee80211_priv_check_vap_setmac(cmd, vap, ifp); if (error == 0) break; /* Fallthrough */