From: "Bjoern A. Zeeb" Date: Sun, 18 Oct 2020 21:34:04 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r366817 - head/sys/net80211 X-SVN-Group: head X-SVN-Commit-Author: bz X-SVN-Commit-Paths: head/sys/net80211 X-SVN-Commit-Revision: 366817 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-all@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: "SVN commit messages for the entire src tree \(except for " user" and " projects" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 18 Oct 2020 21:34:05 -0000 Author: bz Date: Sun Oct 18 21:34:04 2020 New Revision: 366817 URL: https://svnweb.freebsd.org/changeset/base/366817 Log: net80211: factor out the priv(9) checks into OS specific code. Factor out the priv(9) checks into OS specific code so other OSes can equally implement them. This sorts out those XXX in the net80211 code. We provide 3 arguments (cmd, vap, ifp) where available to the functions, in order to allow other OSes to use that data but also in case we'd add auditing to these checks to have the information available. For now the arguments are marked __unused. PR: 249403 Reported by: martin(NetBSD) Reviewed by: adrian, martin(NetBSD) MFC after: 10 days Sponsored by: Rubicon Communications, LLC (d/b/a "Netgate") Differential Revision: https://reviews.freebsd.org/D26541 Modified: head/sys/net80211/ieee80211_freebsd.c head/sys/net80211/ieee80211_freebsd.h head/sys/net80211/ieee80211_ioctl.c Modified: head/sys/net80211/ieee80211_freebsd.c ============================================================================== --- head/sys/net80211/ieee80211_freebsd.c Sun Oct 18 20:54:15 2020 (r366816) +++ head/sys/net80211/ieee80211_freebsd.c Sun Oct 18 21:34:04 2020 (r366817) 
@@ -75,6 +75,42 @@ SYSCTL_INT(_net_wlan, OID_AUTO, debug, CTLFLAG_RW, &ie
 static const char wlanname[] = "wlan";
 static struct if_clone *wlan_cloner;
+/*
+ * priv(9) NET80211 checks.
+ * Return 0 if operation is allowed, E* (usually EPERM) otherwise.
+ */
+int
+ieee80211_priv_check_vap_getkey(u_long cmd __unused,
+ struct ieee80211vap *vap __unused, struct ifnet *ifp __unused)
+{
+
+ return (priv_check(curthread, PRIV_NET80211_VAP_GETKEY));
+}
+
+int
+ieee80211_priv_check_vap_manage(u_long cmd __unused,
+ struct ieee80211vap *vap __unused, struct ifnet *ifp __unused)
+{
+
+ return (priv_check(curthread, PRIV_NET80211_VAP_MANAGE));
+}
+
+int
+ieee80211_priv_check_vap_setmac(u_long cmd __unused,
+ struct ieee80211vap *vap __unused, struct ifnet *ifp __unused)
+{
+
+ return (priv_check(curthread, PRIV_NET80211_VAP_SETMAC));
+}
+
+int
+ieee80211_priv_check_create_vap(u_long cmd __unused,
+ struct ieee80211vap *vap __unused, struct ifnet *ifp __unused)
+{
+
+ return (priv_check(curthread, PRIV_NET80211_CREATE_VAP));
+}
+
 static int
 wlan_clone_create(struct if_clone *ifc, int unit, caddr_t params)
 {
@@ -83,7 +119,7 @@ wlan_clone_create(struct if_clone *ifc, int unit, cadd
 struct ieee80211com *ic;
 int error;
- error = priv_check(curthread, PRIV_NET80211_CREATE_VAP);
+ error = ieee80211_priv_check_create_vap(0, NULL, NULL);
 if (error)
 return error;
Modified: head/sys/net80211/ieee80211_freebsd.h
==============================================================================
--- head/sys/net80211/ieee80211_freebsd.h Sun Oct 18 20:54:15 2020 (r366816)
+++ head/sys/net80211/ieee80211_freebsd.h Sun Oct 18 21:34:04 2020 (r366817)
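Review bot: The comment block above ieee80211_priv_check_vap_getkey() does not say that the three arguments may be absent, yet the second hunk's wlan_clone_create() already calls ieee80211_priv_check_create_vap(0, NULL, NULL) and the ieee80211_ioctl.c callers pass NULL for ifp. Since the log says these values exist so other OSes and a future audit hook can use them, the contract should state this before any implementation dereferences them; I would add to the comment: ` * cmd may be 0 and vap/ifp may be NULL where the caller has no such` / ` * object yet (e.g. VAP creation); implementations must tolerate that.` The FreeBSD bodies are safe today only because all three parameters are __unused. wlan_clone_create() continues past the end of the second hunk.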
@@ -43,6 +43,19 @@
 #include
 /*
+ * priv(9) NET80211 checks.
+ */
+struct ieee80211vap;
+int ieee80211_priv_check_vap_getkey(u_long, struct ieee80211vap *,
+ struct ifnet *);
+int ieee80211_priv_check_vap_manage(u_long, struct ieee80211vap *,
+ struct ifnet *);
+int ieee80211_priv_check_vap_setmac(u_long, struct ieee80211vap *,
+ struct ifnet *);
+int ieee80211_priv_check_create_vap(u_long, struct ieee80211vap *,
+ struct ifnet *);
+
+/*
+ * Common state locking definitions.
+ */
 typedef struct {
Modified: head/sys/net80211/ieee80211_ioctl.c
==============================================================================
--- head/sys/net80211/ieee80211_ioctl.c Sun Oct 18 20:54:15 2020 (r366816)
+++ head/sys/net80211/ieee80211_ioctl.c Sun Oct 18 21:34:04 2020 (r366817)
@@ -40,7 +40,6 @@ __FBSDID("$FreeBSD$");
 #include
 #include
 #include
-#include
 #include
 #include
 #include
@@ -72,7 +71,8 @@ static int ieee80211_scanreq(struct ieee80211vap *,
 struct ieee80211_scan_req *);
 static int
-ieee80211_ioctl_getkey(struct ieee80211vap *vap, struct ieee80211req *ireq)
+ieee80211_ioctl_getkey(u_long cmd, struct ieee80211vap *vap,
+ struct ieee80211req *ireq)
 {
 struct ieee80211com *ic = vap->iv_ic;
 struct ieee80211_node *ni;
@@ -106,8 +106,7 @@ ieee80211_ioctl_getkey(struct ieee80211vap *vap, struc
 ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV);
 if (wk->wk_keyix == vap->iv_def_txkey)
 ik.ik_flags |= IEEE80211_KEY_DEFAULT;
- /* XXX TODO: move priv check to ieee80211_freebsd.c */
- if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) {
+ if (ieee80211_priv_check_vap_getkey(cmd, vap, NULL) == 0) {
 /* NB: only root can read key data */
 ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID];
 ik.ik_keytsc = wk->wk_keytsc;
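Review bot: The header comment for the four new prototypes in ieee80211_freebsd.h says only `priv(9) NET80211 checks.`, so a porter reading the declaration sees neither the return convention nor which operation each check gates; both live only in the .c comment and at the ieee80211_ioctl.c call sites. I would extend the header comment with the return contract, ` * Return 0 if the operation is allowed, an errno (usually EPERM) otherwise.`, and a short map of what each check guards as visible in this commit: vap_getkey guards reading key material (IEEE80211_IOC_WPAKEY and the WEP key read), vap_manage guards SIOCS80211, vap_setmac guards SIOCSIFLLADDR, and create_vap guards wlan_clone_create(). The hunk forward-declares struct ieee80211vap but not struct ifnet; presumably that is already declared by an earlier include in this header, which the hunk does not show.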
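Review bot: In the @@ -106 hunk ieee80211_ioctl_getkey() passes NULL as the ifp argument although the VAP is in hand, while the ieee80211_ioctl() call sites later in this commit pass ifp for SIOCS80211 and SIOCSIFLLADDR, so an audit hook or a port keying on the interface would get less context on the key-read path than on the set paths. The same applies to the @@ -822 hunk in ieee80211_ioctl_get80211(). If the VAP's own interface is what the parameter is meant to carry, `if (ieee80211_priv_check_vap_getkey(cmd, vap, vap->iv_ifp) == 0) {` makes all call sites consistent; otherwise a one-line comment at the call site explaining why ifp is deliberately NULL would help. ieee80211_ioctl_getkey() begins and ends outside this hunk.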
@@ -822,8 +821,7 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l
 return EINVAL;
 len = (u_int) vap->iv_nw_keys[kid].wk_keylen;
 /* NB: only root can read WEP keys */
- /* XXX TODO: move priv check to ieee80211_freebsd.c */
- if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) {
+ if (ieee80211_priv_check_vap_getkey(cmd, vap, NULL) == 0) {
 bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len);
 } else {
 bzero(tmpkey, len);
@@ -916,7 +914,7 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l
 ireq->i_val = (vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0;
 break;
 case IEEE80211_IOC_WPAKEY:
- error = ieee80211_ioctl_getkey(vap, ireq);
+ error = ieee80211_ioctl_getkey(cmd, vap, ireq);
 break;
 case IEEE80211_IOC_CHANINFO:
 error = ieee80211_ioctl_getchaninfo(vap, ireq);
@@ -3630,8 +3628,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t
 (struct ieee80211req *) data);
 break;
 case SIOCS80211:
- /* XXX TODO: move priv check to ieee80211_freebsd.c */
- error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE);
+ error = ieee80211_priv_check_vap_manage(cmd, vap, ifp);
 if (error == 0)
 error = ieee80211_ioctl_set80211(vap, cmd,
 (struct ieee80211req *) data);
@@ -3677,8 +3674,7 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t
 }
 break;
 case SIOCSIFLLADDR:
- /* XXX TODO: move priv check to ieee80211_freebsd.c */
- error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC);
+ error = ieee80211_priv_check_vap_setmac(cmd, vap, ifp);
 if (error == 0)
 break;
 /* Fallthrough */