svn commit: r363325 - in head/sys: kern net80211
Adrian Chadd
adrian at FreeBSD.org
Sun Jul 19 15:16:28 UTC 2020
Author: adrian
Date: Sun Jul 19 15:16:27 2020
New Revision: 363325
URL: https://svnweb.freebsd.org/changeset/base/363325
Log:
[net80211] Add new privileges; restrict what can be done in a jail.
Split the MANAGE privilege into MANAGE, SETMAC and CREATE_VAP.
+ VAP_MANAGE is everything but setting the MAC and creating a VAP.
+ VAP_SETMAC is setting the MAC address of the VAP.
Typically you wouldn't want the jail to be able to modify this.
+ CREATE_VAP is to create a new VAP. Again, you don't want to be doing
this in a jail, but this DOES stop being able to run some corner
cases like Dynamic WDS (DWDS) AP in a jail/vnet. We can figure this
bit out later.
This allows me to run wpa_supplicant in a jail after transferring
a STA VAP into it. I unfortunately can't currently set the wlan
debugging inside the jail; that would be super useful!
Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D25630
Modified:
head/sys/kern/kern_jail.c
head/sys/net80211/ieee80211_freebsd.c
head/sys/net80211/ieee80211_ioctl.c
Modified: head/sys/kern/kern_jail.c
==============================================================================
--- head/sys/kern/kern_jail.c Sun Jul 19 14:42:13 2020 (r363324)
+++ head/sys/kern/kern_jail.c Sun Jul 19 15:16:27 2020 (r363325)
@@ -3107,10 +3107,8 @@ prison_priv_check(struct ucred *cred, int priv)
/*
* 802.11-related privileges.
*/
- case PRIV_NET80211_GETKEY:
-#ifdef notyet
- case PRIV_NET80211_MANAGE: /* XXX-BZ discuss with sam@ */
-#endif
+ case PRIV_NET80211_VAP_GETKEY:
+ case PRIV_NET80211_VAP_MANAGE:
#ifdef notyet
/*
Modified: head/sys/net80211/ieee80211_freebsd.c
==============================================================================
--- head/sys/net80211/ieee80211_freebsd.c Sun Jul 19 14:42:13 2020 (r363324)
+++ head/sys/net80211/ieee80211_freebsd.c Sun Jul 19 15:16:27 2020 (r363325)
@@ -41,6 +41,7 @@ __FBSDID("$FreeBSD$");
#include <sys/malloc.h>
#include <sys/mbuf.h>
#include <sys/module.h>
+#include <sys/priv.h>
#include <sys/proc.h>
#include <sys/sysctl.h>
@@ -81,6 +82,10 @@ wlan_clone_create(struct if_clone *ifc, int unit, cadd
struct ieee80211vap *vap;
struct ieee80211com *ic;
int error;
+
+ error = priv_check(curthread, PRIV_NET80211_CREATE_VAP);
+ if (error)
+ return error;
error = copyin(params, &cp, sizeof(cp));
if (error)
Modified: head/sys/net80211/ieee80211_ioctl.c
==============================================================================
--- head/sys/net80211/ieee80211_ioctl.c Sun Jul 19 14:42:13 2020 (r363324)
+++ head/sys/net80211/ieee80211_ioctl.c Sun Jul 19 15:16:27 2020 (r363325)
@@ -106,7 +106,8 @@ ieee80211_ioctl_getkey(struct ieee80211vap *vap, struc
ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV);
if (wk->wk_keyix == vap->iv_def_txkey)
ik.ik_flags |= IEEE80211_KEY_DEFAULT;
- if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
+ /* XXX TODO: move priv check to ieee80211_freebsd.c */
+ if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) {
/* NB: only root can read key data */
ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID];
ik.ik_keytsc = wk->wk_keytsc;
@@ -815,7 +816,8 @@ ieee80211_ioctl_get80211(struct ieee80211vap *vap, u_l
return EINVAL;
len = (u_int) vap->iv_nw_keys[kid].wk_keylen;
/* NB: only root can read WEP keys */
- if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) {
+ /* XXX TODO: move priv check to ieee80211_freebsd.c */
+ if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) {
bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len);
} else {
bzero(tmpkey, len);
@@ -3636,7 +3638,8 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t
(struct ieee80211req *) data);
break;
case SIOCS80211:
- error = priv_check(curthread, PRIV_NET80211_MANAGE);
+ /* XXX TODO: move priv check to ieee80211_freebsd.c */
+ error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE);
if (error == 0)
error = ieee80211_ioctl_set80211(vap, cmd,
(struct ieee80211req *) data);
@@ -3681,6 +3684,12 @@ ieee80211_ioctl(struct ifnet *ifp, u_long cmd, caddr_t
break;
}
break;
+ case SIOCSIFLLADDR:
+ /* XXX TODO: move priv check to ieee80211_freebsd.c */
+ error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC);
+ if (error == 0)
+ break;
+ /* Fallthrough */
default:
/*
* Pass unknown ioctls first to the driver, and if it
More information about the svn-src-all
mailing list