Source-Changes-HG archive


[src/trunk]: src/sys wg(4): Allow non-root to retrieve information other than...



details:   https://anonhg.NetBSD.org/src/rev/62ba014fe573
branches:  trunk
changeset: 372927:62ba014fe573
user:      jakllsch <jakllsch%NetBSD.org@localhost>
date:      Thu Jan 05 18:29:45 2023 +0000

description:
wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.

Add kauth(9) enums for wg(4) and use them in the suser secmodel.

Refines fix for PR 57161.

diffstat:

 sys/net/if_wg.c                     |  38 ++++++++++++++++++++----------------
 sys/secmodel/suser/secmodel_suser.c |  18 +++++++++++++++-
 sys/sys/kauth.h                     |   7 ++++-
 3 files changed, 42 insertions(+), 21 deletions(-)

diffs (147 lines):

diff -r 45521e6107f4 -r 62ba014fe573 sys/net/if_wg.c
--- a/sys/net/if_wg.c   Thu Jan 05 18:27:48 2023 +0000
+++ b/sys/net/if_wg.c   Thu Jan 05 18:29:45 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $      */
+/*     $NetBSD: if_wg.c,v 1.73 2023/01/05 18:29:46 jakllsch Exp $      */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.73 2023/01/05 18:29:46 jakllsch Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -4463,9 +4463,14 @@
        if (prop_dict == NULL)
                goto error;
 
-       if (!prop_dictionary_set_data(prop_dict, "private_key", wg->wg_privkey,
-               WG_STATIC_KEY_LEN))
-               goto error;
+       if (kauth_authorize_network(kauth_cred_get(),
+           KAUTH_NETWORK_INTERFACE_WG,
+           KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV, &wg->wg_if,
+           (void *)SIOCGDRVSPEC, NULL) == 0) {
+               if (!prop_dictionary_set_data(prop_dict, "private_key",
+                       wg->wg_privkey, WG_STATIC_KEY_LEN))
+                       goto error;
+       }
 
        if (wg->wg_listen_port != 0) {
                if (!prop_dictionary_set_uint16(prop_dict, "listen_port",
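Review bot: The WG_GETPRIV authorization is evaluated here for the private key and again inside the peer loop for every peer with a non-zero PSK, so a single SIOCGDRVSPEC can cost one kauth round-trip per peer even though the credential and interface cannot change during wg_ioctl_get(). Deciding once at the top and reusing the result is cheaper and keeps the two call sites from drifting apart if the action or its arguments ever change. The `(void *)SIOCGDRVSPEC` argument is now hard-coded instead of passed through from the ioctl switch; that is only correct while wg_ioctl_get() is reached solely from that case, which deserves a one-line comment. wg_ioctl_get() begins and ends outside this hunk.
```c
	/* Key material is exported only to callers allowed WG_GETPRIV. */
	const bool privileged = kauth_authorize_network(kauth_cred_get(),
	    KAUTH_NETWORK_INTERFACE_WG, KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
	    &wg->wg_if, (void *)SIOCGDRVSPEC, NULL) == 0;
	if (privileged) {
		if (!prop_dictionary_set_data(prop_dict, "private_key",
			wg->wg_privkey, WG_STATIC_KEY_LEN))
			goto error;
	}
	/* … unchanged: listen_port and the rest of the dictionary … */
```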
@@ -4507,10 +4512,15 @@
                uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0};
                if (!consttime_memequal(wgp->wgp_psk, psk_zero,
                        sizeof(wgp->wgp_psk))) {
-                       if (!prop_dictionary_set_data(prop_peer,
-                               "preshared_key",
-                               wgp->wgp_psk, sizeof(wgp->wgp_psk)))
-                               goto next;
+                       if (kauth_authorize_network(kauth_cred_get(),
+                           KAUTH_NETWORK_INTERFACE_WG,
+                           KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV, &wg->wg_if,
+                           (void *)SIOCGDRVSPEC, NULL) == 0) {
+                               if (!prop_dictionary_set_data(prop_peer,
+                                       "preshared_key",
+                                       wgp->wgp_psk, sizeof(wgp->wgp_psk)))
+                                       goto next;
+                       }
                }
 
                wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref);
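Review bot: The nesting here has a useful property that is not written down: an unprivileged caller gets no "preshared_key" entry whether or not a PSK is configured, because the key is omitted both when the PSK is all-zero and when WG_GETPRIV is denied, so the reply does not reveal whether a peer uses a PSK at all. That is the right outcome and a later refactor should not accidentally move the zero-check outside the authorization, e.g. by emitting an empty entry. I would add `/* Unprivileged callers see neither the PSK nor whether one is set. */` above the consttime_memequal() test. The peer loop and the `next` label lie outside this hunk.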
@@ -4650,8 +4660,8 @@
                return error;
        case SIOCSDRVSPEC:
                if (kauth_authorize_network(kauth_cred_get(),
-                   KAUTH_NETWORK_INTERFACE,
-                   KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, &wg->wg_if,
+                   KAUTH_NETWORK_INTERFACE_WG,
+                   KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV, &wg->wg_if,
                    (void *)cmd, NULL) != 0) {
                        return EPERM;
                }
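Review bot: Switching the action from KAUTH_NETWORK_INTERFACE/SETPRIV to the new KAUTH_NETWORK_INTERFACE_WG/WG_SETPRIV changes which kauth listeners see this request: any secmodel or third-party listener that previously granted interface SETPRIV for wg(4) now sees an action it does not know and defers, so only the suser rule added in this commit grants it. That is presumably intended, but it is a behavioral change for non-default secmodels and should be called out in the commit message or a comment such as `/* wg(4)-specific action; generic INTERFACE_SETPRIV grants no longer apply. */`. The handler still collapses every non-zero kauth result into EPERM, which predates this change. The ioctl switch continues outside this hunk.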
@@ -4674,12 +4684,6 @@
                }
                return error;
        case SIOCGDRVSPEC:
-               if (kauth_authorize_network(kauth_cred_get(),
-                   KAUTH_NETWORK_INTERFACE,
-                   KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, &wg->wg_if,
-                   (void *)cmd, NULL) != 0) {
-                       return EPERM;
-               }
                return wg_ioctl_get(wg, ifd);
        case SIOCSIFFLAGS:
                if ((error = ifioctl_common(ifp, cmd, data)) != 0)
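Review bot: With the authorization removed from the SIOCGDRVSPEC case, nothing at this level says why an unprivileged caller may proceed, and a reader will reasonably suspect a missing check; the filtering now lives in wg_ioctl_get(), which withholds the private key and peer PSKs but exports everything else. I would add `/* No privilege check: wg_ioctl_get() withholds key material itself. */` above the `return wg_ioctl_get(wg, ifd);` line so the dependency is explicit. It is also worth stating in the commit message that listen port, peer public keys, endpoints and allowed IPs are now world-readable on the host, since that is the policy this change establishes. The enclosing ioctl switch begins and ends outside this hunk.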
diff -r 45521e6107f4 -r 62ba014fe573 sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c       Thu Jan 05 18:27:48 2023 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c       Thu Jan 05 18:29:45 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.56 2023/01/05 17:36:53 jakllsch Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.57 2023/01/05 18:29:45 jakllsch Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.56 2023/01/05 17:36:53 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.57 2023/01/05 18:29:45 jakllsch Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -759,6 +759,20 @@
 
                break;
 
+       case KAUTH_NETWORK_INTERFACE_WG:
+               switch (req) {
+               case KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV:
+               case KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV:
+                       if (isroot)
+                               result = KAUTH_RESULT_ALLOW;
+                       break;
+
+               default:
+                       break;
+               }
+
+               break;
+
        case KAUTH_NETWORK_SOCKET:
                switch (req) {
                case KAUTH_REQ_NETWORK_SOCKET_DROP:
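Review bot: The new case grants both WG_GETPRIV and WG_SETPRIV to root only, but the reason non-root can read the rest of the wg(4) state is not visible here: the driver simply never asks kauth for the non-key fields, so this secmodel rule is only consulted for key material and configuration changes. A short comment keeps a future maintainer from "fixing" it by adding a GETPRIV grant for non-root, e.g. `/* GETPRIV covers the static private key and peer PSKs only; other wg(4) state is exported without a kauth query. */`. This hunk also shows that only the suser secmodel learns the new action; if other secmodels in the tree mirror KAUTH_NETWORK_INTERFACE rules, they may need the same case (not visible in this diff). The surrounding switch begins and ends outside the hunk.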
diff -r 45521e6107f4 -r 62ba014fe573 sys/sys/kauth.h
--- a/sys/sys/kauth.h   Thu Jan 05 18:27:48 2023 +0000
+++ b/sys/sys/kauth.h   Thu Jan 05 18:29:45 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.88 2023/01/05 17:36:53 jakllsch Exp $ */
+/* $NetBSD: kauth.h,v 1.89 2023/01/05 18:29:45 jakllsch Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>  
@@ -263,6 +263,7 @@
        KAUTH_NETWORK_INTERFACE_PVC,
        KAUTH_NETWORK_IPV6,
        KAUTH_NETWORK_SMB,
+       KAUTH_NETWORK_INTERFACE_WG,
 };
 
 /*
@@ -311,7 +312,9 @@
        KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
        KAUTH_REQ_NETWORK_SMB_VC_CREATE,
        KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
-       KAUTH_REQ_NETWORK_BIND_ANYADDR
+       KAUTH_REQ_NETWORK_BIND_ANYADDR,
+       KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
+       KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
 };
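Review bot: The two new request values are appended at the end of the enum, after the previously last KAUTH_REQ_NETWORK_BIND_ANYADDR, which preserves the numeric value of every existing request; that ordering constraint is worth a comment at the end of the enum so future additions follow it, e.g. `/* Append new requests here; existing values are part of the kernel ABI. */` (hedged: this assumes the enum values are exposed to modules, which the header's comments outside this hunk would confirm). The diffstat lists only the three source files, so the kauth(9) manual page that documents KAUTH_NETWORK_* actions and requests is not updated for KAUTH_NETWORK_INTERFACE_WG, WG_GETPRIV and WG_SETPRIV; that should accompany this change.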
 
 /*


