

[src/netbsd-10]: src/sys Pull up following revision(s) (requested by jakllsch...



details:   https://anonhg.NetBSD.org/src/rev/12541498aead
branches:  netbsd-10
changeset: 373024:12541498aead
user:      martin <martin%NetBSD.org@localhost>
date:      Fri Jan 13 19:14:13 2023 +0000

description:
Pull up following revision(s) (requested by jakllsch in ticket #49):

        sys/secmodel/suser/secmodel_suser.c: revision 1.57
        sys/sys/kauth.h: revision 1.89
        sys/net/if_wg.c: revision 1.72
        sys/net/if_wg.c: revision 1.73
        sys/net/if_wg.c: revision 1.74

Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4).
Addresses PR 57161.

wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.

Add kauth(9) enums for wg(4) and use them in the suser secmodel.

Refines fix for PR 57161.

centralize the kauth ugliness.

diffstat:

 sys/net/if_wg.c                     |  36 +++++++++++++++++++++++++++---------
 sys/secmodel/suser/secmodel_suser.c |  18 ++++++++++++++++--
 sys/sys/kauth.h                     |   7 +++++--
 3 files changed, 48 insertions(+), 13 deletions(-)

diffs (145 lines):

diff -r 596b6fcba4bc -r 12541498aead sys/net/if_wg.c
--- a/sys/net/if_wg.c   Fri Jan 13 19:11:31 2023 +0000
+++ b/sys/net/if_wg.c   Fri Jan 13 19:14:13 2023 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $       */
+/*     $NetBSD: if_wg.c,v 1.71.2.1 2023/01/13 19:14:13 martin Exp $    */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ryota%gmail.com@localhost>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.71.2.1 2023/01/13 19:14:13 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -4449,6 +4449,17 @@
        return error;
 }
 
+static bool
+wg_is_authorized(struct wg_softc *wg, u_long cmd)
+{
+       int au = cmd == SIOCGDRVSPEC ?
+           KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV :
+           KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV;
+       return kauth_authorize_network(kauth_cred_get(),
+           KAUTH_NETWORK_INTERFACE_WG, au, &wg->wg_if,
+           (void *)cmd, NULL) == 0;
+}
+
 static int
 wg_ioctl_get(struct wg_softc *wg, struct ifdrv *ifd)
 {
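Review bot: wg_is_authorized at lines 67-76 has no comment stating the model it implements, and the fact that every cmd other than SIOCGDRVSPEC maps to KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV is a fail-closed default worth recording. Suggest a header comment ahead of the function: `/* Ask kauth(9) whether the current credential may read (SIOCGDRVSPEC) or change (any other cmd) wg(4) secrets; any non-zero kauth result is treated as denial. */`. The ioctl code is handed to kauth as arg2 through the `(void *)cmd` cast, so a listener wanting it must cast back to u_long; a short note at that argument would spare the next reader a lookup. wg_ioctl_get begins at line 79 and continues past the end of this hunk.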
@@ -4463,9 +4474,11 @@
        if (prop_dict == NULL)
                goto error;
 
-       if (!prop_dictionary_set_data(prop_dict, "private_key", wg->wg_privkey,
-               WG_STATIC_KEY_LEN))
-               goto error;
+       if (wg_is_authorized(wg, SIOCGDRVSPEC)) {
+               if (!prop_dictionary_set_data(prop_dict, "private_key",
+                       wg->wg_privkey, WG_STATIC_KEY_LEN))
+                       goto error;
+       }
 
        if (wg->wg_listen_port != 0) {
                if (!prop_dictionary_set_uint16(prop_dict, "listen_port",
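Review bot: wg_ioctl_get consults kauth once for the private key at line 88 and then again for every peer inside the loop at line 104 of the following hunk, although the credential and therefore the answer cannot change within one ioctl. Hoist it into a single local near the top of the function, `bool privileged = wg_is_authorized(wg, SIOCGDRVSPEC);`, and test `privileged` at both sites; besides avoiding repeated kauth calls per peer, this yields one authorization decision per request should a secmodel log or audit denials. Unprivileged callers now receive a dictionary with no `private_key` entry rather than an error, so userland consumers must treat the key as optional; a one-line comment on the added `if` saying the key is deliberately omitted, not zero-filled, would make that contract explicit. wg_ioctl_get starts before this hunk and continues after it.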
@@ -4507,10 +4520,12 @@
                uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0};
                if (!consttime_memequal(wgp->wgp_psk, psk_zero,
                        sizeof(wgp->wgp_psk))) {
-                       if (!prop_dictionary_set_data(prop_peer,
-                               "preshared_key",
-                               wgp->wgp_psk, sizeof(wgp->wgp_psk)))
-                               goto next;
+                       if (wg_is_authorized(wg, SIOCGDRVSPEC)) {
+                               if (!prop_dictionary_set_data(prop_peer,
+                                       "preshared_key",
+                                       wgp->wgp_psk, sizeof(wgp->wgp_psk)))
+                                       goto next;
+                       }
                }
 
                wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref);
@@ -4649,6 +4664,9 @@
                }
                return error;
        case SIOCSDRVSPEC:
+               if (!wg_is_authorized(wg, cmd)) {
+                       return EPERM;
+               }
                switch (ifd->ifd_cmd) {
                case WG_IOCTL_SET_PRIVATE_KEY:
                        error = wg_ioctl_set_private_key(wg, ifd);
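Review bot: The check added at line 117 gates only SIOCSDRVSPEC, leaving SIOCGDRVSPEC to the per-field filtering inside wg_ioctl_get; that split is not visible from this switch and deserves a comment above the new `if`, e.g. `/* SIOCGDRVSPEC is not refused here: wg_ioctl_get() itself omits secrets for unprivileged callers. */`. The kauth error value is discarded and replaced by EPERM, which is consistent with returning a fixed errno from the ioctl path but means a secmodel cannot surface a different one. The enclosing switch in wg_ioctl starts before the hunk, and its SIOCGDRVSPEC case is presumably outside the visible lines.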
diff -r 596b6fcba4bc -r 12541498aead sys/secmodel/suser/secmodel_suser.c
--- a/sys/secmodel/suser/secmodel_suser.c       Fri Jan 13 19:11:31 2023 +0000
+++ b/sys/secmodel/suser/secmodel_suser.c       Fri Jan 13 19:14:13 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.55.20.1 2023/01/13 19:00:20 martin Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.55.20.2 2023/01/13 19:14:13 martin Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <elad%NetBSD.org@localhost>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.55.20.1 2023/01/13 19:00:20 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.55.20.2 2023/01/13 19:14:13 martin Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -759,6 +759,20 @@
 
                break;
 
+       case KAUTH_NETWORK_INTERFACE_WG:
+               switch (req) {
+               case KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV:
+               case KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV:
+                       if (isroot)
+                               result = KAUTH_RESULT_ALLOW;
+                       break;
+
+               default:
+                       break;
+               }
+
+               break;
+
        case KAUTH_NETWORK_SOCKET:
                switch (req) {
                case KAUTH_REQ_NETWORK_SOCKET_DROP:
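Review bot: The new KAUTH_NETWORK_INTERFACE_WG case at lines 145-157 grants KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV and KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV identically to root, so within this secmodel the two requests are indistinguishable; a one-line comment such as `/* GETPRIV and SETPRIV are kept separate so another secmodel can grant read-only access to wg(4) secrets. */` would record why both exist. Any other request reaches `default: break;` and leaves `result` untouched, so the outcome is whatever the function initialised it to before this hunk (presumably KAUTH_RESULT_DEFER, not visible here). The enclosing function begins and ends outside this hunk.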
diff -r 596b6fcba4bc -r 12541498aead sys/sys/kauth.h
--- a/sys/sys/kauth.h   Fri Jan 13 19:11:31 2023 +0000
+++ b/sys/sys/kauth.h   Fri Jan 13 19:14:13 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.87.4.1 2023/01/13 19:00:21 martin Exp $ */
+/* $NetBSD: kauth.h,v 1.87.4.2 2023/01/13 19:14:13 martin Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <elad%NetBSD.org@localhost>  
@@ -263,6 +263,7 @@
        KAUTH_NETWORK_INTERFACE_PVC,
        KAUTH_NETWORK_IPV6,
        KAUTH_NETWORK_SMB,
+       KAUTH_NETWORK_INTERFACE_WG,
 };
 
 /*
@@ -311,7 +312,9 @@
        KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
        KAUTH_REQ_NETWORK_SMB_VC_CREATE,
        KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
-       KAUTH_REQ_NETWORK_BIND_ANYADDR
+       KAUTH_REQ_NETWORK_BIND_ANYADDR,
+       KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
+       KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
 };
 
 /*


