Module Name: src Committed By: jakllsch Date: Thu Jan 5 18:29:46 UTC 2023
Modified Files: src/sys/net: if_wg.c src/sys/secmodel/suser: secmodel_suser.c src/sys/sys: kauth.h Log Message: wg(4): Allow non-root to retrieve information other than the private key and the peer preshared key. Add kauth(9) enums for wg(4) and use them in the suser secmodel. Refines fix for PR 57161. To generate a diff of this commit: cvs rdiff -u -r1.72 -r1.73 src/sys/net/if_wg.c cvs rdiff -u -r1.56 -r1.57 src/sys/secmodel/suser/secmodel_suser.c cvs rdiff -u -r1.88 -r1.89 src/sys/sys/kauth.h Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.72 src/sys/net/if_wg.c:1.73
--- src/sys/net/if_wg.c:1.72 Thu Jan 5 02:38:51 2023
+++ src/sys/net/if_wg.c Thu Jan 5 18:29:46 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $ */
+/* $NetBSD: if_wg.c,v 1.73 2023/01/05 18:29:46 jakllsch Exp $ */
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.73 2023/01/05 18:29:46 jakllsch Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -4463,9 +4463,14 @@ wg_ioctl_get(struct wg_softc *wg, struct
 	if (prop_dict == NULL)
 		goto error;
 
-	if (!prop_dictionary_set_data(prop_dict, "private_key", wg->wg_privkey,
-	    WG_STATIC_KEY_LEN))
-		goto error;
+	if (kauth_authorize_network(kauth_cred_get(),
+	    KAUTH_NETWORK_INTERFACE_WG,
+	    KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV, &wg->wg_if,
+	    (void *)SIOCGDRVSPEC, NULL) == 0) {
+		if (!prop_dictionary_set_data(prop_dict, "private_key",
+		    wg->wg_privkey, WG_STATIC_KEY_LEN))
+			goto error;
+	}
 
 	if (wg->wg_listen_port != 0) {
 		if (!prop_dictionary_set_uint16(prop_dict, "listen_port",
@@ -4507,10 +4512,15 @@ wg_ioctl_get(struct wg_softc *wg, struct
 		uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0};
 		if (!consttime_memequal(wgp->wgp_psk, psk_zero,
 			sizeof(wgp->wgp_psk))) {
-			if (!prop_dictionary_set_data(prop_peer,
-			    "preshared_key",
-			    wgp->wgp_psk, sizeof(wgp->wgp_psk)))
-				goto next;
+			if (kauth_authorize_network(kauth_cred_get(),
+			    KAUTH_NETWORK_INTERFACE_WG,
+			    KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV, &wg->wg_if,
+			    (void *)SIOCGDRVSPEC, NULL) == 0) {
+				if (!prop_dictionary_set_data(prop_peer,
+				    "preshared_key",
+				    wgp->wgp_psk, sizeof(wgp->wgp_psk)))
+					goto next;
+			}
 		}
 
 		wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref);
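Review bot: The GETPRIV authorization added in this hunk is repeated verbatim inside the per-peer loop in the -4507 hunk, so kauth_authorize_network() runs once for the private key and again for every peer that has a preshared key, although its answer depends only on the calling credential and the interface, not on the peer. Evaluating it once near the top of wg_ioctl_get and testing a local flag at both sites keeps the two checks from drifting apart and drops the per-peer cost; the flag needs a `bool privileged;` in the function's declaration block, which lies before this hunk. Since the dictionary is now built for unprivileged callers too, a short comment naming which fields are treated as privileged (private_key, preshared_key) would help the next reader; wg_ioctl_get begins before this hunk and continues after the -4507 hunk.
```c
	/* … unchanged: prop_dict allocation and NULL check … */

	/*
	 * Decide once whether the caller may see key material; the answer
	 * depends only on the credential and the interface, not on the peer.
	 */
	privileged = kauth_authorize_network(kauth_cred_get(),
	    KAUTH_NETWORK_INTERFACE_WG,
	    KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV, &wg->wg_if,
	    (void *)SIOCGDRVSPEC, NULL) == 0;
	if (privileged) {
		if (!prop_dictionary_set_data(prop_dict, "private_key",
		    wg->wg_privkey, WG_STATIC_KEY_LEN))
			goto error;
	}
	/* … unchanged: listen_port; in the peer loop the preshared_key
	 * block tests `privileged` instead of calling kauth again … */
```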
@@ -4650,8 +4660,8 @@ wg_ioctl(struct ifnet *ifp, u_long cmd,
 		return error;
 	case SIOCSDRVSPEC:
 		if (kauth_authorize_network(kauth_cred_get(),
-		    KAUTH_NETWORK_INTERFACE,
-		    KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, &wg->wg_if,
+		    KAUTH_NETWORK_INTERFACE_WG,
+		    KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV, &wg->wg_if,
 		    (void *)cmd, NULL) != 0) {
 			return EPERM;
 		}
@@ -4674,12 +4684,6 @@ wg_ioctl(struct ifnet *ifp, u_long cmd,
 		}
 		return error;
 	case SIOCGDRVSPEC:
-		if (kauth_authorize_network(kauth_cred_get(),
-		    KAUTH_NETWORK_INTERFACE,
-		    KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, &wg->wg_if,
-		    (void *)cmd, NULL) != 0) {
-			return EPERM;
-		}
 		return wg_ioctl_get(wg, ifd);
 	case SIOCSIFFLAGS:
 		if ((error = ifioctl_common(ifp, cmd, data)) != 0)
Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.56 src/sys/secmodel/suser/secmodel_suser.c:1.57
--- src/sys/secmodel/suser/secmodel_suser.c:1.56 Thu Jan 5 17:36:53 2023
+++ src/sys/secmodel/suser/secmodel_suser.c Thu Jan 5 18:29:45 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.56 2023/01/05 17:36:53 jakllsch Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.57 2023/01/05 18:29:45 jakllsch Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.56 2023/01/05 17:36:53 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.57 2023/01/05 18:29:45 jakllsch Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
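Review bot: Moving SIOCSDRVSPEC from KAUTH_NETWORK_INTERFACE/KAUTH_REQ_NETWORK_INTERFACE_SETPRIV to the new KAUTH_NETWORK_INTERFACE_WG scope changes who may configure the interface, not only how the check is spelled: a secmodel that granted the generic interface SETPRIV request to a non-root credential no longer covers wg(4), and in this commit only secmodel_suser answers the new action, so such callers presumably get EPERM now. If that tightening is intended it belongs in the log message, and a comment at the case would keep a later maintainer from "restoring" the generic scope, e.g. `/* wg(4) has its own kauth scope; a secmodel must opt in explicitly. */`. The wg_ioctl switch starts and ends outside this hunk.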
@@ -759,6 +759,20 @@ secmodel_suser_network_cb(kauth_cred_t c
 
 		break;
 
+	case KAUTH_NETWORK_INTERFACE_WG:
+		switch (req) {
+		case KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV:
+		case KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV:
+			if (isroot)
+				result = KAUTH_RESULT_ALLOW;
+			break;
+
+		default:
+			break;
+		}
+
+		break;
+
 	case KAUTH_NETWORK_SOCKET:
 		switch (req) {
 		case KAUTH_REQ_NETWORK_SOCKET_DROP:
Index: src/sys/sys/kauth.h
diff -u src/sys/sys/kauth.h:1.88 src/sys/sys/kauth.h:1.89
--- src/sys/sys/kauth.h:1.88 Thu Jan 5 17:36:53 2023
+++ src/sys/sys/kauth.h Thu Jan 5 18:29:45 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.88 2023/01/05 17:36:53 jakllsch Exp $ */
+/* $NetBSD: kauth.h,v 1.89 2023/01/05 18:29:45 jakllsch Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <e...@netbsd.org>
@@ -263,6 +263,7 @@ enum {
 	KAUTH_NETWORK_INTERFACE_PVC,
 	KAUTH_NETWORK_IPV6,
 	KAUTH_NETWORK_SMB,
+	KAUTH_NETWORK_INTERFACE_WG,
 };
 
 /*
@@ -311,7 +312,9 @@ enum kauth_network_req {
 	KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
 	KAUTH_REQ_NETWORK_SMB_VC_CREATE,
 	KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
-	KAUTH_REQ_NETWORK_BIND_ANYADDR
+	KAUTH_REQ_NETWORK_BIND_ANYADDR,
+	KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
+	KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
 };
 
 /*
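Review bot: The new action KAUTH_NETWORK_INTERFACE_WG and its two requests are added to enumerations that kauth(9) documents per action, yet no manual page is among the modified files, so the kauth(9) network-scope entry should gain the new action and its GETPRIV/SETPRIV requests, stating what each guards (reading key material, changing configuration) and that arg1 carries the ifnet and arg2 the ioctl command, as the if_wg.c call sites pass them. The action is appended after KAUTH_NETWORK_SMB rather than next to the other KAUTH_NETWORK_INTERFACE_* entries, which is presumably deliberate so existing enumerator values stay stable for secmodels and loadable modules built against the header; a one-line comment at the tail of each enum, e.g. `/* append only: values are relied on by secmodels and loadable modules */`, would record that rule for the next addition. Both enum declarations begin before their hunks.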