Module Name:    src
Committed By:   martin
Date:           Fri Jan 13 19:14:13 UTC 2023

Modified Files:
        src/sys/net [netbsd-10]: if_wg.c
        src/sys/secmodel/suser [netbsd-10]: secmodel_suser.c
        src/sys/sys [netbsd-10]: kauth.h

Log Message:
Pull up following revision(s) (requested by jakllsch in ticket #49):

        sys/secmodel/suser/secmodel_suser.c: revision 1.57
        sys/sys/kauth.h: revision 1.89
        sys/net/if_wg.c: revision 1.72
        sys/net/if_wg.c: revision 1.73
        sys/net/if_wg.c: revision 1.74

Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4).
Addresses PR 57161.

wg(4): Allow non-root to retrieve information other than the private
key and the peer preshared key.

Add kauth(9) enums for wg(4) and use them in the suser secmodel.

Refines fix for PR 57161.

centralize the kauth ugliness.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.71.2.1 src/sys/net/if_wg.c
cvs rdiff -u -r1.55.20.1 -r1.55.20.2 src/sys/secmodel/suser/secmodel_suser.c
cvs rdiff -u -r1.87.4.1 -r1.87.4.2 src/sys/sys/kauth.h

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.71 src/sys/net/if_wg.c:1.71.2.1
--- src/sys/net/if_wg.c:1.71	Fri Nov  4 09:00:58 2022
+++ src/sys/net/if_wg.c	Fri Jan 13 19:14:13 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.71.2.1 2023/01/13 19:14:13 martin Exp $	*/
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.71.2.1 2023/01/13 19:14:13 martin Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -4449,6 +4449,17 @@ out:
 	return error;
 }
 
+static bool
+wg_is_authorized(struct wg_softc *wg, u_long cmd)
+{
+	int au = cmd == SIOCGDRVSPEC ?
+	    KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV :
+	    KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV;
+	return kauth_authorize_network(kauth_cred_get(),
+	    KAUTH_NETWORK_INTERFACE_WG, au, &wg->wg_if,
+	    (void *)cmd, NULL) == 0;
+}
+
 static int
 wg_ioctl_get(struct wg_softc *wg, struct ifdrv *ifd)
 {
@@ -4463,9 +4474,11 @@ wg_ioctl_get(struct wg_softc *wg, struct
 	if (prop_dict == NULL)
 		goto error;
 
-	if (!prop_dictionary_set_data(prop_dict, "private_key", wg->wg_privkey,
-		WG_STATIC_KEY_LEN))
-		goto error;
+	if (wg_is_authorized(wg, SIOCGDRVSPEC)) {
+		if (!prop_dictionary_set_data(prop_dict, "private_key",
+			wg->wg_privkey, WG_STATIC_KEY_LEN))
+			goto error;
+	}
 
 	if (wg->wg_listen_port != 0) {
 		if (!prop_dictionary_set_uint16(prop_dict, "listen_port",
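Review bot: wg_is_authorized(wg, SIOCGDRVSPEC) is called here and again inside the per-peer loop in the next hunk, so one SIOCGDRVSPEC request performs a kauth_authorize_network() call per peer, each answering the same question for the same credential. Evaluate it once near the top of wg_ioctl_get — `bool privileged = wg_is_authorized(wg, SIOCGDRVSPEC);` — and test `privileged` at both sites. A comment such as `/* Unprivileged callers get the dictionary without the private key. */` would also make the silent omission (no error is returned) visibly intentional. wg_ioctl_get begins before this hunk.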
@@ -4507,10 +4520,12 @@ wg_ioctl_get(struct wg_softc *wg, struct
 		uint8_t psk_zero[WG_PRESHARED_KEY_LEN] = {0};
 		if (!consttime_memequal(wgp->wgp_psk, psk_zero,
 			sizeof(wgp->wgp_psk))) {
-			if (!prop_dictionary_set_data(prop_peer,
-				"preshared_key",
-				wgp->wgp_psk, sizeof(wgp->wgp_psk)))
-				goto next;
+			if (wg_is_authorized(wg, SIOCGDRVSPEC)) {
+				if (!prop_dictionary_set_data(prop_peer,
+					"preshared_key",
+					wgp->wgp_psk, sizeof(wgp->wgp_psk)))
+					goto next;
+			}
 		}
 
 		wgsa = wg_get_endpoint_sa(wgp, &wgsa_psref);
@@ -4649,6 +4664,9 @@ wg_ioctl(struct ifnet *ifp, u_long cmd, 
 		}
 		return error;
 	case SIOCSDRVSPEC:
+		if (!wg_is_authorized(wg, cmd)) {
+			return EPERM;
+		}
 		switch (ifd->ifd_cmd) {
 		case WG_IOCTL_SET_PRIVATE_KEY:
 			error = wg_ioctl_set_private_key(wg, ifd);
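Review bot: The new SIOCSDRVSPEC guard braces a single return, while the code elsewhere in this diff leaves single statements unbraced (`if (prop_dict == NULL)` / `goto error;` in wg_ioctl_get), so `if (!wg_is_authorized(wg, cmd))` / `return EPERM;` would match the file's KNF style. Because wg_is_authorized discards kauth's error code, the fixed EPERM is the only value available here; a one-line comment saying that reads are not gated at this level because wg_ioctl_get filters the privileged fields itself would explain why SIOCGDRVSPEC has no matching check. wg_ioctl continues outside the hunk.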

Index: src/sys/secmodel/suser/secmodel_suser.c
diff -u src/sys/secmodel/suser/secmodel_suser.c:1.55.20.1 src/sys/secmodel/suser/secmodel_suser.c:1.55.20.2
--- src/sys/secmodel/suser/secmodel_suser.c:1.55.20.1	Fri Jan 13 19:00:20 2023
+++ src/sys/secmodel/suser/secmodel_suser.c	Fri Jan 13 19:14:13 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: secmodel_suser.c,v 1.55.20.1 2023/01/13 19:00:20 martin Exp $ */
+/* $NetBSD: secmodel_suser.c,v 1.55.20.2 2023/01/13 19:14:13 martin Exp $ */
 /*-
  * Copyright (c) 2006 Elad Efrat <e...@netbsd.org>
  * All rights reserved.
@@ -38,7 +38,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.55.20.1 2023/01/13 19:00:20 martin Exp $");
+__KERNEL_RCSID(0, "$NetBSD: secmodel_suser.c,v 1.55.20.2 2023/01/13 19:14:13 martin Exp $");
 
 #include <sys/types.h>
 #include <sys/param.h>
@@ -759,6 +759,20 @@ secmodel_suser_network_cb(kauth_cred_t c
 
 		break;
 
+	case KAUTH_NETWORK_INTERFACE_WG:
+		switch (req) {
+		case KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV:
+		case KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV:
+			if (isroot)
+				result = KAUTH_RESULT_ALLOW;
+			break;
+
+		default:
+			break;
+		}
+
+		break;
+
 	case KAUTH_NETWORK_SOCKET:
 		switch (req) {
 		case KAUTH_REQ_NETWORK_SOCKET_DROP:
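Review bot: The new KAUTH_NETWORK_INTERFACE_WG case assigns result only when isroot, so a non-root caller is left with whatever result was initialized to above this hunk (presumably KAUTH_RESULT_DEFER, as the neighbouring cases appear to rely on — verify), and the eventual EPERM comes from kauth finding no listener that allowed the request. A short comment would state the policy on its face: `/* wg(4): private key and peer preshared keys, read or write, are root-only. */`. secmodel_suser_network_cb begins and ends outside the hunk.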

Index: src/sys/sys/kauth.h
diff -u src/sys/sys/kauth.h:1.87.4.1 src/sys/sys/kauth.h:1.87.4.2
--- src/sys/sys/kauth.h:1.87.4.1	Fri Jan 13 19:00:21 2023
+++ src/sys/sys/kauth.h	Fri Jan 13 19:14:13 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: kauth.h,v 1.87.4.1 2023/01/13 19:00:21 martin Exp $ */
+/* $NetBSD: kauth.h,v 1.87.4.2 2023/01/13 19:14:13 martin Exp $ */
 
 /*-
  * Copyright (c) 2005, 2006 Elad Efrat <e...@netbsd.org>  
@@ -263,6 +263,7 @@ enum {
 	KAUTH_NETWORK_INTERFACE_PVC,
 	KAUTH_NETWORK_IPV6,
 	KAUTH_NETWORK_SMB,
+	KAUTH_NETWORK_INTERFACE_WG,
 };
 
 /*
@@ -311,7 +312,9 @@ enum kauth_network_req {
 	KAUTH_REQ_NETWORK_SMB_VC_ACCESS,
 	KAUTH_REQ_NETWORK_SMB_VC_CREATE,
 	KAUTH_REQ_NETWORK_INTERFACE_FIRMWARE,
-	KAUTH_REQ_NETWORK_BIND_ANYADDR
+	KAUTH_REQ_NETWORK_BIND_ANYADDR,
+	KAUTH_REQ_NETWORK_INTERFACE_WG_GETPRIV,
+	KAUTH_REQ_NETWORK_INTERFACE_WG_SETPRIV,
 };
 
 /*
