Module Name:    src
Committed By:   jakllsch
Date:           Thu Jan  5 02:38:51 UTC 2023

Modified Files:
        src/sys/net: if_wg.c

Log Message:
Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4).

Addresses PR 57161.


To generate a diff of this commit:
cvs rdiff -u -r1.71 -r1.72 src/sys/net/if_wg.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.71 src/sys/net/if_wg.c:1.72
--- src/sys/net/if_wg.c:1.71	Fri Nov  4 09:00:58 2022
+++ src/sys/net/if_wg.c	Thu Jan  5 02:38:51 2023
@@ -1,4 +1,4 @@
-/*	$NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $	*/
+/*	$NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $	*/
 
 /*
  * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $");
 
 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -4649,6 +4649,12 @@ wg_ioctl(struct ifnet *ifp, u_long cmd, 
 		}
 		return error;
 	case SIOCSDRVSPEC:
+		if (kauth_authorize_network(kauth_cred_get(),
+		    KAUTH_NETWORK_INTERFACE,
+		    KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, &wg->wg_if,
+		    (void *)cmd, NULL) != 0) {
+			return EPERM;
+		}
 		switch (ifd->ifd_cmd) {
 		case WG_IOCTL_SET_PRIVATE_KEY:
 			error = wg_ioctl_set_private_key(wg, ifd);
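Review bot: The new check in the SIOCSDRVSPEC case discards the value returned by kauth_authorize_network() and hard-codes `return EPERM;`, and the SIOCGDRVSPEC hunk repeats the same pattern. This looks functionally equivalent today, but assigning the result to the `error` variable this function already uses (`error = kauth_authorize_network(...); if (error != 0) return error;`) would match the surrounding `return error;` paths and keep the authorization verdict in one place. A short comment above the check, for example `/* gate every ifd_cmd subcommand before dispatch */`, would record why it sits ahead of the inner switch rather than in each handler. wg_ioctl's body starts and ends outside the hunk.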
@@ -4668,6 +4674,12 @@ wg_ioctl(struct ifnet *ifp, u_long cmd, 
 		}
 		return error;
 	case SIOCGDRVSPEC:
+		if (kauth_authorize_network(kauth_cred_get(),
+		    KAUTH_NETWORK_INTERFACE,
+		    KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, &wg->wg_if,
+		    (void *)cmd, NULL) != 0) {
+			return EPERM;
+		}
 		return wg_ioctl_get(wg, ifd);
 	case SIOCSIFFLAGS:
 		if ((error = ifioctl_common(ifp, cmd, data)) != 0)
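Review bot: The GETPRIV check in the SIOCGDRVSPEC case guards the whole of wg_ioctl_get(), so an unprivileged caller now gets EPERM for everything that function returns, not only for secrets. wg_ioctl_get() is outside this hunk; if it returns non-sensitive interface state alongside key material (presumably it does, to be confirmed), consider moving the authorization inside it so that only the key fields are withheld from unprivileged callers. If the all-or-nothing behaviour is intended, a comment such as `/* reply may include key material; deny the whole request */` would document that decision for the next reader.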
