Module Name: src Committed By: jakllsch Date: Thu Jan 5 02:38:51 UTC 2023
Modified Files: src/sys/net: if_wg.c Log Message: Check for authorization for SIOCSDRVSPEC and SIOCGDRVSPEC ioctls for wg(4). Addresses PR 57161. To generate a diff of this commit: cvs rdiff -u -r1.71 -r1.72 src/sys/net/if_wg.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/sys/net/if_wg.c
diff -u src/sys/net/if_wg.c:1.71 src/sys/net/if_wg.c:1.72
--- src/sys/net/if_wg.c:1.71 Fri Nov 4 09:00:58 2022
+++ src/sys/net/if_wg.c Thu Jan 5 02:38:51 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $ */
+/* $NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $ */

 /*
 * Copyright (C) Ryota Ozaki <ozaki.ry...@gmail.com>
@@ -41,7 +41,7 @@
 */

 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.71 2022/11/04 09:00:58 ozaki-r Exp $");
+__KERNEL_RCSID(0, "$NetBSD: if_wg.c,v 1.72 2023/01/05 02:38:51 jakllsch Exp $");

 #ifdef _KERNEL_OPT
 #include "opt_altq_enabled.h"
@@ -4649,6 +4649,12 @@ wg_ioctl(struct ifnet *ifp, u_long cmd,
 }
 return error;
 case SIOCSDRVSPEC:
+ if (kauth_authorize_network(kauth_cred_get(),
+ KAUTH_NETWORK_INTERFACE,
+ KAUTH_REQ_NETWORK_INTERFACE_SETPRIV, &wg->wg_if,
+ (void *)cmd, NULL) != 0) {
+ return EPERM;
+ }
 switch (ifd->ifd_cmd) {
 case WG_IOCTL_SET_PRIVATE_KEY:
 error = wg_ioctl_set_private_key(wg, ifd);
@@ -4668,6 +4674,12 @@ wg_ioctl(struct ifnet *ifp, u_long cmd,
 }
 return error;
 case SIOCGDRVSPEC:
+ if (kauth_authorize_network(kauth_cred_get(),
+ KAUTH_NETWORK_INTERFACE,
+ KAUTH_REQ_NETWORK_INTERFACE_GETPRIV, &wg->wg_if,
+ (void *)cmd, NULL) != 0) {
+ return EPERM;
+ }
 return wg_ioctl_get(wg, ifd);
 case SIOCSIFFLAGS:
 if ((error = ifioctl_common(ifp, cmd, data)) != 0)
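Review bot: The check added under `case SIOCSDRVSPEC:` tests the kauth result inline and returns a hard-coded `EPERM`, while the surrounding lines of wg_ioctl use the `error = ...; return error;` pattern; the SIOCGDRVSPEC hunk repeats the same form. Storing the result, `error = kauth_authorize_network(...);` followed by `if (error != 0) return error;`, keeps the function consistent and returns whatever the authorization layer decided. The bare `(void *)cmd` cast could be written `KAUTH_ARG(cmd)`, and `ifp` from the signature could replace `&wg->wg_if` if both name the same interface, which the hunk does not show. wg_ioctl's body starts and ends outside the hunk.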
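Review bot: Gating the whole `case SIOCGDRVSPEC:` on KAUTH_REQ_NETWORK_INTERFACE_GETPRIV means an unprivileged caller can no longer read any wg(4) state through this ioctl, not only key material. wg_ioctl_get() is outside the hunk, so it is not visible whether it already withholds the private key and preshared keys from unauthorized callers; if it does, this check is broader than the fix needs and status queries from non-root users would start failing with EPERM. If the blanket denial is intended, a comment above the check would record that, e.g. `/* Everything wg_ioctl_get() returns is treated as privileged, including non-secret peer state. */`. wg_ioctl's body continues outside the hunk.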