author: Kyle Evans <kevans@FreeBSD.org> 2021-03-15 02:25:40 +0000
committer: Kyle Evans <kevans@FreeBSD.org> 2021-03-15 04:52:04 +0000
commit: 74ae3f3e33b810248da19004c58b3581cd367843
tree: b17ce98b77a3a1a86e8255dad7861d9c160222a9 /sys/kern
parent: 3e5e9939cda3b24df37c37da5f195415a894d9fd
if_wg: import latest fixup work from the wireguard-freebsd project

This is the culmination of about a week of work from three developers to fix a number of functional and security issues. This patch consists of work done by the following folks:

- Jason A. Donenfeld <Jason@zx2c4.com>
- Matt Dunwoodie <ncon@noconroy.net>
- Kyle Evans <kevans@FreeBSD.org>

Notable changes include:

- Packets are now correctly staged for processing once the handshake has completed, resulting in less packet loss in the interim.
- Various race conditions have been resolved, particularly w.r.t. socket and packet lifetime (panics)
- Various tests have been added to assure correct functionality and tooling conformance
- Many security issues have been addressed
- if_wg now maintains jail-friendly semantics: sockets are created in the interface's home vnet so that it can act as the sole network connection for a jail
- if_wg no longer fails to remove peer allowed-ips of 0.0.0.0/0
- if_wg now exports via ioctl a format that is future proof and complete. It is additionally supported by the upstream wireguard-tools (which we plan to merge in to base soon)
- if_wg now conforms to the WireGuard protocol and is more closely aligned with security auditing guidelines

Note that the driver has been rebased away from using iflib. iflib poses a number of challenges for a cloned device trying to operate in a vnet that are non-trivial to solve and adds complexity to the implementation for little gain.

The crypto implementation that was previously added to the tree was a super complex integration of what previously appeared in an old out of tree Linux module, which has been reduced to crypto.c containing simple boring reference implementations. This is part of a near-to-mid term goal to work with FreeBSD kernel crypto folks and take advantage of or improve accelerated crypto already offered elsewhere.

There's additional test suite effort underway out-of-tree taking advantage of the aforementioned jail-friendly semantics to test a number of real-world topologies, based on netns.sh.

Also note that this is still a work in progress; work going further will be much smaller in nature.

MFC after: 1 month (maybe)

Diffstat (limited to 'sys/kern')
-rw-r--r-- sys/kern/kern_jail.c 1
-rw-r--r-- sys/kern/uipc_socket.c 11
-rw-r--r-- sys/kern/uipc_syscalls.c 4
3 files changed, 13 insertions, 3 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index b5c8f6ebf9be..30499dce729c 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3433,6 +3433,7 @@ prison_priv_check(struct ucred *cred, int priv)
case PRIV_NET_GIF:
case PRIV_NET_SETIFVNET:
case PRIV_NET_SETIFFIB:
+ case PRIV_NET_WG:
/*
* 802.11-related privileges.
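
Review bot: the new case PRIV_NET_WG joins the PRIV_NET_GIF / PRIV_NET_SETIFVNET / PRIV_NET_SETIFFIB group in prison_priv_check() with no comment saying why a jailed credential should hold it. The commit message ties this to if_wg creating its sockets in the interface's home vnet so that it can serve a jail; a short comment to that effect here would help the next reader. The body shared by these case labels lies outside the visible context, so please confirm it grants the privilege only under the condition intended for the neighbouring interface privileges and not to every jail.
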
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 7f06b51cf096..eb748928cd91 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -851,6 +851,17 @@ sopeeloff(struct socket *head)
#endif /* SCTP */
int
+sogetsockaddr(struct socket *so, struct sockaddr **nam)
+{
+ int error;
+
+ CURVNET_SET(so->so_vnet);
+ error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, nam);
+ CURVNET_RESTORE();
+ return (error);
+}
+
+int
sobind(struct socket *so, struct sockaddr *nam, struct thread *td)
{
int error;
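
Review bot: sogetsockaddr() is added without a comment describing its contract. A block comment above the function should say that the call runs pru_sockaddr in the socket's own vnet (so->so_vnet) and not the caller's, and who owns the sockaddr handed back through nam, since the helper is now exported for in-kernel callers that will not have the getsockname() code path to copy from. An assertion that so is non-NULL at the top would also document the expectation cheaply.
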
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 23fae343924a..b9c2630561cb 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1386,9 +1386,7 @@ kern_getsockname(struct thread *td, int fd, struct sockaddr **sa,
return (error);
so = fp->f_data;
*sa = NULL;
- CURVNET_SET(so->so_vnet);
- error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, sa);
- CURVNET_RESTORE();
+ error = sogetsockaddr(so, sa);
if (error != 0)
goto bad;
if (*sa == NULL)
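
Review bot: the *sa = NULL initialisation on the context line just above the replaced call stays in kern_getsockname(), and the if (*sa == NULL) test after the call depends on it, so the precondition does not travel with the new helper. Consider moving the assignment into sogetsockaddr() as *nam = NULL before the pru_sockaddr call, so that every caller of the helper gets the same starting state, or note the requirement in the helper's comment.
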