path: root/sys/kern
diff options
authorKyle Evans <kevans@FreeBSD.org>2021-03-15 02:25:40 +0000
committerKyle Evans <kevans@FreeBSD.org>2021-03-15 04:52:04 +0000
commit74ae3f3e33b810248da19004c58b3581cd367843 (patch)
treeb17ce98b77a3a1a86e8255dad7861d9c160222a9 /sys/kern
parent3e5e9939cda3b24df37c37da5f195415a894d9fd (diff)
if_wg: import latest fixup work from the wireguard-freebsd project
This is the culmination of about a week of work from three developers to fix a number of functional and security issues. This patch consists of work done by the following folks: - Jason A. Donenfeld <Jason@zx2c4.com> - Matt Dunwoodie <ncon@noconroy.net> - Kyle Evans <kevans@FreeBSD.org> Notable changes include: - Packets are now correctly staged for processing once the handshake has completed, resulting in less packet loss in the interim. - Various race conditions have been resolved, particularly w.r.t. socket and packet lifetime (panics) - Various tests have been added to assure correct functionality and tooling conformance - Many security issues have been addressed - if_wg now maintains jail-friendly semantics: sockets are created in the interface's home vnet so that it can act as the sole network connection for a jail - if_wg no longer fails to remove peer allowed-ips of - if_wg now exports via ioctl a format that is future proof and complete. It is additionally supported by the upstream wireguard-tools (which we plan to merge in to base soon) - if_wg now conforms to the WireGuard protocol and is more closely aligned with security auditing guidelines Note that the driver has been rebased away from using iflib. iflib poses a number of challenges for a cloned device trying to operate in a vnet that are non-trivial to solve and adds complexity to the implementation for little gain. The crypto implementation that was previously added to the tree was a super complex integration of what previously appeared in an old out of tree Linux module, which has been reduced to crypto.c containing simple boring reference implementations. This is part of a near-to-mid term goal to work with FreeBSD kernel crypto folks and take advantage of or improve accelerated crypto already offered elsewhere. There's additional test suite effort underway out-of-tree taking advantage of the aforementioned jail-friendly semantics to test a number of real-world topologies, based on netns.sh. Also note that this is still a work in progress; work going further will be much smaller in nature. MFC after: 1 month (maybe)
Diffstat (limited to 'sys/kern')
3 files changed, 13 insertions, 3 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
index b5c8f6ebf9be..30499dce729c 100644
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3433,6 +3433,7 @@ prison_priv_check(struct ucred *cred, int priv)
+ case PRIV_NET_WG:
* 802.11-related privileges.
diff --git a/sys/kern/uipc_socket.c b/sys/kern/uipc_socket.c
index 7f06b51cf096..eb748928cd91 100644
--- a/sys/kern/uipc_socket.c
+++ b/sys/kern/uipc_socket.c
@@ -851,6 +851,17 @@ sopeeloff(struct socket *head)
#endif /* SCTP */
+sogetsockaddr(struct socket *so, struct sockaddr **nam)
+ int error;
+ CURVNET_SET(so->so_vnet);
+ error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, nam);
+ return (error);
sobind(struct socket *so, struct sockaddr *nam, struct thread *td)
int error;
diff --git a/sys/kern/uipc_syscalls.c b/sys/kern/uipc_syscalls.c
index 23fae343924a..b9c2630561cb 100644
--- a/sys/kern/uipc_syscalls.c
+++ b/sys/kern/uipc_syscalls.c
@@ -1386,9 +1386,7 @@ kern_getsockname(struct thread *td, int fd, struct sockaddr **sa,
return (error);
so = fp->f_data;
*sa = NULL;
- CURVNET_SET(so->so_vnet);
- error = (*so->so_proto->pr_usrreqs->pru_sockaddr)(so, sa);
+ error = sogetsockaddr(so, sa);
if (error != 0)
goto bad;
if (*sa == NULL)