author | Adrian Chadd <adrian@FreeBSD.org> | 2020-07-19 15:16:27 +0000 |
---|---|---|
committer | Adrian Chadd <adrian@FreeBSD.org> | 2020-07-19 15:16:27 +0000 |
commit | f7d38a13a85b74dcedfe3957889edd40ece4cc2f (patch) | |
tree | 11c875e80756f4d2e423dd4774287840ed2a893d /sys/kern | |
parent | 4c0fab716a80c362cbeddc317099229379849e86 (diff) | |
[net80211] Add new privileges; restrict what can be done in a jail.

Split the MANAGE privilege into MANAGE, SETMAC and CREATE_VAP.

+ VAP_MANAGE is everything but setting the MAC and creating a VAP.
+ VAP_SETMAC is setting the MAC address of the VAP.
  Typically you wouldn't want the jail to be able to modify this.
+ CREATE_VAP is to create a new VAP. Again, you don't want to be doing
  this in a jail, but this DOES stop being able to run some corner
  cases like Dynamic WDS (DWDS) AP in a jail/vnet. We can figure this
  bit out later.

This allows me to run wpa_supplicant in a jail after transferring
a STA VAP into it. I unfortunately can't currently set the wlan
debugging inside the jail; that would be super useful!

Reviewed by: bz
Differential Revision: https://reviews.freebsd.org/D25630
Notes:
svn path=/head/; revision=363325
Diffstat (limited to 'sys/kern')
-rw-r--r-- | sys/kern/kern_jail.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c index e09a2b66c64d..81000783265e 100644 --- a/sys/kern/kern_jail.c +++ b/sys/kern/kern_jail.c @@ -3107,10 +3107,8 @@ prison_priv_check(struct ucred *cred, int priv) /* * 802.11-related privileges. */ - case PRIV_NET80211_GETKEY: -#ifdef notyet - case PRIV_NET80211_MANAGE: /* XXX-BZ discuss with sam@ */ -#endif + case PRIV_NET80211_VAP_GETKEY: + case PRIV_NET80211_VAP_MANAGE: #ifdef notyet /* |
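
Review bot: The added case labels PRIV_NET80211_VAP_GETKEY and PRIV_NET80211_VAP_MANAGE in prison_priv_check() carry no comment recording that the SETMAC and CREATE_VAP privileges named in the commit message are deliberately left out of this list. MANAGE was previously held back under #ifdef notyet with an open "XXX-BZ discuss with sam@" note, and that guard and note are now gone without anything replacing the rationale. A short comment above the two cases stating which 802.11 privileges are intentionally not delegated to a jail, and why, would keep a later edit from adding them here by analogy. The hunk also renames GETKEY to VAP_GETKEY, which the commit message does not mention; since only sys/kern is shown on this page, it is worth confirming in the rest of the change that no remaining check still uses the old PRIV_NET80211_GETKEY or PRIV_NET80211_MANAGE names.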