author Kees Cook <kees@outflux.net> 2021-10-21 00:47:26 -0700
committer GitHub <noreply@github.com> 2021-10-21 09:47:26 +0200
commit d4c713d76866276fa2484c631141b771043d0294
tree 6c473b02c2dd5b82d9e13cc0e2a6ae27cfac4448 /src
parent 87c5b041240343d2058d674d0cae0590eab284d3
networkd:wpa_supplicant: driver fallback to nl80211 and/or wext (LP: #1814012) (#240)
Adds tests to check the generated content of the wpa_supplicant .service files.

Fixes non-wired wpa_supplicant .service definition to use correct driver fallback list:

The default behavior for wpa_supplicant under systemd is to try both nl80211 and wext drivers[1]. However, netplan was not specifying the same configuration, so wext devices had no way to be configured[2].

[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012

Signed-off-by: Kees Cook kees@ubuntu.com

COMMITS:

* networkd: Add missing umask(022) for wpa_supplicant .service generator

  While expanding the generator tests, I noticed that the .service files being generated were being written world-writable (mode 0666). It seems only the wpa_supplicant .service generator was missing the umask(022) call used everywhere else (but nothing was testing for this). Luckily it seems that netplan when running for real uses a umask of 022 so .service files are (accidentally) not currently being written with mode 0666 in production that I could find.

  Add missing umask(022) call so even if the running umask breaks, the files won't be world-writable (which would likely lead to a local privilege escalation vulnerability for any systems configuring a "wifis" netplan section).

  Signed-off-by: Kees Cook <kees@ubuntu.com>

* tests: Check contents of .service file for wpa_supplicant

  There was no content checking of the generated wpa_supplicant .service files. Add a templated check for this, leaving the '-D' option open-coded here, to be changed with the next patch.

  Signed-off-by: Kees Cook <kees@ubuntu.com>

* wifis: Specify wpa_supplicant driver fallback

  The default behavior for wpa_supplicant under systemd is to try both nl80211 and wext drivers[1]. However, netplan was not specifying the same configuration, so wext devices had no way to be configured[2] by netplan.

  Add -Dnl80211,wext to the wpa_supplicant generated .service file and update tests accordingly.

  [1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
  [2] https://bugs.launchpad.net/netplan/+bug/1814012

  Signed-off-by: Kees Cook <kees@ubuntu.com>
Diffstat (limited to 'src')
-rw-r--r-- src/networkd.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/networkd.c b/src/networkd.c
index 4012beb..a1bc504 100644
--- a/src/networkd.c
+++ b/src/networkd.c
@@ -974,6 +974,7 @@ static void
write_wpa_unit(const NetplanNetDefinition* def, const char* rootdir)
{
g_autofree gchar *stdouth = NULL;
+ mode_t orig_umask;
stdouth = systemd_escape(def->id);
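Review bot: the new mode_t orig_umask declaration at the top of write_wpa_unit depends on the umask()/mode_t declarations from <sys/stat.h> being in scope, and this patch adds no #include to src/networkd.c (5 insertions, all in the function body). Please confirm the header is included directly in this file rather than arriving transitively through another header, so the build does not depend on include order.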
@@ -989,8 +990,12 @@ write_wpa_unit(const NetplanNetDefinition* def, const char* rootdir)
if (def->type != NETPLAN_DEF_TYPE_WIFI) {
g_string_append(s, " -Dwired\n");
+ } else {
+ g_string_append(s, " -Dnl80211,wext\n");
}
+ orig_umask = umask(022);
g_string_free_to_file(s, rootdir, path, NULL);
+ umask(orig_umask);
}
static gboolean
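Review bot: the umask(022) / umask(orig_umask) pair around g_string_free_to_file(s, rootdir, path, NULL) only limits the mode of a file that is newly created by that call. If the helper opens an existing path instead of replacing it, a unit file left at 0666 by an earlier run under a loose umask keeps that mode after this fix. Since the commit message treats a world-writable .service file as a likely local privilege escalation, consider setting the mode explicitly (for example, a chmod to 0644 after the write, or a helper variant that takes the mode) so the result does not depend on the inherited umask or on the file's previous state. Also note that umask is process-wide, so this save/restore pattern is only safe while the generator stays single-threaded; a short comment saying so next to orig_umask = umask(022); would help.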