Index: sys/kern/kern_jail.c =================================================================== --- sys/kern/kern_jail.c +++ sys/kern/kern_jail.c @@ -3066,11 +3066,14 @@ /* * 802.11-related privileges. + * + * Note PRIV_NET80211_VAP_SETMAC and PRIV_NET80211_CREATE_VAP + * are not available in the jail. (So things that require + * cloning new interfaces like DWDS STA/AP won't work in + * jails.) */ - case PRIV_NET80211_GETKEY: -#ifdef notyet - case PRIV_NET80211_MANAGE: /* XXX-BZ discuss with sam@ */ -#endif + case PRIV_NET80211_VAP_GETKEY: + case PRIV_NET80211_VAP_MANAGE: #ifdef notyet /* Index: sys/net80211/ieee80211_freebsd.c =================================================================== --- sys/net80211/ieee80211_freebsd.c +++ sys/net80211/ieee80211_freebsd.c @@ -41,6 +41,7 @@ #include #include #include +#include #include #include @@ -81,6 +82,10 @@ struct ieee80211vap *vap; struct ieee80211com *ic; int error; + + error = priv_check(curthread, PRIV_NET80211_CREATE_VAP); + if (error) + return error; error = copyin(params, &cp, sizeof(cp)); if (error) Index: sys/net80211/ieee80211_ioctl.c =================================================================== --- sys/net80211/ieee80211_ioctl.c +++ sys/net80211/ieee80211_ioctl.c @@ -106,7 +106,8 @@ ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV); if (wk->wk_keyix == vap->iv_def_txkey) ik.ik_flags |= IEEE80211_KEY_DEFAULT; - if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) { + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { /* NB: only root can read key data */ ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID]; ik.ik_keytsc = wk->wk_keytsc; @@ -247,6 +248,8 @@ * NB: ie's can be no more than 255 bytes and the max 802.11 * packet is <3Kbytes so we are sure this doesn't overflow * 16-bits; if this is a concern we can drop the ie's. + * + * XXX TODO: should really double check this! */ len = sizeof(struct ieee80211req_scan_result) + se->se_ssid[1] + se->se_meshid[1] + *ielen; @@ -815,7 +818,8 @@ return EINVAL; len = (u_int) vap->iv_nw_keys[kid].wk_keylen; /* NB: only root can read WEP keys */ - if (priv_check(curthread, PRIV_NET80211_GETKEY) == 0) { + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len); } else { bzero(tmpkey, len); @@ -3636,7 +3640,8 @@ (struct ieee80211req *) data); break; case SIOCS80211: - error = priv_check(curthread, PRIV_NET80211_MANAGE); + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE); if (error == 0) error = ieee80211_ioctl_set80211(vap, cmd, (struct ieee80211req *) data); @@ -3681,6 +3686,12 @@ break; } break; + case SIOCSIFLLADDR: + /* XXX TODO: move priv check to ieee80211_freebsd.c */ + error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC); + if (error == 0) + break; + /* Fallthrough */ default: /* * Pass unknown ioctls first to the driver, and if it Index: sys/sys/priv.h =================================================================== --- sys/sys/priv.h +++ sys/sys/priv.h @@ -350,8 +350,10 @@ /* * 802.11-related privileges. */ -#define PRIV_NET80211_GETKEY 440 /* Query 802.11 keys. */ -#define PRIV_NET80211_MANAGE 441 /* Administer 802.11. */ +#define PRIV_NET80211_VAP_GETKEY 440 /* Query VAP 802.11 keys. */ +#define PRIV_NET80211_VAP_MANAGE 441 /* Administer 802.11 VAP */ +#define PRIV_NET80211_VAP_SETMAC 442 /* Set VAP MAC address */ +#define PRIV_NET80211_CREATE_VAP 443 /* Create a new VAP */ /* * Placeholder for AppleTalk privileges, not supported anymore.