Index: sys/net80211/ieee80211_freebsd.h =================================================================== --- sys/net80211/ieee80211_freebsd.h +++ sys/net80211/ieee80211_freebsd.h @@ -42,6 +42,19 @@ #include +/* + * priv(9) NET80211 checks. + */ +struct ieee80211vap; +int ieee80211_priv_check_vap_getkey(u_long, struct ieee80211vap *, + struct ifnet *); +int ieee80211_priv_check_vap_manage(u_long, struct ieee80211vap *, + struct ifnet *); +int ieee80211_priv_check_vap_setmac(u_long, struct ieee80211vap *, + struct ifnet *); +int ieee80211_priv_check_create_vap(u_long, struct ieee80211vap *, + struct ifnet *); + /* * Common state locking definitions. */ Index: sys/net80211/ieee80211_freebsd.c =================================================================== --- sys/net80211/ieee80211_freebsd.c +++ sys/net80211/ieee80211_freebsd.c @@ -75,6 +75,42 @@ static const char wlanname[] = "wlan"; static struct if_clone *wlan_cloner; +/* + * priv(9) NET80211 checks. + * Return 0 if operation is allowed, E* (usually EPERM) otherwise. + */ +int +ieee80211_priv_check_vap_getkey(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_VAP_GETKEY)); +} + +int +ieee80211_priv_check_vap_manage(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_VAP_MANAGE)); +} + +int +ieee80211_priv_check_vap_setmac(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_VAP_SETMAC)); +} + +int +ieee80211_priv_check_create_vap(u_long cmd __unused, + struct ieee80211vap *vap __unused, struct ifnet *ifp __unused) +{ + + return (priv_check(curthread, PRIV_NET80211_CREATE_VAP)); +} + static int wlan_clone_create(struct if_clone *ifc, int unit, caddr_t params) { @@ -83,7 +119,7 @@ struct ieee80211com *ic; int error; - error = priv_check(curthread, PRIV_NET80211_CREATE_VAP); + error = ieee80211_priv_check_create_vap(0, NULL, NULL); if (error) return error; Index: sys/net80211/ieee80211_ioctl.c =================================================================== --- sys/net80211/ieee80211_ioctl.c +++ sys/net80211/ieee80211_ioctl.c @@ -40,7 +40,6 @@ #include #include #include -#include #include #include #include @@ -72,7 +71,8 @@ struct ieee80211_scan_req *); static int -ieee80211_ioctl_getkey(struct ieee80211vap *vap, struct ieee80211req *ireq) +ieee80211_ioctl_getkey(u_long cmd, struct ieee80211vap *vap, + struct ieee80211req *ireq) { struct ieee80211com *ic = vap->iv_ic; struct ieee80211_node *ni; @@ -106,8 +106,7 @@ ik.ik_flags = wk->wk_flags & (IEEE80211_KEY_XMIT | IEEE80211_KEY_RECV); if (wk->wk_keyix == vap->iv_def_txkey) ik.ik_flags |= IEEE80211_KEY_DEFAULT; - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { + if (ieee80211_priv_check_vap_getkey(cmd, vap, NULL) == 0) { /* NB: only root can read key data */ ik.ik_keyrsc = wk->wk_keyrsc[IEEE80211_NONQOS_TID]; ik.ik_keytsc = wk->wk_keytsc; @@ -823,8 +822,7 @@ return EINVAL; len = (u_int) vap->iv_nw_keys[kid].wk_keylen; /* NB: only root can read WEP keys */ - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - if (priv_check(curthread, PRIV_NET80211_VAP_GETKEY) == 0) { + if (ieee80211_priv_check_vap_getkey(cmd, vap, NULL) == 0) { bcopy(vap->iv_nw_keys[kid].wk_key, tmpkey, len); } else { bzero(tmpkey, len); @@ -917,7 +915,7 @@ ireq->i_val = (vap->iv_flags & IEEE80211_F_NOBRIDGE) == 0; break; case IEEE80211_IOC_WPAKEY: - error = ieee80211_ioctl_getkey(vap, ireq); + error = ieee80211_ioctl_getkey(cmd, vap, ireq); break; case IEEE80211_IOC_CHANINFO: error = ieee80211_ioctl_getchaninfo(vap, ireq); @@ -3632,8 +3630,7 @@ (struct ieee80211req *) data); break; case SIOCS80211: - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - error = priv_check(curthread, PRIV_NET80211_VAP_MANAGE); + error = ieee80211_priv_check_vap_manage(cmd, vap, ifp); if (error == 0) error = ieee80211_ioctl_set80211(vap, cmd, (struct ieee80211req *) data); @@ -3679,8 +3676,7 @@ } break; case SIOCSIFLLADDR: - /* XXX TODO: move priv check to ieee80211_freebsd.c */ - error = priv_check(curthread, PRIV_NET80211_VAP_SETMAC); + error = ieee80211_priv_check_vap_setmac(cmd, vap, ifp); if (error == 0) break; /* Fallthrough */