Skip to content

networkd:wpa_supplicant: driver fallback to nl80211 and/or wext (LP: #1814012)#240

Merged
slyon merged 4 commits intocanonical:mainfrom
kees:fallback
Oct 21, 2021
Merged

networkd:wpa_supplicant: driver fallback to nl80211 and/or wext (LP: #1814012)#240
slyon merged 4 commits intocanonical:mainfrom
kees:fallback

Conversation

@kees
Copy link
Copy Markdown
Contributor

@kees kees commented Oct 12, 2021
edited
Loading

Description

Adds tests to check the generated content of the wpa_supplicant .service files.

Fixes non-wired wpa_supplicant .service definition to use correct driver fallback list:

The default behavior for wpa_supplicant under systemd is to try both
nl80211 and wext drivers[1]. However, netplan was not specifying the
the same configuration, so wext devices had no way to be configured[2].

[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012

Signed-off-by: Kees Cook kees@ubuntu.com

Checklist

  • Runs make check successfully.
  • Retains 100% code coverage (make check-coverage).
  • New/changed keys in YAML format are documented.
  • (Optional) Adds example YAML for new feature.
  • (Optional) Closes an open bug in Launchpad.

@codecov-commenter
Copy link
Copy Markdown

codecov-commenter commented Oct 12, 2021
edited
Loading

Codecov Report

Merging #240 (6cf1304) into main (87c5b04) will increase coverage by 0.00%.
The diff coverage is 100.00%.

Impacted file tree graph

@@           Coverage Diff           @@
##             main     #240   +/-   ##
=======================================
  Coverage   99.10%   99.10%           
=======================================
  Files          58       58           
  Lines        9792     9802   +10     
=======================================
+ Hits         9704     9714   +10     
  Misses         88       88
Impacted Files Coverage Δ
src/networkd.c 100.00% <100.00%> (ø)
tests/generator/base.py 100.00% <100.00%> (ø)
tests/generator/test_auth.py 100.00% <100.00%> (ø)
tests/generator/test_wifis.py 100.00% <100.00%> (ø)

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 87c5b04...6cf1304. Read the comment docs.

schopin-pro
schopin-pro reviewed Oct 13, 2021
View reviewed changes
Comment thread src/networkd.c
slyon
slyon reviewed Oct 13, 2021
View reviewed changes
Comment thread tests/generator/test_auth.py Outdated
kees added 3 commits October 13, 2021 08:26
@kees
networkd: Add missing umask(022) for wpa_supplicant .service generator
76f9430 
While expanding the generator tests, I noticed that the .service files
being generated were being written world-writable (mode 0666). It seems
only the wpa_supplicant .service generator was missing the umask(022)
call used everywhere else (but nothing was testing for this).

Luckily it seems that netplan when running for real uses a umask of 022
so .service files are (accidentally) not currently be written with mode
0666 in production that I could find.

Add missing umask(022) call so even if the running umask breaks,
the files won't be world-writable (which would likely lead to a local
privilege escalation vulnerability for any systems configuring a "wifis"
netplan section).

Signed-off-by: Kees Cook <kees@ubuntu.com>
@kees
tests: Check contents of .service file for wpa_supplicant
2140c51 
There was no content checking of the generated wpa_supplicant .service
files. Add a templated check for this, leaving the '-D' option
open-coded here, to be changed with the next patch.

Signed-off-by: Kees Cook <kees@ubuntu.com>
@kees
wifis: Specify wpa_supplicant driver fallback
cf8bf29 
The default behavior for wpa_supplicant under systemd is to try both
nl80211 and wext drivers[1]. However, netplan was not specifying the
same configuration, so wext devices had no way to be configured[2] by
netplan.

Add -Dnl80211,wext to the wpa_supplicant generated .service file and
update tests accordingly.

[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012

Signed-off-by: Kees Cook <kees@ubuntu.com>
@kees
Copy link
Copy Markdown
Contributor Author

kees commented Oct 14, 2021

Is anything else needed for this series to be accepted? Thanks!

slyon
slyon approved these changes Oct 20, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@slyon slyon left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you Kees for your contribution and for providing this workaround to wpa_supplicant.
LGTM!

But, how does your proposal here change the story? https://salsa.debian.org/debian/wpa/-/commit/50a3427f45214628dcd29ca9e58f9796bca13b79 Do we still want to get it landed in netplan, or do we just wait for the updated wpa_supplicant package (that already landed in Ubuntu Jammy as of a few hours ago).

Maybe we just want the "umask" change in this case?

@kees
Copy link
Copy Markdown
Contributor Author

kees commented Oct 20, 2021
edited
Loading

It doesn't change anything, since netplan may be used on older wpa-supplecant, etc.

@slyon slyon changed the title Fallback networkd:wpa_supplicant: driver fallback to nl80211 and/or wext (LP: #1814012) Oct 21, 2021
@slyon slyon merged commit d4c713d into canonical:main Oct 21, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@schopin-pro schopin-pro schopin-pro left review comments

@slyon slyon slyon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@kees @codecov-commenter @slyon @schopin-pro