-
Notifications
You must be signed in to change notification settings - Fork 195
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
networkd:wpa_supplicant: driver fallback to nl80211 and/or wext (LP: #1814012) #240
Conversation
Codecov Report
@@ Coverage Diff @@
## main #240 +/- ##
=======================================
Coverage 99.10% 99.10%
=======================================
Files 58 58
Lines 9792 9802 +10
=======================================
+ Hits 9704 9714 +10
Misses 88 88
Continue to review full report at Codecov.
|
While expanding the generator tests, I noticed that the .service files being generated were being written world-writable (mode 0666). It seems only the wpa_supplicant .service generator was missing the umask(022) call used everywhere else (but nothing was testing for this). Luckily it seems that netplan when running for real uses a umask of 022 so .service files are (accidentally) not currently be written with mode 0666 in production that I could find. Add missing umask(022) call so even if the running umask breaks, the files won't be world-writable (which would likely lead to a local privilege escalation vulnerability for any systems configuring a "wifis" netplan section). Signed-off-by: Kees Cook <kees@ubuntu.com>
There was no content checking of the generated wpa_supplicant .service files. Add a templated check for this, leaving the '-D' option open-coded here, to be changed with the next patch. Signed-off-by: Kees Cook <kees@ubuntu.com>
The default behavior for wpa_supplicant under systemd is to try both nl80211 and wext drivers[1]. However, netplan was not specifying the same configuration, so wext devices had no way to be configured[2] by netplan. Add -Dnl80211,wext to the wpa_supplicant generated .service file and update tests accordingly. [1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch [2] https://bugs.launchpad.net/netplan/+bug/1814012 Signed-off-by: Kees Cook <kees@ubuntu.com>
Is anything else needed for this series to be accepted? Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you Kees for your contribution and for providing this workaround to wpa_supplicant.
LGTM!
But, how does your proposal here change the story? https://salsa.debian.org/debian/wpa/-/commit/50a3427f45214628dcd29ca9e58f9796bca13b79 Do we still want to get it landed in netplan, or do we just wait for the updated wpa_supplicant package (that already landed in Ubuntu Jammy as of a few hours ago).
Maybe we just want the "umask" change in this case?
It doesn't change anything, since netplan may be used on older wpa-supplecant, etc. |
Description
Adds tests to check the generated content of the wpa_supplicant .service files.
Fixes non-wired wpa_supplicant .service definition to use correct driver fallback list:
The default behavior for wpa_supplicant under systemd is to try both
nl80211 and wext drivers[1]. However, netplan was not specifying the
the same configuration, so wext devices had no way to be configured[2].
[1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
[2] https://bugs.launchpad.net/netplan/+bug/1814012
Signed-off-by: Kees Cook kees@ubuntu.com
Checklist
make check
successfully.make check-coverage
).