networkd:wpa_supplicant: driver fallback to nl80211 and/or wext (LP: #1814012) #240

Merged
merged 4 commits into from
Oct 21, 2021

Commits on Oct 13, 2021

  1. networkd: Add missing umask(022) for wpa_supplicant .service generator

    While expanding the generator tests, I noticed that the .service files
    being generated were being written world-writable (mode 0666). It seems
    only the wpa_supplicant .service generator was missing the umask(022)
    call used everywhere else (but nothing was testing for this).
    
    Luckily it seems that netplan when running for real uses a umask of 022
    so .service files are (accidentally) not currently being written with mode
    0666 in production that I could find.
    
    Add missing umask(022) call so even if the running umask breaks,
    the files won't be world-writable (which would likely lead to a local
    privilege escalation vulnerability for any systems configuring a "wifis"
    netplan section).
    
    Signed-off-by: Kees Cook <[email protected]>
    kees committed Oct 13, 2021
    76f9430
  2. tests: Check contents of .service file for wpa_supplicant

    There was no content checking of the generated wpa_supplicant .service
    files. Add a templated check for this, leaving the '-D' option
    open-coded here, to be changed with the next patch.
    
    Signed-off-by: Kees Cook <[email protected]>
    kees committed Oct 13, 2021
    2140c51
  3. wifis: Specify wpa_supplicant driver fallback

    The default behavior for wpa_supplicant under systemd is to try both
    nl80211 and wext drivers[1]. However, netplan was not specifying the
    same configuration, so wext devices had no way to be configured[2] by
    netplan.
    
    Add -Dnl80211,wext to the wpa_supplicant generated .service file and
    update tests accordingly.
    
    [1] https://salsa.debian.org/debian/wpa/-/blob/debian/unstable/debian/patches/networkd-driver-fallback.patch
    [2] https://bugs.launchpad.net/netplan/+bug/1814012
    
    Signed-off-by: Kees Cook <[email protected]>
    kees committed Oct 13, 2021
    cf8bf29

Commits on Oct 19, 2021

  1. 6cf1304
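
The effect described in the first commit message (a generated file's mode depends entirely on the inherited umask unless the generator sets one), shown as an added example that is not code from netplan or from this pull request. The helper names and the `/tmp` scratch path are assumptions made for the illustration.

```c
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a file with fopen() while the process umask is `process_umask` and
 * return the resulting permission bits, or -1 on error. fopen() asks the
 * kernel for mode 0666, so the umask alone decides what gets cleared. */
static int mode_after_fopen(mode_t process_umask)
{
    char path[64];
    struct stat st;
    int result = -1;

    /* Constructed scratch path; "wx" (C11) refuses to reuse an existing file. */
    snprintf(path, sizeof(path), "/tmp/umask-demo-%ld.service", (long)getpid());

    mode_t saved = umask(process_umask);   /* stand-in for the inherited umask */
    FILE *f = fopen(path, "wx");
    umask(saved);                          /* restore the caller's umask */
    if (f == NULL)
        return -1;

    fputs("[Unit]\nDescription=constructed sample unit\n", f);
    fclose(f);
    if (stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    unlink(path);
    return result;
}

/* Check a mode for group or other write bits. */
static int is_group_or_world_writable(int mode)
{
    return (mode & 0022) != 0;
}

int main(void)
{
    int modes[] = { mode_after_fopen(0000), mode_after_fopen(0022) };
    for (int i = 0; i < 2; i++)
        printf("%04o %s\n", (unsigned)modes[i],
               is_group_or_world_writable(modes[i]) ? "UNSAFE" : "ok");
    return 0;
}
```

A generator test can apply the same mode check to every file it emits, which is the kind of coverage the commit message says was missing.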