hostapd: run as user 'network' if procd-ujail is installed
authorDaniel Golle <daniel@makrotopia.org>
Sun, 10 Jan 2021 19:12:05 +0000 (19:12 +0000)
committerDaniel Golle <daniel@makrotopia.org>
Thu, 14 Jan 2021 00:52:50 +0000 (00:52 +0000)
Granting capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root privileges.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
package/network/services/hostapd/Makefile
package/network/services/hostapd/files/wpad.init
package/network/services/hostapd/files/wpad.json [new file with mode: 0644]
package/network/services/hostapd/files/wpad_acl.json [new file with mode: 0644]

index a64065db1076a09bd1ab03c68b2d6b23f57a4571..53470a2c02372edff43e628fdc2acba73a6936c4 100644 (file)
@@ -7,7 +7,7 @@
 include $(TOPDIR)/rules.mk
 
 PKG_NAME:=hostapd
-PKG_RELEASE:=25
+PKG_RELEASE:=26
 
 PKG_SOURCE_URL:=http://w1.fi/hostap.git
 PKG_SOURCE_PROTO:=git
@@ -145,6 +145,7 @@ define Package/hostapd/Default
   TITLE:=IEEE 802.1x Authenticator
   URL:=http://hostap.epitest.fi/
   DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
+  USERID:=network=101:network=101
   PROVIDES:=hostapd
   CONFLICTS:=$(HOSTAPD_PROVIDERS)
   HOSTAPD_PROVIDERS+=$(1)
@@ -228,6 +229,7 @@ define Package/wpad/Default
   SUBMENU:=WirelessAPD
   TITLE:=IEEE 802.1x Auth/Supplicant
   DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
+  USERID:=network=101:network=101
   URL:=http://hostap.epitest.fi/
   PROVIDES:=hostapd wpa-supplicant
   CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
@@ -342,6 +344,7 @@ define Package/wpa-supplicant/Default
   TITLE:=WPA Supplicant
   URL:=http://hostap.epitest.fi/wpa_supplicant/
   DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
+  USERID:=network=101:network=101
   PROVIDES:=wpa-supplicant
   CONFLICTS:=$(SUPPLICANT_PROVIDERS)
   SUPPLICANT_PROVIDERS+=$(1)
@@ -593,10 +596,12 @@ define Install/supplicant
 endef
 
 define Package/hostapd-common/install
-       $(INSTALL_DIR) $(1)/lib/netifd $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d
+       $(INSTALL_DIR) $(1)/etc/capabilities $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d $(1)/lib/netifd  $(1)/usr/share/acl.d
        $(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
        $(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
        $(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
+       $(INSTALL_DATA) ./files/wpad_acl.json $(1)/usr/share/acl.d
+       $(INSTALL_DATA) ./files/wpad.json $(1)/etc/capabilities
 endef
 
 define Package/hostapd/install
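Review bot: The rewritten `$(INSTALL_DIR)` line in the hostapd-common install hunk carries a stray double space between `$(1)/lib/netifd` and `$(1)/usr/share/acl.d`; harmless to make, but worth normalising to a single space while the line is being touched. The identical `USERID:=network=101:network=101` line is repeated in the three `Package/*/Default` templates (hostapd, wpad, wpa-supplicant); a single variable such as `WPAD_USERID:=network=101:network=101` referenced as `USERID:=$(WPAD_USERID)` keeps the uid/gid in one place if it ever has to change. Since the capabilities file and the ubus ACL are installed by hostapd-common regardless of whether procd-ujail is selected, a one-line comment above the two new `$(INSTALL_DATA)` lines (`# consumed by wpad.init only when /sbin/ujail is present`) would tell a reader why they are unconditional.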
index 84717967747018f9becf6d11560349ec2949f070..79c5bf1075c8b55bfb67f4f68ff52b12da318002 100644 (file)
@@ -9,17 +9,33 @@ NAME=wpad
 start_service() {
        if [ -x "/usr/sbin/hostapd" ]; then
                mkdir -p /var/run/hostapd
+               chown network:network /var/run/hostapd
                procd_open_instance hostapd
                procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
                procd_set_param respawn 3600 1 0
+               [ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+                       procd_add_jail hostapd
+                       procd_set_param capabilities /etc/capabilities/wpad.json
+                       procd_set_param user network
+                       procd_set_param group network
+                       procd_set_param no_new_privs 1
+               }
                procd_close_instance
        fi
 
        if [ -x "/usr/sbin/wpa_supplicant" ]; then
                mkdir -p /var/run/wpa_supplicant
+               chown network:network /var/run/wpa_supplicant
                procd_open_instance supplicant
                procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
                procd_set_param respawn 3600 1 0
+               [ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+                       procd_add_jail wpa_supplicant
+                       procd_set_param capabilities /etc/capabilities/wpad.json
+                       procd_set_param user network
+                       procd_set_param group network
+                       procd_set_param no_new_privs 1
+               }
                procd_close_instance
        fi
 }
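Review bot: The jail block is duplicated verbatim for the hostapd and supplicant instances, and both guards use the `[ -x ... -a -e ... ]` form, whose `-a` operator POSIX marks obsolescent and which busybox `ash` parses ambiguously when an operand starts with `-`; `[ -x /sbin/ujail ] && [ -e /etc/capabilities/wpad.json ]` is the portable spelling. Factoring the five `procd_*` calls into one helper that takes the jail name removes the copy and keeps the two instances from drifting apart (for example if a `procd_add_jail_mount` is later needed for one of them). Note that the `chown network:network` on the run directories is executed unconditionally, so the directory is handed to the `network` user even on the fallback path where the daemon still runs as root; that is harmless but a comment such as `# directory must be writable by the unprivileged instance; harmless when running as root` would make the intent explicit. I cannot tell from the hunk whether `procd_add_jail` with no options gives the instance any filesystem isolation or only the user/capability drop, so the function header comment should state which of the two the jail is meant to provide.
```shell
# Configure an instance to run unprivileged under ujail when procd-ujail is
# installed; without it the instance keeps the pre-existing root behaviour.
# $1 = jail name
_wpad_jail() {
	[ -x /sbin/ujail ] && [ -e /etc/capabilities/wpad.json ] || return 0
	procd_add_jail "$1"
	procd_set_param capabilities /etc/capabilities/wpad.json
	procd_set_param user network
	procd_set_param group network
	procd_set_param no_new_privs 1
}

# … unchanged: start_service() hostapd instance up to respawn …
		_wpad_jail hostapd
# … unchanged: supplicant instance up to respawn …
		_wpad_jail wpa_supplicant
```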
diff --git a/package/network/services/hostapd/files/wpad.json b/package/network/services/hostapd/files/wpad.json
new file mode 100644 (file)
index 0000000..c73f3d9
--- /dev/null
@@ -0,0 +1,22 @@
+{
+       "bounding": [
+               "CAP_NET_ADMIN",
+               "CAP_NET_RAW"
+       ],
+       "effective": [
+               "CAP_NET_ADMIN",
+               "CAP_NET_RAW"
+       ],
+       "ambient": [
+               "CAP_NET_ADMIN",
+               "CAP_NET_RAW"
+       ],
+       "permitted": [
+               "CAP_NET_ADMIN",
+               "CAP_NET_RAW"
+       ],
+       "inheritable": [
+               "CAP_NET_ADMIN",
+               "CAP_NET_RAW"
+       ]
+}
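Review bot: The `ambient` and `inheritable` sets are populated with the same two capabilities as `bounding`/`permitted`/`effective`, which (assuming procd maps these names onto the Linux capability sets directly) means CAP_NET_ADMIN and CAP_NET_RAW are kept across `execve` by any helper process the daemon spawns, not just by hostapd/wpa_supplicant themselves. If the daemons are not expected to exec children, leaving `ambient` and `inheritable` empty narrows the grant to the daemon process with no functional cost; if they are, the commit message should say why the inherited set is needed. Strict JSON has no comment syntax, so that rationale belongs in wpad.init next to the `procd_set_param capabilities` line or in the commit description rather than in this file.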
diff --git a/package/network/services/hostapd/files/wpad_acl.json b/package/network/services/hostapd/files/wpad_acl.json
new file mode 100644 (file)
index 0000000..c77ccd8
--- /dev/null
@@ -0,0 +1,10 @@
+{
+       "user": "network",
+       "access": {
+               "service": {
+                       "methods": [ "event" ]
+               }
+       },
+       "publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
+       "send": [ "bss.*", "wps_credentials" ]
+}
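Review bot: This ubus ACL is keyed on the `network` user rather than on the wpad instances, so any other daemon that is later moved to the same uid 101 (the Makefile declares `network=101` for all three packages) automatically inherits the right to publish `hostapd*`/`wpa_supplicant*` objects and to send `bss.*`/`wps_credentials` events. That is the normal ubus ACL model, but it is worth a sentence in the commit description, or a comment beside the `$(INSTALL_DATA) ./files/wpad_acl.json` line, noting that the `network` user is intended to be shared only by services that legitimately need these objects. The `access.service.methods: ["event"]` entry is presumably what lets the daemons forward events through the `service` object; naming the consumer in that same comment would help the next person who tightens the list.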