Granting the capabilities CAP_NET_ADMIN and CAP_NET_RAW allows running
hostapd and wpa_supplicant without root privileges.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
include $(TOPDIR)/rules.mk
PKG_NAME:=hostapd
PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git
PKG_SOURCE_URL:=http://w1.fi/hostap.git
PKG_SOURCE_PROTO:=git
TITLE:=IEEE 802.1x Authenticator
URL:=http://hostap.epitest.fi/
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
TITLE:=IEEE 802.1x Authenticator
URL:=http://hostap.epitest.fi/
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
+ USERID:=network=101:network=101
PROVIDES:=hostapd
CONFLICTS:=$(HOSTAPD_PROVIDERS)
HOSTAPD_PROVIDERS+=$(1)
PROVIDES:=hostapd
CONFLICTS:=$(HOSTAPD_PROVIDERS)
HOSTAPD_PROVIDERS+=$(1)
SUBMENU:=WirelessAPD
TITLE:=IEEE 802.1x Auth/Supplicant
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
SUBMENU:=WirelessAPD
TITLE:=IEEE 802.1x Auth/Supplicant
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
+ USERID:=network=101:network=101
URL:=http://hostap.epitest.fi/
PROVIDES:=hostapd wpa-supplicant
CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
URL:=http://hostap.epitest.fi/
PROVIDES:=hostapd wpa-supplicant
CONFLICTS:=$(HOSTAPD_PROVIDERS) $(SUPPLICANT_PROVIDERS)
TITLE:=WPA Supplicant
URL:=http://hostap.epitest.fi/wpa_supplicant/
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
TITLE:=WPA Supplicant
URL:=http://hostap.epitest.fi/wpa_supplicant/
DEPENDS:=$(DRV_DEPENDS) +hostapd-common +libubus
+ USERID:=network=101:network=101
PROVIDES:=wpa-supplicant
CONFLICTS:=$(SUPPLICANT_PROVIDERS)
SUPPLICANT_PROVIDERS+=$(1)
PROVIDES:=wpa-supplicant
CONFLICTS:=$(SUPPLICANT_PROVIDERS)
SUPPLICANT_PROVIDERS+=$(1)
endef
define Package/hostapd-common/install
endef
define Package/hostapd-common/install
- $(INSTALL_DIR) $(1)/lib/netifd $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d
+ $(INSTALL_DIR) $(1)/etc/capabilities $(1)/etc/rc.button $(1)/etc/hotplug.d/ieee80211 $(1)/etc/init.d $(1)/lib/netifd $(1)/usr/share/acl.d
$(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
$(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
$(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
$(INSTALL_DATA) ./files/hostapd.sh $(1)/lib/netifd/hostapd.sh
$(INSTALL_BIN) ./files/wpad.init $(1)/etc/init.d/wpad
$(INSTALL_BIN) ./files/wps-hotplug.sh $(1)/etc/rc.button/wps
+ $(INSTALL_DATA) ./files/wpad_acl.json $(1)/usr/share/acl.d
+ $(INSTALL_DATA) ./files/wpad.json $(1)/etc/capabilities
endef
define Package/hostapd/install
endef
define Package/hostapd/install
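Review bot: The line `USERID:=network=101:network=101` is pasted verbatim into three package templates, so the fixed uid/gid lives in three places that can drift apart; a single `WPAD_USERID:=network=101:network=101` near the other shared variables and `USERID:=$(WPAD_USERID)` in each template keeps it in one place. It also looks like hostapd-common, which ships the ACL and capability files that name the `network` user, does not declare the user itself and relies on every consumer depending on it — that seems to hold for the three packages here, but a one-line comment above the install rule such as `# user "network" is created by the hostapd/wpad/wpa-supplicant packages (USERID)` would make the assumption explicit. The package templates containing the USERID lines begin outside this section.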
start_service() {
if [ -x "/usr/sbin/hostapd" ]; then
mkdir -p /var/run/hostapd
start_service() {
if [ -x "/usr/sbin/hostapd" ]; then
mkdir -p /var/run/hostapd
+ chown network:network /var/run/hostapd
procd_open_instance hostapd
procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
procd_set_param respawn 3600 1 0
procd_open_instance hostapd
procd_set_param command /usr/sbin/hostapd -s -g /var/run/hostapd/global
procd_set_param respawn 3600 1 0
+ [ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+ procd_add_jail hostapd
+ procd_set_param capabilities /etc/capabilities/wpad.json
+ procd_set_param user network
+ procd_set_param group network
+ procd_set_param no_new_privs 1
+ }
procd_close_instance
fi
if [ -x "/usr/sbin/wpa_supplicant" ]; then
mkdir -p /var/run/wpa_supplicant
procd_close_instance
fi
if [ -x "/usr/sbin/wpa_supplicant" ]; then
mkdir -p /var/run/wpa_supplicant
+ chown network:network /var/run/wpa_supplicant
procd_open_instance supplicant
procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
procd_set_param respawn 3600 1 0
procd_open_instance supplicant
procd_set_param command /usr/sbin/wpa_supplicant -n -s -g /var/run/wpa_supplicant/global
procd_set_param respawn 3600 1 0
+ [ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && {
+ procd_add_jail wpa_supplicant
+ procd_set_param capabilities /etc/capabilities/wpad.json
+ procd_set_param user network
+ procd_set_param group network
+ procd_set_param no_new_privs 1
+ }
procd_close_instance
fi
}
procd_close_instance
fi
}
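Review bot: The guard `[ -x /sbin/ujail -a -e /etc/capabilities/wpad.json ] && { ... }` makes the jail strictly optional, so on an image without ujail (or with the capability file missing) hostapd and wpa_supplicant silently start as root with full capabilities and nothing records that the hardening was skipped; appending `|| logger -t wpad "ujail unavailable, starting hostapd unconfined"` (and the same for the supplicant instance) lets an operator verify the unprivileged setup actually applied. The `-a` operator inside `[ ]` is also marked obsolescent by POSIX and is ambiguous for some operands; `[ -x /sbin/ujail ] && [ -e /etc/capabilities/wpad.json ] && { ... }` is the unambiguous form. Note that `chown network:network /var/run/hostapd` runs unconditionally, which is harmless but means the control-socket directory is handed to the `network` user even when the daemon ends up running as root.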
--- /dev/null
+{
+ "bounding": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW"
+ ],
+ "effective": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW"
+ ],
+ "ambient": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW"
+ ],
+ "permitted": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW"
+ ],
+ "inheritable": [
+ "CAP_NET_ADMIN",
+ "CAP_NET_RAW"
+ ]
+}
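Review bot: The "ambient" and "inheritable" sets carry CAP_NET_ADMIN and CAP_NET_RAW in addition to "effective"/"permitted", which means any child process either daemon executes inherits both capabilities; if hostapd and wpa_supplicant are not expected to spawn helpers in this configuration, leaving "ambient" and "inheritable" empty confines the capabilities to the daemon itself and is the tighter default. Since strict JSON has no comment syntax, the reasoning for keeping (or dropping) the ambient set is best recorded in the commit message or next to the install rule, e.g. `# ambient caps are needed only if the daemons exec helpers`. CAP_NET_ADMIN remains a powerful capability on a router (interface, routing and netfilter configuration), so this is a reduction from full root rather than a small privilege; that is presumably understood but worth stating.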
--- /dev/null
+{
+ "user": "network",
+ "access": {
+ "service": {
+ "methods": [ "event" ]
+ }
+ },
+ "publish": [ "hostapd", "hostapd.*", "wpa_supplicant", "wpa_supplicant.*" ],
+ "send": [ "bss.*", "wps_credentials" ]
+}
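Review bot: Because both daemons run as the same `network` user, this single ACL lets either of them publish `hostapd.*` and `wpa_supplicant.*` objects and send `bss.*`/`wps_credentials` events, so a compromised wpa_supplicant could impersonate hostapd on ubus (and vice versa); if that cross-trust is acceptable it should be stated, otherwise separate users with one ACL each (e.g. `"publish": [ "wpa_supplicant", "wpa_supplicant.*" ]` for the supplicant) is the cleaner boundary. The "access" entry grants only `service` → `event`, so any other ubus call the daemons make at runtime would be denied under the jail — that set cannot be confirmed from this change and is worth verifying against the netifd/hostapd.sh integration before merging.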