diff --git a/patches/0052-hostapd-allow-hostapd-under-ujail-to-communicate-wit.patch b/patches/0052-hostapd-allow-hostapd-under-ujail-to-communicate-wit.patch new file mode 100644 index 000000000..1a6f3e95c --- /dev/null +++ b/patches/0052-hostapd-allow-hostapd-under-ujail-to-communicate-wit.patch @@ -0,0 +1,91 @@ +From bbd31470429134c23f593a49c02d5413dcba352f Mon Sep 17 00:00:00 2001 +From: Mark Mentovai +Date: Tue, 23 Nov 2021 12:28:55 -0500 +Subject: [PATCH] hostapd: allow hostapd under ujail to communicate with + hostapd_cli + +When procd-ujail is available, 1f785383875a runs hostapd as user +"network", with only limited additional capabilities (CAP_NET_ADMIN and +CAP_NET_RAW). + +hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd +over a named UNIX-domain socket. hostapd_cli is responsible for creating +this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as +root, this endpoint is normally created with uid root, gid root, mode +0755. As a result, hostapd running as uid network is able to receive +control messages sent through this interface, but is not able to respond +to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY +<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device), +this message will appear from hostapd: + +CTRL: sendto failed: Permission denied + +As a fix, hostapd_cli should create the socket node in the filesystem +with uid network, gid network, mode 0770. This borrows the presently +Android-only strategy already in hostapd intended to solve the same +problem on Android. + +If procd-ujail is not available and hostapd falls back to running as +root, it will still be able to read from and write to the socket even if +the node in the filesystem has been restricted to the network user and +group. This matches the logic in +package/network/services/hostapd/files/wpad.init, which sets the uid and +gid of /var/run/hostapd to network regardless of whether procd-ujail is +available. + +As it appears that the "network" user and group are statically allocated +uid 101 and gid 101, respectively, per +package/base-files/files/etc/passwd and USERID in +package/network/services/hostapd/Makefile, this patch also uses a +constant 101 for the uid and gid. + +Signed-off-by: Mark Mentovai +[refreshed patch] +Signed-off-by: Daniel Golle +--- + .../610-hostapd_cli_ujail_permission.patch | 33 +++++++++++++++++++ + 1 file changed, 33 insertions(+) + create mode 100644 package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch + +diff --git a/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch b/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch +new file mode 100644 +index 0000000000..a03fcc9f92 +--- /dev/null ++++ b/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch +@@ -0,0 +1,33 @@ ++--- a/src/common/wpa_ctrl.c +++++ b/src/common/wpa_ctrl.c ++@@ -135,7 +135,7 @@ try_again: ++ return NULL; ++ } ++ tries++; ++-#ifdef ANDROID +++ ++ /* Set client socket file permissions so that bind() creates the client ++ * socket with these permissions and there is no need to try to change ++ * them with chmod() after bind() which would have potential issues with ++@@ -147,7 +147,7 @@ try_again: ++ * operations to allow the response to go through. Those are using the ++ * no-deference-symlinks version to avoid races. */ ++ fchmod(ctrl->s, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); ++-#endif /* ANDROID */ +++ ++ if (bind(ctrl->s, (struct sockaddr *) &ctrl->local, ++ sizeof(ctrl->local)) < 0) { ++ if (errno == EADDRINUSE && tries < 2) { ++@@ -165,7 +165,11 @@ try_again: ++ return NULL; ++ } ++ ++-#ifdef ANDROID +++#ifndef ANDROID +++ /* Set group even if we do not have privileges to change owner */ +++ lchown(ctrl->local.sun_path, -1, 101); +++ lchown(ctrl->local.sun_path, 101, 101); +++#else ++ /* Set group even if we do not have privileges to change owner */ ++ lchown(ctrl->local.sun_path, -1, AID_WIFI); ++ lchown(ctrl->local.sun_path, AID_SYSTEM, AID_WIFI); +-- +2.25.1 +