mirror of
https://github.com/Telecominfraproject/wlan-ap.git
synced 2025-10-29 09:32:34 +00:00
hostapd: backport ujail/hostapd fix
This is currently breaking interactive cli support.

Fixes: WIFI-5814
Signed-off-by: John Crispin <john@phrozen.org>
@@ -0,0 +1,91 @@
From bbd31470429134c23f593a49c02d5413dcba352f Mon Sep 17 00:00:00 2001
From: Mark Mentovai <mark@moxienet.com>
Date: Tue, 23 Nov 2021 12:28:55 -0500
Subject: [PATCH] hostapd: allow hostapd under ujail to communicate with
hostapd_cli
When procd-ujail is available, 1f785383875a runs hostapd as user
"network", with only limited additional capabilities (CAP_NET_ADMIN and
CAP_NET_RAW).
hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd
over a named UNIX-domain socket. hostapd_cli is responsible for creating
this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as
root, this endpoint is normally created with uid root, gid root, mode
0755. As a result, hostapd running as uid network is able to receive
control messages sent through this interface, but is not able to respond
to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY
<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device),
this message will appear from hostapd:
CTRL: sendto failed: Permission denied
As a fix, hostapd_cli should create the socket node in the filesystem
with uid network, gid network, mode 0770. This borrows the presently
Android-only strategy already in hostapd intended to solve the same
problem on Android.
If procd-ujail is not available and hostapd falls back to running as
root, it will still be able to read from and write to the socket even if
the node in the filesystem has been restricted to the network user and
group. This matches the logic in
package/network/services/hostapd/files/wpad.init, which sets the uid and
gid of /var/run/hostapd to network regardless of whether procd-ujail is
available.
As it appears that the "network" user and group are statically allocated
uid 101 and gid 101, respectively, per
package/base-files/files/etc/passwd and USERID in
package/network/services/hostapd/Makefile, this patch also uses a
constant 101 for the uid and gid.
Signed-off-by: Mark Mentovai <mark@moxienet.com>
[refreshed patch]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
---
.../610-hostapd_cli_ujail_permission.patch | 33 +++++++++++++++++++
1 file changed, 33 insertions(+)
create mode 100644 package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch
diff --git a/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch b/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch
new file mode 100644
index 0000000000..a03fcc9f92
--- /dev/null
+++ b/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch
@@ -0,0 +1,33 @@
+--- a/src/common/wpa_ctrl.c
++++ b/src/common/wpa_ctrl.c
+@@ -135,7 +135,7 @@ try_again:
+ return NULL;
+ }
+ tries++;
+-#ifdef ANDROID
++
+ /* Set client socket file permissions so that bind() creates the client
+ * socket with these permissions and there is no need to try to change
+ * them with chmod() after bind() which would have potential issues with
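Review bot: The `-#ifdef ANDROID` line is replaced by an empty `++` line instead of being deleted outright (the matching `#endif /* ANDROID */` in the next hunk gets the same treatment), which leaves stray blank lines around the fchmod block; dropping the lines keeps the block tidy. With the guard gone the block runs on every non-Android build, so the comment that follows could state that outside Android the intended peer is the OpenWrt `network` user and group, rather than leaving the reader to infer it from the commit message.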
+@@ -147,7 +147,7 @@ try_again:
+ * operations to allow the response to go through. Those are using the
+ * no-deference-symlinks version to avoid races. */
+ fchmod(ctrl->s, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+-#endif /* ANDROID */
++
+ if (bind(ctrl->s, (struct sockaddr *) &ctrl->local,
+ sizeof(ctrl->local)) < 0) {
+ if (errno == EADDRINUSE && tries < 2) {
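Review bot: `fchmod(ctrl->s, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP)` yields mode 0660, but the commit message says the socket node is created with mode 0770; one of the two should be corrected so they agree, and 0660 is the one to keep, since execute bits carry no meaning on a socket node and connecting or sending only needs write access. The fchmod return value is also discarded, as in the Android original; a debug-level log on failure here would give a clearer symptom on the hostapd_cli side than the later `CTRL: sendto failed: Permission denied` in hostapd.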
+@@ -165,7 +165,11 @@ try_again:
+ return NULL;
+ }
+
+-#ifdef ANDROID
++#ifndef ANDROID
++ /* Set group even if we do not have privileges to change owner */
++ lchown(ctrl->local.sun_path, -1, 101);
++ lchown(ctrl->local.sun_path, 101, 101);
++#else
+ /* Set group even if we do not have privileges to change owner */
+ lchown(ctrl->local.sun_path, -1, AID_WIFI);
+ lchown(ctrl->local.sun_path, AID_SYSTEM, AID_WIFI);
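Review bot: `101` is a bare magic number in both new `lchown(ctrl->local.sun_path, ...)` calls; the commit message ties it to the static "network" entry in package/base-files/files/etc/passwd and to USERID in package/network/services/hostapd/Makefile, so having the Makefile pass the value in as a preprocessor define (a hypothetical `HOSTAPD_CLI_GID`, for instance) would keep the code from drifting silently if that allocation ever changes, and at minimum a comment should name the user the number stands for. Both lchown results are ignored, matching the Android branch; when hostapd_cli runs as a user that is neither root nor a member of gid 101, both calls fail quietly and the only visible symptom is the debug-only `CTRL: sendto failed: Permission denied` in hostapd, so a debug message on failure would shorten that diagnosis.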
--
2.25.1