hostapd: backport ujail/hostapd fix

This is currently breaking interactive cli support. Fixes: WIFI-5814 Signed-off-by: John Crispin <john@phrozen.org>
2025-10-29 09:32:34 +00:00 · 2021-11-24 10:17:33 +01:00
parent 670f9fee14
commit 7b0ef7f265
1 changed files with 91 additions and 0 deletions
--- a/patches/0052-hostapd-allow-hostapd-under-ujail-to-communicate-wit.patch
+++ b/patches/0052-hostapd-allow-hostapd-under-ujail-to-communicate-wit.patch
@@ -0,0 +1,91 @@
+From bbd31470429134c23f593a49c02d5413dcba352f Mon Sep 17 00:00:00 2001
+From: Mark Mentovai <mark@moxienet.com>
+Date: Tue, 23 Nov 2021 12:28:55 -0500
+Subject: [PATCH] hostapd: allow hostapd under ujail to communicate with
+ hostapd_cli
+
+When procd-ujail is available, 1f785383875a runs hostapd as user
+"network", with only limited additional capabilities (CAP_NET_ADMIN and
+CAP_NET_RAW).
+
+hostapd_cli (CONFIG_PACKAGE_hostapd-utils) communicates with hostapd
+over a named UNIX-domain socket. hostapd_cli is responsible for creating
+this socket at /tmp/wpa_ctrl_$pid_$counter. Since it typically runs as
+root, this endpoint is normally created with uid root, gid root, mode
+0755. As a result, hostapd running as uid network is able to receive
+control messages sent through this interface, but is not able to respond
+to them. If debug-level logging is enabled (CONFIG_WPA_MSG_MIN_PRIORITY
+<= 2 at build, and log_level <= 2 in /etc/config/wireless wifi-device),
+this message will appear from hostapd:
+
+CTRL: sendto failed: Permission denied
+
+As a fix, hostapd_cli should create the socket node in the filesystem
+with uid network, gid network, mode 0770. This borrows the presently
+Android-only strategy already in hostapd intended to solve the same
+problem on Android.
+
+If procd-ujail is not available and hostapd falls back to running as
+root, it will still be able to read from and write to the socket even if
+the node in the filesystem has been restricted to the network user and
+group. This matches the logic in
+package/network/services/hostapd/files/wpad.init, which sets the uid and
+gid of /var/run/hostapd to network regardless of whether procd-ujail is
+available.
+
+As it appears that the "network" user and group are statically allocated
+uid 101 and gid 101, respectively, per
+package/base-files/files/etc/passwd and USERID in
+package/network/services/hostapd/Makefile, this patch also uses a
+constant 101 for the uid and gid.
+
+Signed-off-by: Mark Mentovai <mark@moxienet.com>
+[refreshed patch]
+Signed-off-by: Daniel Golle <daniel@makrotopia.org>
+---
+ .../610-hostapd_cli_ujail_permission.patch    | 33 +++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+ create mode 100644 package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch
+
+diff --git a/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch b/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch
+new file mode 100644
+index 0000000000..a03fcc9f92
+--- /dev/null
+++ b/package/network/services/hostapd/patches/610-hostapd_cli_ujail_permission.patch
+@@ -0,0 +1,33 @@
+--- a/src/common/wpa_ctrl.c
++++ b/src/common/wpa_ctrl.c
+@@ -135,7 +135,7 @@ try_again:
+ 		return NULL;
+ 	}
+ 	tries++;
+-#ifdef ANDROID
++
+ 	/* Set client socket file permissions so that bind() creates the client
+ 	 * socket with these permissions and there is no need to try to change
+ 	 * them with chmod() after bind() which would have potential issues with
+@@ -147,7 +147,7 @@ try_again:
+ 	 * operations to allow the response to go through. Those are using the
+ 	 * no-deference-symlinks version to avoid races. */
+ 	fchmod(ctrl->s, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
+-#endif /* ANDROID */
++
+ 	if (bind(ctrl->s, (struct sockaddr *) &ctrl->local,
+ 		    sizeof(ctrl->local)) < 0) {
+ 		if (errno == EADDRINUSE && tries < 2) {
+@@ -165,7 +165,11 @@ try_again:
+ 		return NULL;
+ 	}
+ 
+-#ifdef ANDROID
++#ifndef ANDROID
++	/* Set group even if we do not have privileges to change owner */
++	lchown(ctrl->local.sun_path, -1, 101);
++	lchown(ctrl->local.sun_path, 101, 101);
++#else
+ 	/* Set group even if we do not have privileges to change owner */
+ 	lchown(ctrl->local.sun_path, -1, AID_WIFI);
+ 	lchown(ctrl->local.sun_path, AID_SYSTEM, AID_WIFI);
+-- 
+2.25.1
+