| # Copyright 2020 The Chromium OS Authors. All rights reserved. |
| # Use of this source code is governed by a BSD-style license that can be |
| # found in the LICENSE file. |
| |
| description "WPA Supplicant daemon" |
| author "chromium-os-dev@chromium.org" |
| |
| # Default log level for wpa_supplicant. |
| env WPA_DEBUG= |
| |
| # OpenSSL compatibility settings. |
| # TODO(crbug.com/1047146): Drop these stop-gaps after addressing the underlying |
| # problems described in the bug. |
| env OPENSSL_CONF=/etc/ssl/openssl.cnf.compat |
| env OPENSSL_CHROMIUM_SKIP_TRUSTED_PURPOSE_CHECK=1 |
| env OPENSSL_CHROMIUM_GENERATE_METRICS=1 |
| env seccomp_flags='--seccomp-bpf-binary /usr/share/policy/wpa_supplicant.bpf' |
| # Use a canary flag, such that we only enable seccomp once per boot. If it |
| # crashes for some reason (possibly incomplete seccomp filter?), next time |
| # we'll start it without seccomp. |
| # TODO(b/177454191): remove this once stabilized. |
| env seccomp_disable='/run/wpa_supplicant/tried-seccomp' |
| |
| # https://crbug.com/783125: "started boot-services" is relatively early in the |
| # boot process. This is necessary for getting online quickly, a metric which we |
| # optimize for alongside "time to login screen," because networking is a |
| # critical service. |
| start on started boot-services |
| stop on stopping boot-services |
| respawn |
| |
| # make sure the control interface dir exists and has the right owner |
| pre-start script |
| mkdir -p -m 0750 /run/wpa_supplicant |
| chown wpa:wpa /run/wpa_supplicant |
| end script |
| |
| # minijail0 will jail the wpa_supplicant instance it forks off. |
| expect fork |
| |
| # use minijail (drop root, keep CAP_NET_ADMIN|CAP_NET_RAW, set NoNewPrivs) |
| # enable dbus, syslog msgs, wpa_cli over unix domain socket |
| script |
| ARGS="" |
| case ${WPA_DEBUG} in |
| excessive) ARGS='-ddd';; |
| msgdump) ARGS='-dd';; |
| debug) ARGS='-d';; |
| info) ARGS='';; |
| warning) ARGS='-q';; |
| error) ARGS='-qq';; |
| esac |
| if [ -e "${seccomp_disable}" ]; then |
| seccomp_flags='' |
| else |
| echo 1 > "${seccomp_disable}" |
| fi |
| exec minijail0 -u wpa -g wpa -c 3000 -n -i ${seccomp_flags} -- \ |
| /usr/sbin/wpa_supplicant -u -s ${ARGS} -O/run/wpa_supplicant |
| end script |