From 1501e380bbcb2453cc1ea5af063daba832acc236 Mon Sep 17 00:00:00 2001
From: dkwo
Date: Mon, 24 Feb 2025 10:27:21 -0500
Subject: [PATCH 1/2] wpa_supplicant: run as unprivileged
---
 srcpkgs/wpa_supplicant/INSTALL | 7 ++++
 srcpkgs/wpa_supplicant/INSTALL.msg | 7 ++++
 .../wpa_supplicant/files/wpa_supplicant.conf | 2 +-
 .../wpa_supplicant/files/wpa_supplicant/run | 13 ++++---
 .../patches/unprivileged-daemon.patch | 36 +++++++++++++++++++
 srcpkgs/wpa_supplicant/template | 3 +-
 6 files changed, 61 insertions(+), 7 deletions(-)
 create mode 100644 srcpkgs/wpa_supplicant/INSTALL
 create mode 100644 srcpkgs/wpa_supplicant/INSTALL.msg
 create mode 100644 srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch
diff --git a/srcpkgs/wpa_supplicant/INSTALL b/srcpkgs/wpa_supplicant/INSTALL
new file mode 100644
index 00000000000000..a87791656dc05d
--- /dev/null
+++ b/srcpkgs/wpa_supplicant/INSTALL
@@ -0,0 +1,7 @@
+# INSTALL
+case "$ACTION" in
+post)
+ chown -R root:_wpas /etc/wpa_supplicant/*
+ chmod 640 /etc/wpa_supplicant/*
+ ;;
+esac
diff --git a/srcpkgs/wpa_supplicant/INSTALL.msg b/srcpkgs/wpa_supplicant/INSTALL.msg
new file mode 100644
index 00000000000000..1d259cbeca4cb9
--- /dev/null
+++ b/srcpkgs/wpa_supplicant/INSTALL.msg
@@ -0,0 +1,7 @@
+The runit service now uses Linux capabilities to run as non-root.
+If you edited `wpa_supplicant.conf` files, you must set
+ `control_interface_group=_wpas`
+there, so that the unprivileged daemon can function properly.
+You must also
+ `chown -R _wpas:_wpas /run/wpa_supplicant`
+before restarting the service with a mounted /run.
diff --git a/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf b/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
index 601415320354cb..3d213b67b8b507 100644
--- a/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
+++ b/srcpkgs/wpa_supplicant/files/wpa_supplicant.conf
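Review bot: In `srcpkgs/wpa_supplicant/INSTALL`, `chmod 640 /etc/wpa_supplicant/*` is applied to every glob match, so any subdirectory there loses its search bit and becomes untraversable for `_wpas`, while the `chown -R` on the line above does recurse into it. Restricting the mode change to regular files, for example `find /etc/wpa_supplicant -type f -exec chmod 640 {} +`, avoids that and also reaches nested files and dotfiles the glob misses. Because the block runs on every `post` action, it presumably also overwrites a tighter mode an administrator set by hand; a one-line comment stating that this is intended would help.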
@@ -1,7 +1,7 @@ # Default configuration file for wpa_supplicant.conf(5). ctrl_interface=/run/wpa_supplicant -ctrl_interface_group=wheel +ctrl_interface_group=_wpas eapol_version=1 ap_scan=1 fast_reauth=1 diff --git a/srcpkgs/wpa_supplicant/files/wpa_supplicant/run b/srcpkgs/wpa_supplicant/files/wpa_supplicant/run index 0bb6ff43caf912..a698d5013ecc90 100644 --- a/srcpkgs/wpa_supplicant/files/wpa_supplicant/run +++ b/srcpkgs/wpa_supplicant/files/wpa_supplicant/run @@ -7,10 +7,13 @@ else OPTS="${AUTO}" fi -# revert automigrate -chown -R root:root /etc/wpa_supplicant -! [ -d /run/wpa_supplicant ] && install -m 700 -g root -o root -d /run/wpa_supplicant -chown -R root:root /run/wpa_supplicant +! [ -d /run/wpa_supplicant ] && install -m 0750 -g _wpas -o _wpas -d /run/wpa_supplicant + +_caps=-all,+net_admin,+net_raw exec 2>&1 -exec wpa_supplicant ${OPTS} +exec setpriv --reuid _wpas --regid _wpas --clear-groups \ + --ambient-caps $_caps \ + --inh-caps $_caps \ + --bounding-set $_caps \ + --no-new-privs -- wpa_supplicant ${OPTS} diff --git a/srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch b/srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch new file mode 100644 index 00000000000000..5556d8c611d37d --- /dev/null +++ b/srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch 
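Review bot: With `ctrl_interface_group=_wpas`, the group that admits a user to the control socket is the same group that the INSTALL script makes the reader of `/etc/wpa_supplicant/*` (`root:_wpas`, mode 640), so anyone added to `_wpas` in order to use `wpa_cli` can also read those configuration files, which typically hold network passphrases. If sharing one group is intended, INSTALL.msg should state that membership in `_wpas` grants both. Note also that the key changed here is `ctrl_interface_group`, whereas the INSTALL.msg added in this patch tells users to set `control_interface_group=_wpas`.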
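Review bot: The `! [ -d /run/wpa_supplicant ] &&` guard in `files/wpa_supplicant/run` skips the `install` when the directory already exists, so a directory left behind by the previous root-owned service keeps its old owner and mode, and the daemon started under `setpriv --reuid _wpas` is then likely unable to create its socket there; INSTALL.msg pushes that repair onto the user. Running the command unconditionally, `install -d -m 0750 -o _wpas -g _wpas /run/wpa_supplicant`, should reset owner and mode of an existing directory as well (worth confirming with the `install` in the base system), though stale sockets inside it would still need the documented `chown -R`. A short comment above `_caps` saying why `net_admin` and `net_raw` are the only capabilities kept would also help later reviewers. The script starts before the hunk, so how `OPTS` is built is not visible here.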
@@ -0,0 +1,36 @@ +Author: rnhmjoj +Date: Mon Feb 2 08:24:24 2026 +0100 + + 1. Ensure appropriate group ownership and permissions on the client sockets. + Motivation: clients communicate with the daemon by creating "client" + sockets; by default this is owned by the user running the client, + so it may be inaccessible by the daemon. + +diff --git a/src/common/wpa_ctrl.c b/src/common/wpa_ctrl.c +index 7e197f094..6bfb09111 100644 +--- a/src/common/wpa_ctrl.c ++++ b/src/common/wpa_ctrl.c +@@ -15,6 +15,8 @@ + #include + #include + #include ++#include ++#include + #include + #endif /* CONFIG_CTRL_IFACE_UNIX */ + #ifdef CONFIG_CTRL_IFACE_UDP_REMOTE +@@ -165,6 +167,14 @@ try_again: + return NULL; + } + ++ /* Set the client socket owner group to "_wpas" ++ * and ensure group and user permissions are the same */ ++ struct group *grp = getgrnam("_wpas"); ++ if (grp != NULL) { ++ lchown(ctrl->local.sun_path, -1, grp->gr_gid); ++ chmod(ctrl->local.sun_path, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP); ++ } ++ + #ifdef ANDROID + /* Set group even if we do not have privileges to change owner */ + lchown(ctrl->local.sun_path, -1, AID_WIFI); diff --git a/srcpkgs/wpa_supplicant/template b/srcpkgs/wpa_supplicant/template index cc6c8ab38bf4f4..1a02306da4af53 100644 --- a/srcpkgs/wpa_supplicant/template +++ b/srcpkgs/wpa_supplicant/template @@ -1,7 +1,7 @@ # Template file for 'wpa_supplicant' pkgname=wpa_supplicant version=2.11 -revision=3 +revision=4 build_wrksrc="${pkgname}" build_style=gnu-makefile make_build_args="V=1 BINDIR=/usr/bin" @@ -20,6 +20,7 @@ make_check=no # has no test suite build_options="dbus readline" build_options_default="dbus readline" conf_files="/etc/${pkgname}/${pkgname}.conf" +system_accounts="_wpas" pre_build() { cp -f ${FILESDIR}/config .config From b20ccbc69c5693d3b730d7559b9ef7013191d613 Mon Sep 17 00:00:00 2001 
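Review bot: In the `wpa_ctrl.c` hunk carried by `unprivileged-daemon.patch`, the `chmod()` to `S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP` runs whenever `getgrnam("_wpas")` succeeds, even when the preceding `lchown()` failed, which is expected for a caller that is not a member of `_wpas`; the client socket then ends up group-writable for the caller's own group instead. Both return values are ignored, so the failure is silent. Making the mode change conditional, `if (grp != NULL && lchown(ctrl->local.sun_path, -1, grp->gr_gid) == 0)`, and logging the failure otherwise would keep the permissions no wider than before. The group name is hard-coded rather than taken from a build option, and the enclosing function begins and ends outside the hunk.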
From: dkwo
Date: Tue, 24 Mar 2026 10:48:27 +0800
Subject: [PATCH 2/2] wpa_supplicant: drop patch
---
 srcpkgs/wpa_supplicant/INSTALL.msg | 3 ++
 .../patches/unprivileged-daemon.patch | 36 -------------------
 2 files changed, 3 insertions(+), 36 deletions(-)
 delete mode 100644 srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch
diff --git a/srcpkgs/wpa_supplicant/INSTALL.msg b/srcpkgs/wpa_supplicant/INSTALL.msg
index 1d259cbeca4cb9..7ddac2a712b249 100644
--- a/srcpkgs/wpa_supplicant/INSTALL.msg
+++ b/srcpkgs/wpa_supplicant/INSTALL.msg
@@ -5,3 +5,6 @@ there, so that the unprivileged daemon can function properly.
 You must also
 `chown -R _wpas:_wpas /run/wpa_supplicant`
 before restarting the service with a mounted /run.
+Finally, note that due to a bug in wpa_cli, you must run it as
+ `(umask 0 && wpa_cli)`
+for the supplicant to be able to communicate with it.
diff --git a/srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch b/srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch
deleted file mode 100644
index 5556d8c611d37d..00000000000000
--- a/srcpkgs/wpa_supplicant/patches/unprivileged-daemon.patch
+++ /dev/null
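Review bot: The text added to INSTALL.msg tells users to run `(umask 0 && wpa_cli)`, which leaves the client socket, and any other file wpa_cli creates during that session, accessible to every local user rather than only to the daemon. The message should state that consequence and make clear that the mask is meant for this single invocation, not for a login shell or a service environment. With the group-ownership patch removed in the same commit, nothing else visible here narrows access to that socket.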
@@ -1,36 +0,0 @@
-Author: rnhmjoj
-Date: Mon Feb 2 08:24:24 2026 +0100
-
- 1. Ensure appropriate group ownership and permissions on the client sockets.
- Motivation: clients communicate with the daemon by creating "client"
- sockets; by default this is owned by the user running the client,
- so it may be inaccessible by the daemon.
-
-diff --git a/src/common/wpa_ctrl.c b/src/common/wpa_ctrl.c
-index 7e197f094..6bfb09111 100644
---- a/src/common/wpa_ctrl.c
-+++ b/src/common/wpa_ctrl.c
-@@ -15,6 +15,8 @@
- #include
- #include
- #include
-+#include
-+#include
- #include
- #endif /* CONFIG_CTRL_IFACE_UNIX */
- #ifdef CONFIG_CTRL_IFACE_UDP_REMOTE
-@@ -165,6 +167,14 @@ try_again:
- return NULL;
- }
-
-+ /* Set the client socket owner group to "_wpas"
-+ * and ensure group and user permissions are the same */
-+ struct group *grp = getgrnam("_wpas");
-+ if (grp != NULL) {
-+ lchown(ctrl->local.sun_path, -1, grp->gr_gid);
-+ chmod(ctrl->local.sun_path, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP);
-+ }
-+
- #ifdef ANDROID
- /* Set group even if we do not have privileges to change owner */
- lchown(ctrl->local.sun_path, -1, AID_WIFI);