mirror of
https://git.kernel.org/pub/scm/network/wireless/iwd.git
synced 2025-02-07 04:04:10 +01:00
The iNet Wireless Daemon (iwd) project aims to provide a comprehensive Wi-Fi connectivity solution for Linux based devices. The core goal of the project is to optimize resource utilization: storage, runtime memory and link-time costs.
https://iwd.wiki.kernel.org/
This commit hardens the iwd.service.in template file for systemd services.
The following is a short explanation for each added directive:

+PrivateTmp=true

    If true, sets up a new file system namespace for the executed processes
    and mounts private /tmp and /var/tmp directories inside it that are not
    shared by processes outside of the namespace.

+NoNewPrivileges=true

    If true, ensures that the service process and all its children can never
    gain new privileges through execve() (e.g. via setuid or setgid bits, or
    filesystem capabilities).

+PrivateDevices=true

    If true, sets up a new /dev mount for the executed processes and only adds
    API pseudo devices such as /dev/null, /dev/zero or /dev/random (as well as
    the pseudo TTY subsystem) to it, but no physical devices such as /dev/sda,
    system memory /dev/mem, system ports /dev/port and others.

+ProtectHome=yes

    If true, the directories /home, /root and /run/user are made inaccessible
    and empty for processes invoked by this unit.

+ProtectSystem=strict

    If set to "strict" the entire file system hierarchy is mounted read-only,
    except for the API file system subtrees /dev, /proc and /sys (protect
    these directories using PrivateDevices=, ProtectKernelTunables=,
    ProtectControlGroups=).

+ReadWritePaths=/var/lib/iwd/

    Sets up a new file system namespace for executed processes. These options
    may be used to limit access a process might have to the file system
    hierarchy. Each setting takes a space-separated list of paths relative to
    the host's root directory (i.e. the system running the service manager).
    Note that if paths contain symlinks, they are resolved relative to the
    root directory set with RootDirectory=/RootImage=. Paths listed in
    ReadWritePaths= are accessible from within the namespace with the same
    access modes as from outside of it.

+ProtectControlGroups=yes

    If true, the Linux Control Groups (cgroups(7)) hierarchies accessible
    through /sys/fs/cgroup will be made read-only to all processes of the
    unit.

+ProtectKernelModules=yes

    If true, explicit module loading will be denied. This allows module load
    and unload operations to be turned off on modular kernels.

For further explanation of all directives see `man systemd.directives`
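As an added example (not code from the iwd project or from this commit), the following Python script audits a unit file for the directives the commit message lists and flags the one runtime trap in that set: ProtectSystem=strict with no ReadWritePaths= for the daemon's state directory. The two sample unit texts are constructed for the demonstration and are not the real iwd.service.in; the parser covers only the subset of unit-file syntax it needs (no line continuations, no drop-in directories).

```python
import sys

# Directives the commit message above adds to the [Service] section, with the
# value it describes for each.
EXPECTED = {
    "PrivateTmp": "true",
    "NoNewPrivileges": "true",
    "PrivateDevices": "true",
    "ProtectHome": "yes",
    "ProtectSystem": "strict",
    "ProtectControlGroups": "yes",
    "ProtectKernelModules": "yes",
}

# systemd accepts 1/yes/true/on for boolean settings, so "yes" and "true" agree.
TRUE_VALUES = {"1", "yes", "true", "on"}


def parse_unit(text):
    """Parse unit-file text into {section: {key: [values]}}.

    Keys may repeat (e.g. several ReadWritePaths= lines), so each key maps to
    a list; an empty assignment (Key=) resets that list, as systemd does.
    Line continuations and drop-in directories are not handled here.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        values = sections[current].setdefault(key, [])
        if value == "":
            values.clear()
        else:
            values.append(value)
    return sections


def normalise(value):
    """Map the spellings systemd treats as 'true' onto one token."""
    value = value.lower()
    return "true" if value in TRUE_VALUES else value


def audit_service(text):
    """Return findings for a unit; an empty list means every directive from
    the commit message is present with the described value."""
    service = parse_unit(text).get("Service", {})
    findings = []
    for key, want in EXPECTED.items():
        got = service.get(key)
        if not got:
            findings.append(f"missing {key}={want}")
        elif normalise(got[-1]) != normalise(want):  # last assignment wins
            findings.append(f"{key}={got[-1]} (expected {want})")
    # ProtectSystem=strict mounts the whole hierarchy read-only; a daemon that
    # persists state needs ReadWritePaths= for its state directory, otherwise
    # the failure shows up at runtime rather than at unit load.
    protect_system = (service.get("ProtectSystem") or [""])[-1]
    if normalise(protect_system) == "strict" and not service.get("ReadWritePaths"):
        findings.append("ProtectSystem=strict without ReadWritePaths= (state directory would be read-only)")
    return findings


# Constructed sample units for the demonstration; neither is the real
# iwd.service.in.
HARDENED_UNIT = """\
[Unit]
Description=Wireless service

[Service]
ExecStart=/usr/libexec/iwd
PrivateTmp=true
NoNewPrivileges=true
PrivateDevices=true
ProtectHome=yes
ProtectSystem=strict
ReadWritePaths=/var/lib/iwd/
ProtectControlGroups=yes
ProtectKernelModules=yes
"""

WEAK_UNIT = """\
[Unit]
Description=Wireless service

[Service]
ExecStart=/usr/libexec/iwd
ProtectHome=no
ProtectSystem=strict
"""

if __name__ == "__main__":
    # Audit a unit file given on the command line, or the constructed samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            units = {sys.argv[1]: fh.read()}
    else:
        units = {"hardened sample": HARDENED_UNIT, "weak sample": WEAK_UNIT}
    for name, text in units.items():
        print(f"{name}: {audit_service(text) or ['ok']}")
```

On a live system, `systemd-analyze security iwd.service` gives systemd's own per-directive exposure score and covers many more settings than this checklist; the script is only useful for reviewing a template before it is installed.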
Top-level tree of the repository:

Directories: autotests, client, doc, linux, monitor, plugins, src, test, tools, unit, wired
Files: .gitignore, acinclude.m4, AUTHORS, bootstrap, bootstrap-configure, ChangeLog, configure.ac, COPYING, HACKING, INSTALL, Makefile.am, README, TODO
Wireless daemon for Linux
*************************

Copyright (C) 2013-2018  Intel Corporation. All rights reserved.


Compilation and installation
============================

In order to compile the source code you need the following software packages:
        - GCC compiler
        - GNU C library
        - Embedded Linux library
        - readline (command line client)

To configure run:
        ./configure --prefix=/usr

Configure automatically searches for all required components and packages.

To compile and install run:
        make && make install


Embedded Linux library
======================

In order to compile the daemon and control utility the development version
of Embedded Linux library is required to be present. The development
repositories can be found here:

        git://git.kernel.org/pub/scm/libs/ell/ell.git
        https://kernel.googlesource.com/pub/scm/libs/ell/ell.git

The build system requires that the Embedded Linux library source code is
available in the same top-level directory as the Wireless daemon source code:

        .
        |--- ell
        |    |--- ell
        |    `--- unit
        `--- iwd
             |--- src
             `--- client

It is not required to build or install Embedded Linux library. The build
will happen when building the Wireless daemon and it will then be linked
internally.

When using the --enable-external-ell build option, it is not required that
the Embedded Linux library source code is available in the top-level
directory.


Configuration and options
=========================

The configuration system provides switches to disable certain build time
configuration options which are generally useful and enabled by default:

        --disable-daemon

                Disable installation of Wireless daemon

                By default the Wireless daemon binary iwd is enabled and
                placed into the --libexecdir directory.

        --disable-client

                Disable installation of Wireless client utility

                By default the Wireless client binary iwctl is enabled and
                placed into the --bindir directory.

        --disable-monitor

                Disable installation of Wireless monitor utility

                By default the Wireless monitor binary iwmon is enabled and
                placed into the --bindir directory.

        --disable-dbus-policy

                Disable installation of D-Bus system policy configuration

                By default the accompanying D-Bus policy file will be
                installed in the D-Bus data directory. The location of that
                directory will be automatically detected or can be manually
                configured via the --with-dbus-datadir option.

                The D-Bus policy is required for daemons to gain service name
                ownership and clients to access them. When disabling this
                option, manual installation of D-Bus policies is required.

                Note: This option affects all D-Bus policy configurations.

        --disable-systemd-service

                Disable installation of systemd service configuration

                By default the accompanying systemd service unit with D-Bus
                autostart configuration will be installed. The locations will
                be automatically detected or can be manually configured via
                the --with-dbus-busdir option and the --with-systemd-unitdir
                option.

                Using systemd is optional, but highly recommended. When
                disabling this option, manual installation is required.

                Note: This option affects all systemd unit setups.

When building for a system that wants to use wireless technology, disabling
any of the above options makes only limited sense. It may break the general
setup and usability for wireless connections.

The configuration system provides switches for optional build time features
that can be enabled if the functionality is required:

        --enable-external-ell

                Enable usage of external Embedded Linux library

                This allows using an externally installed Embedded Linux
                library instead of using the internal copy of ELL.

                Since the public API of Embedded Linux library is not yet
                stable, the usage of the internal ELL copy is preferred.
        --enable-sim-hardcoded

                Enable support for hard coded SIM keys

                Note: With --disable-daemon this option is ignored

        --enable-ofono

                Enable support for oFono SIM authentication

                Note: With --disable-daemon this option is ignored

        --enable-wired

                Enable installation of Ethernet authentication daemon

                This allows enabling the Ethernet daemon binary ead which is
                then placed into the --libexecdir directory. With this option
                the support for 802.1x for wired Ethernet connections can be
                enabled.

                It provides its own D-Bus policy and systemd configuration.

        --enable-hwsim

                Enable installation of Wireless simulation utility

                This allows enabling the Simulation daemon binary hwsim which
                is then placed into the --bindir directory. With this utility
                and the mac80211_hwsim kernel module the simulation of 802.11
                networks can be tested.

                It provides its own D-Bus policy configuration.

                This utility is only useful for developers and should not be
                considered for general installation. For this reason no
                systemd configuration is provided.

        --enable-tools

                Enable compilation of various testing utilities

                This enables building of all utilities that are however not
                installed and only useful during development.

        --enable-docs

                Enable generation of documentation and manual pages

                Note: This option does not provide any value right now


Netlink monitoring
==================

The included iwmon utility can be used to monitor the 802.11 subsystem
generic netlink commands and events. It uses the nlmon kernel driver from
Linux 3.10 and later. On startup a network monitor interface named 'nlmon'
is created unless another interface name is given on the command line. If
the monitor interface was created by the iwmon utility, it will be removed
on program exit.

Manually the monitor interface can be created using the following commands:

        ip link add name nlmon type nlmon
        ip link set dev nlmon allmulticast on
        ip link set dev nlmon up

It is possible to create netlink traces in PCAP format using tcpdump and
then read them via the iwmon utility:

        tcpdump -i nlmon -w trace-file.pcap

The resulting PCAP files will use the Linux cooked packet format containing
packets with ARPHRD_NETLINK type. They can be read using iwmon:

        iwmon -r trace-file.pcap

At this time iwmon is not able to write PCAP files by itself. This might
change in future versions.

When the authentication protocol traffic (EtherType 0x888e, ETH_P_PAE) is
also needed, then a second capture is required:

        tcpdump -i any 'ether proto 0x888e' -w trace-pae.pcap

It is possible to combine these two PCAP files using the mergecap utility
and create a combined trace file:

        mergecap -F pcap -w trace.pcap trace-file.pcap trace-pae.pcap

This will create a trace.pcap file that includes the complete picture of
nl80211 netlink traffic and authentication messages. All packets are merged
in chronological order based on timestamps.

Unfortunately it is not possible to instruct tcpdump filtering to do this
in a single capture. Post-processing of the PCAP files is required at the
moment.


Simulating devices
==================

The Linux driver mac80211_hwsim provides the functionality to simulate
Wireless devices using fake virtual air. Just load the module:

        modprobe mac80211_hwsim radios=0

Providing radios=0 is important since otherwise it starts out with two new
Wireless radios by default.

With the provided hwsim utility it is now possible to add and remove virtual
radio devices:

        hwsim --create --keep
        hwsim --destroy=<radio-id>

The radio id assigned to each virtual device is the internal id used by the
Wireless device.


Information
===========

Mailing list:
        https://lists.01.org/mailman/listinfo/iwd

IRC:
        irc://irc.freenode.net/#iwd

Wiki:
        https://iwd.wiki.kernel.org/
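As an added example for the "Netlink monitoring" section (not part of the iwd README and not iwmon's own parser), the following Python script checks a trace before it is handed to `iwmon -r` or after a `mergecap` run: it reads a classic pcap file, verifies the Linux cooked link type the README says both captures use, counts nlmon frames (SLL hatype ARPHRD_NETLINK) against EAPOL frames (EtherType 0x888e) and confirms that the merged file is in timestamp order. The sample trace is constructed inside the script; the numeric constants are from the pcap format and the Linux uapi headers.

```python
import struct

PCAP_MAGIC_US = 0xA1B2C3D4        # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D        # classic pcap, nanosecond timestamps
LINKTYPE_LINUX_SLL = 113          # "Linux cooked" encapsulation (tcpdump -i any, nlmon)
ARPHRD_NETLINK = 824              # sll hatype of frames captured on an nlmon interface
ARPHRD_ETHER = 1
ETH_P_PAE = 0x888E                # EAPOL / 802.1X authentication frames


def parse_pcap(data):
    """Return (linktype, [(timestamp_seconds, packet_bytes), ...]).

    Handles both byte orders and both timestamp resolutions of the classic
    pcap format (pcapng is not supported).
    """
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("not a classic pcap file")
    divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    # Remaining global header: version_major, version_minor, thiszone,
    # sigfigs, snaplen, linktype.
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    records = []
    offset = 24
    while offset + 16 <= len(data):
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        pkt = data[offset:offset + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet record")
        offset += incl_len
        records.append((sec + frac / divisor, pkt))
    return linktype, records


def summarise(data):
    """Classify each cooked frame and check that timestamps never go
    backwards, which is what a correct mergecap run should produce."""
    linktype, records = parse_pcap(data)
    if linktype != LINKTYPE_LINUX_SLL:
        raise ValueError(f"link type {linktype}; expected Linux cooked ({LINKTYPE_LINUX_SLL})")
    counts = {"netlink": 0, "eapol": 0, "other": 0, "chronological": True}
    last_ts = None
    for ts, pkt in records:
        if len(pkt) < 16:                        # SLL header is 16 bytes, big-endian
            counts["other"] += 1
            continue
        _pkttype, hatype, _halen, proto = struct.unpack(">HHH8xH", pkt[:16])
        if hatype == ARPHRD_NETLINK:             # for nlmon frames proto is the netlink family
            counts["netlink"] += 1
        elif hatype == ARPHRD_ETHER and proto == ETH_P_PAE:
            counts["eapol"] += 1
        else:
            counts["other"] += 1
        if last_ts is not None and ts < last_ts:
            counts["chronological"] = False
        last_ts = ts
    return counts


# --- constructed sample data (not a real capture) ---------------------------

def sll_frame(hatype, proto, payload):
    """Build a cooked frame: pkttype 0, empty link address, big-endian fields."""
    return struct.pack(">HHH8sH", 0, hatype, 0, b"\0" * 8, proto) + payload


def build_pcap(records, linktype=LINKTYPE_LINUX_SLL):
    """Write a little-endian, microsecond pcap from (sec, usec, frame) tuples."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_US, 2, 4, 0, 0, 65535, linktype)
    for sec, usec, frame in records:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


NETLINK_GENERIC = 16
# A bare nlmsghdr (len, type, flags, seq, pid) standing in for an nl80211 message.
NL_FRAME = sll_frame(ARPHRD_NETLINK, NETLINK_GENERIC, struct.pack("=IHHII", 16, 0, 0, 1, 0))
# EAPOL header only: protocol version 2, packet type 3 (EAPOL-Key), zero body length.
PAE_FRAME = sll_frame(ARPHRD_ETHER, ETH_P_PAE, bytes([0x02, 0x03, 0x00, 0x00]))

# What a merged trace.pcap looks like in miniature: two netlink frames with an
# EAPOL frame between them, in timestamp order.
MERGED_TRACE = build_pcap([(1, 0, NL_FRAME), (1, 500, PAE_FRAME), (1, 1000, NL_FRAME)])

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = MERGED_TRACE
    print(summarise(data))
```

Run it as `python3 check_trace.py trace.pcap` (script name assumed) after the mergecap step; a non-zero "other" count usually means the `-i any` capture picked up frames outside the `ether proto 0x888e` filter, and `chronological: False` means the two input files carried clocks that disagree.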