wpa_supplicant: use capabilities in service

srcpkgs/wpa_supplicant/INSTALL.msg

@@ -0,0 +1,4 @@
+The runit service now uses Linux capabilities to run as non-root.
+If you edited `wpa_supplicant.conf` files, you must set
+	`control_interface_group=_wpas`
+there, so that the unprivileged daemon can function properly.

srcpkgs/wpa_supplicant/files/wpa_supplicant.conf

@@ -1,7 +1,7 @@
 # Default configuration file for wpa_supplicant.conf(5).
 
 ctrl_interface=/run/wpa_supplicant
-ctrl_interface_group=wheel
+ctrl_interface_group=_wpas
 eapol_version=1
 ap_scan=1
 fast_reauth=1

srcpkgs/wpa_supplicant/files/wpa_supplicant/run

@@ -7,5 +7,14 @@ else
 	OPTS="${AUTO}"
 fi
 
+# automigrate
+chown -R _wpas:_wpas /etc/wpa_supplicant
+! [ -d /run/wpa_supplicant ] && install -m 700 -g _wpas -o _wpas -d /run/wpa_supplicant
+chown -R _wpas:_wpas /run/wpa_supplicant
+
 exec 2>&1
-exec wpa_supplicant ${OPTS}
+exec setpriv --reuid _wpas --regid _wpas --clear-groups \
+  --ambient-caps -all,+net_admin,+net_raw \
+  --inh-caps -all,+net_admin,+net_raw \
+  --bounding-set -all,+net_admin,+net_raw \
+  --no-new-privs -- wpa_supplicant ${OPTS}

srcpkgs/wpa_supplicant/template

@@ -20,6 +20,7 @@ make_check=no # has no test suite
 build_options="dbus readline"
 build_options_default="dbus readline"
 conf_files="/etc/${pkgname}/${pkgname}.conf"
+system_accounts="_wpas"
 
 pre_build() {
 	cp -f ${FILESDIR}/config .config