[MIR] iwd

Bug #1971739 reported by Sebastien Bacher
Affects: iwd (Ubuntu), Status: Fix Released

Bug Description

The package iwd is already in Ubuntu universe.
The package iwd builds for the architectures it is designed to work on.
It currently builds and works for architectures: amd64 arm64 armhf ppc64el riscv64 s390x
Link to package https://launchpad.net/ubuntu/+source/iwd

- The package iwd is required in Ubuntu main to replace wpa as our default wireless service

- The package iwd is required in Ubuntu main no later than aug 25 due to feature freeze

- Had 5 security issues in the past
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40861
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40860
  - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17497
  - https://ubuntu.com/security/CVE-2020-8689
  - https://ubuntu.com/security/CVE-2020-17497

- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does install a service as /lib/systemd/system/iwd.service,
  which has the following security features: PrivateTmp=true, NoNewPrivileges=true, DevicePolicy=closed, ProtectSystem=strict, ProtectHome=yes, ProtectControlGroups=yes, ProtectKernelModules=yes
- Package does not open privileged ports (ports < 1024)
- Package does not contain extensions to security-sensitive software

[Quality assurance - function/usage]
- The package works well right after install

[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu and has a few bugs reported but nothing critical
  - Ubuntu https://bugs.launchpad.net/ubuntu/+source/iwd/+bug
  - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=iwd
- The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
  it makes the build fail, link to build log https://launchpadlibrarian.net/599165412/buildlog_ubuntu-kinetic-amd64.iwd_1.27-1_BUILDING.txt.gz

- The package runs an autopkgtest, and is currently passing on
  amd64 arm64 armhf s390x ppc64el, https://autopkgtest.ubuntu.com/packages/i/iwd
- The package does not have failing autopkgtests right now

[Quality assurance - packaging]
- debian/watch is present and works

- The package has no important lintian warnings

iwd-1.27# lintian --pedantic
W: iwd source: mismatched-override missing-license-paragraph-in-dep5-copyright gpl-2\+ *
W: iwd source: mismatched-override missing-license-paragraph-in-dep5-copyright gpl-3\+ *
W: iwd source: mismatched-override missing-license-paragraph-in-dep5-copyright lgpl-2\.1\+ *
W: iwd source: mismatched-override ... use --no-tag-display-limit to see all (or pipe to a file/program)
W: iwd source: missing-license-paragraph-in-dep5-copyright debian/copyright gpl-2+ (line 57)
W: iwd source: missing-license-paragraph-in-dep5-copyright debian/copyright gpl-3+ (line 153)
W: iwd source: missing-license-paragraph-in-dep5-copyright debian/copyright lgpl-2.1+ (line 33)
W: iwd source: missing-license-text-in-dep5-copyright debian/copyright GPL-2+ (line 236)
W: iwd source: missing-license-text-in-dep5-copyright debian/copyright GPL-3+ (line 239)
W: iwd source: missing-license-text-in-dep5-copyright debian/copyright LGPL-2.1+ (line 262)
W: iwd source: orig-tarball-missing-upstream-signature iwd_1.27.orig.tar.xz
W: iwd source: superfluous-file-pattern debian/copyright */Makefile.in (Files, line 59)
W: iwd source: superfluous-file-pattern debian/copyright */configure (Files, line 35)
W: iwd source: superfluous-file-pattern debian/copyright */ylwrap (Files, line 65)
P: iwd source: very-long-line-length-in-source-file build-aux/libtool.m4 line 6627 is 738 characters long (>512)
P: iwd source: very-long-line-length-in-source-file configure line 10178 is 704 characters long (>512)

- Lintian overrides are not present

- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies

- The package will be installed by default, but does not ask debconf questions

- Packaging and build is easy, https://salsa.debian.org/debian/iwd/-/blob/debian/latest/debian/rules

[UI standards]
- Application is not end-user facing (does not need translation)

- There are further dependencies that are not yet in main, MIR for them
  is at https://bugs.launchpad.net/ubuntu/+source/ell/+bug/1971738

[Standards compliance]
- This package correctly follows FHS and Debian Policy

- desktop-packages is not yet subscribed, but will subscribe to the package before promotion

- This does not use static builds
- The package has been built in the archive more recently than the last
  test rebuild

[Background information]
The Package description explains the package well
Upstream Name is iwd
Link to upstream project https://iwd.wiki.kernel.org/

Tags: sec-1040


Lukas Märdian (slyon)
Changed in iwd (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote (last edit ):

Review for Package: src:iwd

iwd (iNet Wireless Daemon) is a modern, up-and-coming wireless daemon for Linux. It is written by Intel and aims to replace wpa_supplicant for potential benefits in:
- simplification of network management
- faster network discovery
- fast and reliable roaming
- using less system resources
- using features offered by the Linux kernel
- support for enterprise security methods like EAP
- support for kernel asymmetric key rings and trusted platform modules (TPM)
- support for multiple clients

The package is in pretty good shape overall and has been discussed as a replacement for src:wpa since a long time ago (https://discourse.ubuntu.com/t/call-for-testing-improved-wifi-via-iwd/17795, LP: #1872060 and others). It would be nice to have iwd in main as a replacement for wpa.

MIR team ACK under the constraint to resolve the below listed
required TODOs and as much as possible having a look at the
recommended TODOs.

This does need a security review, so I'll assign ubuntu-security.

List of specific binary packages to be promoted to main: iwd
Specific binary packages built, but NOT to be promoted to main: <None>

- The MIR talks about replacing wpa with iwd, could you please specify the plan for this in more detail, e.g. can we demote src:wpa at the same time as promoting src:iwd?
- The src:iwd package contains an embedded source for "ell", but that is not being used during build.

Required TODOs:
#1: describe how/when we will be able to demote src:wpa (wpa_supplicant)

#2: Remove src:iwd from the lto-disabled list: LP: #1956950
    And fix the LTO build or put the workaround into the package directly.

#3: get src:ell MIR approved: LP: #1971738

Recommended TODOs:
#4: The package should get a team bug subscriber before being promoted
#5: Double-check if https://bugs.debian.org/1007097 could be a problem
#6: work with upstream/debian to avoid autoconf warnings during build

There is src:wpa (wpa_supplicant) in main, providing similar functionality. There are some reverse-depends that would need to be adopted, if wpa is demoted:
$ reverse-depends -c main src:wpa
* geoclue-2.0 (for wpasupplicant)
* network-manager (for wpasupplicant)

* ubuntu-desktop [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-minimal [amd64 arm64 armhf ppc64el]
* ubuntu-desktop-raspi [arm64 armhf]
* ubuntu-server-raspi [arm64 armhf]

Packages without architectures listed are reverse-dependencies in: amd64, arm64, armhf, ppc64el, s390x

- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

- Depends on libell0, proposed for MIR: LP: #1971738

[Embedded sources and static linking]
- no static linking is used
- does not have odd Built-Using entries
- not a go package, no extra constraints to consider in that regard
- No vendoring used (embedded "ell" is unused)

- embedded "ell" source present in ell/, but is not being used (d/rules specifies "--enable-external-ell")

- history of CVEs does not look concerning (two of t...


Changed in iwd (Ubuntu):
status: New → Incomplete
assignee: Lukas Märdian (slyon) → Sebastien Bacher (seb128)
Christian Ehrhardt (paelzer) wrote :

This can enter security queue while Desktop considers the remaining open required todos.

Also setting the milestone matching that of ell.

Changed in iwd (Ubuntu):
milestone: none → ubuntu-22.08
assignee: Sebastien Bacher (seb128) → Ubuntu Security Team (ubuntu-security)
Lukas Märdian (slyon) wrote :

After consultation with the MIR team, we concluded that this should actually go through security review. Updated my previous comment.

tags: added: sec-1040
Neal Gompa (ngompa13) wrote :

Using IWD wouldn't obviate the use of wpa_supplicant, since the latter is used for more than Wi-Fi security. 802.1x authentication can be used for physical networks as well as VPNs and other things, so NetworkManager will use wpa_supplicant for those scenarios.

IWD is pretty much only for Wi-Fi, so you'd wind up needing both in main if you decided to go down the road of using IWD.

Changed in iwd (Ubuntu):
status: Incomplete → In Progress
assignee: Ubuntu Security Team (ubuntu-security) → Camila Camargo de Matos (ccdm94)
Sebastien Bacher (seb128) wrote :

> Using IWD wouldn't obviate the use of wpa_supplicant, since the latter is used for more than Wi-Fi security. 802.1x authentication can be used for physical networks as well as VPNs and other things,

iwd includes a component for physical 802.1x authentication called 'ead' but the Debian (and Ubuntu) package isn't currently built with --enable-wired which has been reported to Debian as https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=956457

Camila Camargo de Matos (ccdm94) wrote :

I reviewed iwd 1.27-1 as checked into kinetic. This shouldn't be considered a full audit but rather a quick gauge of maintainability.

Iwd, the iNet wireless daemon, is a wireless daemon for Linux that aims to implement wireless network functionalities and simplify network configuration, management and use for users. Iwd attempts to achieve this in a simple manner, using Linux Kernel functionalities and not depending on any external libraries, which also allows for optimized resource utilization (storage, runtime memory and link-time costs). It is written by Intel, and is an alternative to wpa_supplicant.

- CVE History: there are two main CVEs associated with this package, CVE-2020-17497 and CVE-2020-8689. According to our prioritization, none of these is a HIGH or a CRITICAL, and according to NVD, they are classified respectively as HIGH and MEDIUM. Upstream seems to have responded to the vulnerability reports quickly, and patches were provided.

- Build-Depends: debhelper-compat, libell-dev, libreadline-dev, libdbus-1-dev, systemd.

- Run-Depends: init-system-helpers (>= 1.51), libc6 (>= 2.34), libell0 (>= 0.50), libreadline8 (>= 6.0), dbus. Focuses on mostly depending on the Linux Kernel and the C runtime library.

- There is a postinst script and there is a postrm script. For the postinst script: creates and enables the iwd systemd service in /etc/init.d. The service seems to not be automatically started upon install, which is confirmed by the fact that the postinst script calls update-rc.d with option defaults-disabled. For the postrm script: removes the installed systemd service, reloads systemd and masks the iwd service, in case of a 'remove'; or purges and unmasks it, in case of a 'purge'. No configuration files seem to be removed. The postrm script cleans up what is done by the postinst script.

- File ./etc/init.d/iwd is created during install. This contains the iwd service that is to be run in the system. Permissions for this file are the default for init.d scripts, which seems appropriate. The script sets environment variables which will point to iwd's state directory and configuration directory (places where iwd extracts data from). It creates the directory for the state configurations with 0700 permissions. It starts the daemon. It sets the location of its pid file to /var/run/iwd-sysd2v.pid. The daemon is set to run in the background. It looks like iwd creates the directory it needs every time it starts running, maybe to guarantee that there will be no errors if any configuration or state file is missing. This could be a positive thing, as iwd sets the permissions of the state directory every time it starts, which means that once it starts, only whoever is the owner of the file (which we can assume is expected to be root) can edit it, which would avoid issues where there is an attempt to tamper with this file.

- /lib/systemd/system/iwd.service: defines the DBus service net.connman.iwd which has the following network capabilities: CAP_NET_ADMIN, CAP_NET_RAW and CAP_NET_BIND_SERVICE. It sets the StateDirectoryMode to 0700. NoNewPrivileges is set to true, which is a security plus. Sets PrivateTmp, which is useful to secure acce...

Changed in iwd (Ubuntu):
assignee: Camila Camargo de Matos (ccdm94) → nobody
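The sandboxing directives the bug description and the security review list (PrivateTmp, NoNewPrivileges, DevicePolicy=closed, ProtectSystem=strict, ProtectHome, a bounding set limited to CAP_NET_ADMIN/CAP_NET_RAW/CAP_NET_BIND_SERVICE, StateDirectoryMode=0700) can be checked mechanically. The script below is an added example, not code from the iwd package or from this bug: it parses a systemd unit and evaluates that checklist, and its sample unit is constructed from the directives named on this page, not a copy of the real /lib/systemd/system/iwd.service.

```python
from collections import defaultdict

# Constructed sample unit (assumption): modelled on the directives the review
# names, NOT a copy of the real /lib/systemd/system/iwd.service.
SAMPLE_UNIT = """\
[Service]
BusName=net.connman.iwd
StateDirectoryMode=0700
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_RAW CAP_NET_BIND_SERVICE
NoNewPrivileges=true
PrivateTmp=true
DevicePolicy=closed
ProtectSystem=strict
ProtectHome=yes
"""

def parse_unit(text):
    """Return {section: {key: [values]}}; systemd allows repeated keys."""
    units = defaultdict(lambda: defaultdict(list))
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section and sep:
            units[section][key.strip()].append(value.strip())
    return units

TRUE = {"true", "yes", "on", "1"}
ALLOWED_CAPS = {"CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_NET_BIND_SERVICE"}

def audit_service(text):
    """Checklist results: True when the directive holds its hardened value."""
    svc = parse_unit(text)["Service"]
    last = lambda key: (svc[key] or [""])[-1].lower()   # last assignment wins
    # Repeated CapabilityBoundingSet lines merge, so collect all of them.
    caps = {c for v in svc["CapabilityBoundingSet"] for c in v.split()}
    return {
        "no_new_privileges": last("NoNewPrivileges") in TRUE,
        "private_tmp": last("PrivateTmp") in TRUE,
        "device_policy_closed": last("DevicePolicy") == "closed",
        "protect_system_strict": last("ProtectSystem") == "strict",
        "protect_home": last("ProtectHome") in TRUE,
        "state_dir_0700": last("StateDirectoryMode") == "0700",
        "caps_restricted": bool(caps) and caps <= ALLOWED_CAPS,
    }
```

On a real system, `systemd-analyze security iwd.service` reports systemd's own exposure score for the same class of directives and is the quicker first check.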
Sebastien Bacher (seb128) wrote :

In case it was not clear from my earlier comment, re 1. we can demote wpa this cycle since ead in iwd provides what we need.

On the recommended todo, the Debian bug is under resolution and will be addressed before release, and we will work with upstream on the warnings.

Didier Roche-Tolomelli (didrocks) wrote :

After discussing this in the MIR team meeting, this is an ack as the remaining issues have been fixed or are on track.

Changed in iwd (Ubuntu):
status: In Progress → Fix Committed
Sebastien Bacher (seb128) wrote :

desktop-packages subscribed and package promoted now

Changed in iwd (Ubuntu):
status: Fix Committed → Fix Released
Marcos Alano (mhalano) wrote :

Nice. I think the last step is to change the ubuntu-meta packages to depend on iwd instead of wpasupplicant. What do you think?
