[yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs
Joshua G Lock
joshua.g.lock at linux.intel.com
Tue Aug 16 12:52:08 PDT 2016
On Tue, 2016-08-16 at 11:55 +0000, Kumar, Shrawan wrote:
> Thanks Joshua,
>
> "postinst" works!! I could see the attributes set under
> "poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-
> minimal/1.0-r0/rootfs/".
>
> However, I still could not see the attributes after booting qemu. It
> seems during rootfs.ext4 (mkfs.ext4 command) creation, when
> "create_image_ext4.sh" is called, again this is getting lost.
>
> Any idea on this?
I'm not sure why the attribute isn't preserved in the image, it could
be another missing piece for me to track in the quest to better
support xattr.
There is a way to work around it, though — you can force the postinst
to be run on the target at first boot, as documented in that same
manual section. For example I have a test recipe with:
8<----snip--------
pkg_postinst_${PN}() {
    chown foo:foo $D${datadir}/xattrtest/xattrtest
    # Force setfacl to run on the target, not at image creation
    if [ x"$D" = "x" ]; then
        setfacl -m u:bar:r-- $D${datadir}/xattrtest/xattrtest
    else
        exit 1
    fi
}
USERADD_PACKAGES = "${PN}"
USERADD_PARAM_${PN} = "-m foo;-m bar"
RDEPENDS_${PN} += "acl"
8<----snip--------
which results in:
$ getfacl /usr/share/xattrtest/xattrtest
getfacl: Removing leading '/' from absolute path names
# file /usr/share/xattrtest/xattrtest
# owner: foo
# group: foo
user::rw-
user:bar:r--
group::r--
mask::r--
other::r--
The downside here is that your image has to include postinst support
and the acl package (per the RDEPENDS_${PN} line in the snippet above).
Regards,
Joshua
>
> Regards
> Shrawan
>
> -----Original Message-----
> From: Joshua G Lock [mailto:joshua.g.lock at linux.intel.com]
> Sent: Friday, August 12, 2016 7:22 PM
> To: Kumar, Shrawan; yocto at yoctoproject.org
> Subject: Re: [yocto] Access Control List (ACL) permissions attributes
> not getting preserved in rootfs
>
> On Fri, 2016-08-12 at 12:33 +0000, Kumar, Shrawan wrote:
> >
> > Hello All,
> >
> > I am using poky “jethro”, and through one of my recipes, I have
> > created user1 & user2 and then trying to set ACL rules on
> > “helloworld” bin as below:
> >
> >
> > do_install() {
> >     install -d ${D}${bindir}
> >     install -m 0700 helloworld ${D}${bindir}
> >     install -d ${D}/lib/systemd/system
> >     install -m 0700 hello.service ${D}/lib/systemd/system/
> >     chown user1:group1 ${D}${bindir}/helloworld
> >     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> > }
> >
> >
> > When I see on the devshell (bitbake HelloWorld -c devshell):
> > poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-
> > minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld , I could see
> > that ACL permissions are set correctly as below :
> > - # file: helloworld
> > - # owner: user1
> > - # group: group1
> > - user::rwx
> > - user:user2:r--
> > - group::---
> > - mask::r--
> > - other::---
> >
> > However, it does not seem to be getting preserved in rootfs:
> > /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-
> > minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> > # file: helloworld
> > # owner: user1
> > # group: group1
> > user::rwx
> > group::---
> > other::---
> >
> > quick help here would be highly appreciated
>
> This is due to the fact that we don't currently have a mechanism to
> preserve xattr through to image construction[1].
>
> The largest barrier for doing so is that the package managers
> (certainly dpkg and rpm) don't have any support for xattrs in
> packages (an image is populated via the package manager).
>
> To the best of my knowledge the only option for adding some xattr/ACL
> is to use a postinst[2] to set the attributes after the package has
> been installed.
>
> Regards,
>
> Joshua
>
> 1. https://bugzilla.yoctoproject.org/show_bug.cgi?id=9858
> 2. http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts
>
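Added example, not part of the original thread or of the Yocto project: a small check that reports which expected ACL entries are absent from `getfacl` output, so the silent loss described above fails a first-boot or image test instead of going unnoticed. The function names `acl_missing` and `check_sample` are hypothetical, and the two sample listings are constructed from the output shown in the messages.

```shell
#!/bin/sh
# Added example: detect ACL entries dropped between packaging and the
# booted image. Function names and sample data are constructed here.

# acl_missing "ENTRY ENTRY ..." < getfacl-output
# Prints every expected entry absent from the getfacl text on stdin.
# Returns 0 when all are present, 1 when at least one is missing.
acl_missing() {
    expected=$1
    # Drop "# file/owner/group" header lines and any trailing
    # "#effective:..." annotation, leaving bare ACL entries.
    actual=$(sed -e 's/[[:space:]]*#.*$//' -e '/^$/d')
    rc=0
    for entry in $expected; do
        if ! printf '%s\n' "$actual" | grep -Fxq -- "$entry"; then
            printf '%s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: ACL applied by the postinst on the target.
ACL_ON_TARGET='# file: usr/share/xattrtest/xattrtest
# owner: foo
# group: foo
user::rw-
user:bar:r--
group::r--
mask::r--
other::r--'

# Constructed sample: the rootfs listing where the ACL was lost.
ACL_LOST='# file: helloworld
# owner: user1
# group: group1
user::rwx
group::---
other::---'

# Run the check against an embedded sample instead of a live file.
check_sample() { printf '%s\n' "$1" | acl_missing "$2"; }

check_sample "$ACL_ON_TARGET" "user:bar:r-- mask::r--" && echo "target: ACL intact"
check_sample "$ACL_LOST" "user:user2:r-- mask::r--" || echo "rootfs: ACL entries missing"
```

On a booted target the same function can read live output, for example `getfacl /usr/share/xattrtest/xattrtest | acl_missing "user:bar:r--"`.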