[yocto] setcap using recipe

Mathieu Allard mathieu.allard at evalan.com
Fri Jul 1 07:03:51 PDT 2016


Hello,

I think that the main issue here is that the pkg_postinst function runs its action at rootfs creation time, and not on the target as advised by Ross.

Chapter 5.3.16, "post-installation scripts", in the mega-manual offers some detailed explanations on how to make it run after the first boot.


Regards,

Mathieu


----- Original Message -----
From: "Daniel." <danielhilst at gmail.com>
To: "Kumar, Shrawan" <Shrawan.Kumar at harman.com>
Cc: yocto at yoctoproject.org
Sent: Friday, July 1, 2016 3:54:15 PM
Subject: Re: [yocto] setcap using recipe

Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr

2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar at harman.com>:
> Hello Ross,
>
>
>
> None of the approaches is working. I have attached the recipe where I am
> trying to execute postinst. It builds successfully, but when I run getcap
> on the target, it does not return the set capabilities.
>
> Help will be highly appreciated.
>
>
>
> Regards
>
> Shrawan
>
> From: Burton, Ross [mailto:ross.burton at intel.com]
> Sent: Friday, June 24, 2016 6:40 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto at yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Looks like using setcap directly is broken currently, there are two
> workarounds:
>
>
>
> 1) use a postinst to invoke setcap on the target instead
>
> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
> function that always succeeds) and verify that it fixes the problem for you.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar at harman.com> wrote:
>
> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton at intel.com]
> Sent: Friday, June 24, 2016 5:56 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto at yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar at harman.com> wrote:
>
> Thanks Ross for your quick turnaround, I am getting the below error
>
> “Unable to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
> But when I use "# sudo setcap cap_net_raw+ep helloworld" on the command
> line I am able to set the cap.
>
> To achieve the sudo realization in the recipe, I tried as below, but no
> luck... Can you suggest something here?
>
>
>
> fakeroot do_install() {
>     install -d ${D}${bindir}
>     install -m 0755 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0755 hello.service ${D}/lib/systemd/system/
>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton at intel.com]
> Sent: Friday, June 24, 2016 5:09 PM
> To: Kumar, Shrawan
> Cc: yocto at yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar at harman.com> wrote:
>
> Is there a way to add a capability to a binary (cap_net_raw+ep) in a
> recipe?
>
>
>
> Example :
>
> do_install() {
>     install -d ${D}${bindir}
>     install -m 0755 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0755 hello.service ${D}/lib/systemd/system/
>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
> }
>
>
>
> If yes, is this the correct approach to achieve the same from the package
> recipe itself?
>
>
> Capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto at yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
"Do or do not. There is no try"
  Yoda Master
-- 
_______________________________________________
yocto mailing list
yocto at yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
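
Added example (not part of the original thread, and not code from the Yocto Project): a sketch of the postinst logic the messages above describe, which defers at rootfs creation time, runs setcap on the target, and reads the result back with getcap. The function name, return codes and the BINARY/CAPS defaults are assumptions modelled on the helloworld recipe in the thread.

```sh
#!/bin/sh
# Body for a pkg_postinst function, written as a plain shell function so it
# can be exercised outside BitBake. Names and paths below are assumptions.

BINARY="${BINARY:-/usr/bin/helloworld}"   # assumed install path (${bindir}/helloworld)
CAPS="${CAPS:-cap_net_raw+ep}"            # capability string used in the thread

apply_file_caps() {
    # $D is non-empty while the script runs on the build host during rootfs
    # creation. Returning non-zero there asks for the script to be run again
    # on the target at first boot, where $D is empty.
    if [ -n "${D:-}" ]; then
        return 1
    fi

    # On the target: store the capability as an extended attribute of the
    # file. This fails if the filesystem cannot hold extended attributes.
    if ! setcap "$CAPS" "$BINARY"; then
        echo "postinst: setcap $CAPS failed on $BINARY (xattr support?)" >&2
        return 2
    fi

    # Read it back, as the thread does with getcap, so a capability that
    # did not stick is reported instead of passing silently.
    cap_name="${CAPS%%[+=]*}"             # "cap_net_raw" from "cap_net_raw+ep"
    if ! getcap "$BINARY" | grep -q "$cap_name"; then
        echo "postinst: $BINARY carries no $cap_name after setcap" >&2
        return 3
    fi
    return 0
}
```

Inside a recipe the same logic would sit in the package's pkg_postinst function and end with "apply_file_caps || exit $?"; setcap and getcap have to be installed on the target for the first-boot run.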


