[yocto] setcap using recipe

Kumar, Shrawan Shrawan.Kumar at harman.com
Sat Jul 2 02:22:09 PDT 2016


Dear All,

The aim of my exercise is to apply "setcap" on an executable during rootfs creation.
I should be able to view the set capability using the getcap utility when this rootfs is mounted on the target.
As I said earlier, none of the suggested approaches is working here. Currently qemux86 is my target.

Can someone review the attached recipe and help solve the problem statement?



Regards
Shrawan

-----Original Message-----
From: Daniel. [mailto:danielhilst at gmail.com] 
Sent: Friday, July 01, 2016 7:54 PM
To: Mathieu Allard
Cc: Kumar, Shrawan; yocto at yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hmmm I see,

Well, I didn't note that. And yeah, that command should be run at first boot (that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.allard at evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers some detailed explanations on how to make it run after the first boot.
>
>
> Regards,
>
> Mathieu
>
>
> ----- Original Message -----
> From: "Daniel." <danielhilst at gmail.com>
> To: "Kumar, Shrawan" <Shrawan.Kumar at harman.com>
> Cc: yocto at yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :( 
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar at harman.com>:
>> Hello Ross,
>>
>>
>>
>> None of the approaches is working. I have attached the recipe where
>> I am trying to execute postinst. It builds successfully, but when I
>> run getcap on the target, it does not return the set capabilities.
>>
>>
>>
>> Help will be highly appreciated .
>>
>>
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.burton at intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto at yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>>
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset 
>> pseudo function that always succeeds) and verify that it fixes the problem for you.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar at harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.burton at intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto at yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> What version of OE/Yocto are you using?  Old versions of pseudo 
>> didn't support xattrs at all.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar at harman.com> wrote:
>>
>> Thanks Ross for your quick turnaround, I am getting the below error
>>
>> “Unable to set CAP_SETFCAP effective capability: Operation not
>> permitted.”
>>
>> But when I use  # sudo setcap cap_net_raw+ep helloworld  on the command
>> line I am able to set the cap.
>>
>> To achieve the sudo realization in the recipe, I tried as below, but
>> no luck… Can you suggest something here?
>>
>>
>>
>> fakeroot do_install() {
>>     install -d ${D}${bindir}
>>     install -m 0755 helloworld ${D}${bindir}
>>     install -d ${D}/lib/systemd/system
>>     install -m 0755 hello.service ${D}/lib/systemd/system/
>>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
>> }
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.burton at intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto at yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Hi,
>>
>>
>>
>> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar at harman.com> wrote:
>>
>> Is there a way to add a capability to a binary (cap_net_raw+ep) in
>> a recipe?
>>
>>
>>
>> Example :
>>
>> do_install() {
>>     install -d ${D}${bindir}
>>     install -m 0755 helloworld ${D}${bindir}
>>     install -d ${D}/lib/systemd/system
>>     install -m 0755 hello.service ${D}/lib/systemd/system/
>>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
>> }
>>
>>
>>
>> If yes, is this the correct approach to achieve the same from the package
>> recipe itself?
>>
>>
>> capabilities on files are just extended attributes, so assuming that 
>> you have a fairly recent Yocto and your host and target filesystems 
>> support extended attributes, yes this should work.
>>
>>
>>
>> Ross
>>
>>
>>
>>
>>
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto at yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
>>
>
>
>
> --
> "Do or do not. There is no try"
>   Yoda Master



--
"Do or do not. There is no try"
  Yoda Master
-------------- next part --------------
A non-text attachment was scrubbed...
Name: HelloWorld_0.1.bb
Type: application/octet-stream
Size: 874 bytes
Desc: HelloWorld_0.1.bb
URL: <http://lists.yoctoproject.org/pipermail/yocto/attachments/20160702/95ba5516/attachment.obj>
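
Added example (not part of the original thread and not the contents of the scrubbed attachment): a recipe fragment that combines the two points made above, namely invoking setcap from a postinst and making that postinst run on the target at first boot rather than at rootfs creation time. It reuses the helloworld and hello.service names from the thread and uses the Yocto 2.0-era variable syntax; the libcap-bin runtime dependency (for setcap and getcap on the target) is an assumption, as is the closing getcap check.

```bitbake
# Fragment for the HelloWorld recipe: only the parts that concern
# file capabilities are shown; the rest of the recipe is unchanged.

# Assumption: setcap and getcap on the target are provided by libcap-bin.
RDEPENDS_${PN} += "libcap-bin"

do_install() {
    install -d ${D}${bindir}
    install -m 0755 helloworld ${D}${bindir}
    install -d ${D}/lib/systemd/system
    install -m 0755 hello.service ${D}/lib/systemd/system/
    # No setcap here: this is the call that failed in the thread with
    # "Operation not permitted" when run inside the build environment.
}

pkg_postinst_${PN}() {
    if [ -n "$D" ]; then
        # $D is set while the rootfs is being assembled on the build host.
        # Exiting non-zero defers this script to first boot on the target.
        exit 1
    fi

    # From here on the script runs on the target, as root.
    setcap cap_net_raw+ep ${bindir}/helloworld || exit 1

    # Fail visibly if the capability did not stick, for example because
    # the target filesystem does not store extended attributes.
    getcap ${bindir}/helloworld | grep -q cap_net_raw
}
```

On Yocto releases that provide pkg_postinst_ontarget, that function replaces the $D test shown here.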

