[yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

Kumar, Shrawan Shrawan.Kumar at harman.com
Thu Nov 3 04:20:03 PDT 2016

Hello Team,

I am trying to set extended attributes using the postinst below. I am able to preserve the setcap and smack attributes in the ext4 image. However, I am getting "Invalid argument" when I run getfacl/setfacl in the qemu target. As said earlier, all 3 attributes are seen using devshell in the rootfs folder.

pkg_postinst_${PN}() {
    setfacl -m u:user2:r-- $D${bindir}/helloworld
    setcap cap_net_raw+ep $D${bindir}/helloworld
    chsmack -a "helloWorldAccessLabel" -e "helloWorldExecuteLabel" $D${bindir}/helloworld
}

When I was using "e2fsprogs_1.42.9.bb", the POSIX caps and smack rules were not getting preserved but ACL attributes were getting preserved; now the opposite is happening.

Can somebody help here? This is a bit urgent and I have been struggling for quite some time.

Note: I have set the inode size to be 256 while creating the ext4 image.

Thanks and Regards

-----Original Message-----
From: yocto-bounces at yoctoproject.org [mailto:yocto-bounces at yoctoproject.org] On Behalf Of Kumar, Shrawan
Sent: Thursday, October 27, 2016 6:26 PM
To: Joshua G Lock; yocto at yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

Hello All,

Further update on this issue: migrated to "e2fsprogs_1.43.bb" from "e2fsprogs_1.42.9.bb". It is observed that the ACL permissions set are visible in devshell, but when qemu is launched we get the below error:

root@qemux86:#getfacl /usr/bin/helloworld
getfacl: /usr/bin/helloworld: Invalid argument

root@qemux86:# setfacl -m u:user2:r-- /usr/bin/helloworld
setfacl: /usr/bin/helloworld: Invalid argument

Thanks and Regards

-----Original Message-----
From: Joshua G Lock [mailto:joshua.g.lock at linux.intel.com]
Sent: Friday, August 12, 2016 7:22 PM
To: Kumar, Shrawan; yocto at yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

On Fri, 2016-08-12 at 12:33 +0000, Kumar, Shrawan wrote:
> Hello All,
> I am using poky "jethro", and through one of my recipes I have
> created user1 & user2 and am then trying to set ACL rules on the
> "helloworld" bin as below:
> do_install() {
>     install -d ${D}${bindir}
>     install -m 0700 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0700 hello.service ${D}/lib/systemd/system/
>     chown user1:group1 ${D}${bindir}/helloworld
>     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> }
> When I look in the devshell (bitbake HelloWorld -c devshell):
> poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> I can see that the ACL permissions are set correctly as below:
> # file: helloworld
> # owner: user1
> # group: group1
> user::rwx
> user:user2:r--
> group::---
> mask::r--
> other::---
> However, it does not seem to be getting preserved in rootfs:
> /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> # file: helloworld
> # owner: user1
> # group: group1
> user::rwx
> group::---
> other::---
> Quick help here would be highly appreciated.

This is due to the fact that we don't currently have a mechanism to preserve xattr through to image construction[1].

The largest barrier for doing so is that the package managers (certainly dpkg and rpm) don't have any support for xattrs in packages (an image is populated via the package manager).

To the best of my knowledge the only option for adding some xattr/ACL is to use a postinst[2] to set the attributes after the package has been installed.



1. https://bugzilla.yoctoproject.org/show_bug.cgi?id=9858
2. http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-
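
The comparison made by eye in the oldest message of this thread (the getfacl output with the ACL present versus the one where it was lost) can be automated as a check on getfacl text. This is an added example, not code from the thread or from the Yocto Project; the function names are hypothetical and the two sample outputs are transcribed from the quoted message.

```python
from typing import NamedTuple

class Acl(NamedTuple):
    owner: str
    group: str
    entries: dict  # (scope, tag, qualifier) -> perms

def parse_getfacl(text: str) -> Acl:
    """Parse the text printed by getfacl for a single file."""
    owner = group = ""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        if not line or line.startswith("#"):
            continue
        line = line.split("#", 1)[0].strip()  # drop a trailing "#effective:..." note
        scope = "access"
        if line.startswith("default:"):       # default ACL entries on directories
            scope, line = "default", line[len("default:"):]
        tag, rest = line.split(":", 1)
        qualifier, perms = rest.rsplit(":", 1)
        entries[(scope, tag, qualifier)] = perms
    return Acl(owner, group, entries)

def _fmt(key, perms):
    scope, tag, qualifier = key
    prefix = "default:" if scope == "default" else ""
    return f"{prefix}{tag}:{qualifier}:{perms}"

def acl_drift(expected: Acl, actual: Acl) -> list:
    """List what differs in `actual` relative to `expected`."""
    problems = []
    if (expected.owner, expected.group) != (actual.owner, actual.group):
        problems.append(f"owner/group {actual.owner}:{actual.group}")
    for key, perms in sorted(expected.entries.items()):
        got = actual.entries.get(key)
        if got is None:
            problems.append("missing " + _fmt(key, perms))
        elif got != perms:
            problems.append("changed " + _fmt(key, got))
    for key in sorted(set(actual.entries) - set(expected.entries)):
        problems.append("unexpected " + _fmt(key, actual.entries[key]))
    return problems

# Sample inputs: the two getfacl outputs quoted in the thread.
WITH_ACL = ("# file: helloworld\n# owner: user1\n# group: group1\nuser::rwx\n"
            "user:user2:r--\ngroup::---\nmask::r--\nother::---\n")
WITHOUT_ACL = ("# file: helloworld\n# owner: user1\n# group: group1\n"
               "user::rwx\ngroup::---\nother::---\n")
```

Feeding it the getfacl output captured at install time and the output captured from the final image gives a list that is empty only when the ACL survived unchanged.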
