[yocto] setcap using recipe
Kumar, Shrawan
2016-06-24 10:41:49 UTC
Hello All,

Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?

Example:

do_install() {
    install -d ${D}${bindir}
    install -m 0755 helloworld ${D}${bindir}
    install -d ${D}/lib/systemd/system
    install -m 0755 hello.service ${D}/lib/systemd/system/
    setcap cap_net_raw+ep ${D}${bindir}/helloworld
}

If yes, is this the correct approach to achieve the same from the package recipe itself?

Thanks and Regards
Shrawan
Burton, Ross
2016-06-24 11:39:23 UTC
Hi,
Post by Kumar, Shrawan
Is there a way to add a capability to a binary (cap_net_raw+ep),into a recipe?
do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
setcap cap_net_raw+ep ${D}${bindir}/helloworld
}
If yes is this correct approach to achieve the same from package recipe itself ?

Capabilities on files are just extended attributes, so assuming that you
have a fairly recent Yocto and your host and target filesystems support
extended attributes, yes this should work.

Ross
Kumar, Shrawan
2016-06-24 12:23:02 UTC
Thanks Ross for your quick turnaround. I am getting the below error:

“Unable to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use # sudo setcap cap_net_raw+ep helloworld on the command line, I am able to set the cap.

To achieve the sudo realization in the recipe, I tried as below, but no luck. Can you suggest something here?

fakeroot do_install() {
    install -d ${D}${bindir}
    install -m 0755 helloworld ${D}${bindir}
    install -d ${D}/lib/systemd/system
    install -m 0755 hello.service ${D}/lib/systemd/system/
    setcap cap_net_raw+ep ${D}${bindir}/helloworld
}

Thanks and Regards
Shrawan

Burton, Ross
2016-06-24 12:25:51 UTC
What version of OE/Yocto are you using? Old versions of pseudo didn't
support xattrs at all.

Ross
Kumar, Shrawan
2016-06-24 12:31:42 UTC
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

Burton, Ross
2016-06-24 13:10:22 UTC
Looks like using setcap directly is broken currently, there are two
workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset
pseudo function that always succeeds) and verify that it fixes the problem
for you.

Ross
Kumar, Shrawan
2016-06-27 06:33:54 UTC
Hello Ross,

Against which version is this patch applicable? I am using pseudo-1.7.4 and could not find the capset.c file under the “ports/linux/guts/” directory.

Can you please help here ?

Thanks and Regards
Shrawan


Kumar, Shrawan
2016-06-29 04:10:47 UTC
Hello Ross,

Could you update on my issues?

Regards
Shrawan

Burton, Ross
2016-06-29 09:05:28 UTC
Post by Kumar, Shrawan
Could your update on my issues ?

The patch is probably against a newer version. If you're unable to switch
to the latest version of pseudo to debug this then you can run setcap in a
postinst.

Ross
Kumar, Shrawan
2016-07-01 12:53:07 UTC
Hello Ross,

None of the approaches is working. I have attached the recipe where I am trying to execute postinst. It builds successfully, but when I run getcap on the target, it does not return the set capabilities.

Help will be highly appreciated .

Regards
Shrawan
Daniel.
2016-07-01 13:54:15 UTC
Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
Mathieu Allard
2016-07-01 14:03:51 UTC
Hello,

I think that the main issue here is that the pkg_postinst function runs its action at the rootfs creation time, and not on the target as advised by Ross.

The chapter 5.3.16, "post-installation scripts" in the mega-manual offers some detailed explanations on how to make it run after the first boot.


Regards,

Mathieu


Daniel.
2016-07-01 14:23:40 UTC
Hmmm I see,

Well, I didn't note that. And yeah, that command should be run at
first boot (that feature saved my life a bunch of times :) )

Regards,
Kumar, Shrawan
2016-07-02 09:22:09 UTC
Dear All,

The aim of my exercise is to apply "setcap" on an executable during rootfs creation.
I should be able to view the set capability using the getcap utility when this rootfs is mounted on the target.
As I said earlier, none of the suggested approaches is working here. Currently qemux86 is my target.

Can someone review the attached recipe and help solve the problem statement?



Regards
Shrawan

Burton, Ross
2016-07-02 09:26:17 UTC
Post by Kumar, Shrawan
Can someone review the attached recipe and help solve the problem statement ?

As has been said, you need to ensure the postinst is delayed so it runs on
the target and not on the build host.

http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts

Ross
Kumar, Shrawan
2016-07-02 10:37:56 UTC
Hello Ross,

Post-installation scripts run immediately after installing a package on the target or during image creation when a package is included in an image.
Does it not mean that we can set the file attributes (setcap) during image creation?

I understand the delayed approach of executing it on the target, but my requirement is to do it on the build host. We do not want the “setcap” utility to be present on the target.


Regards
Shrawan

Burton, Ross
2016-07-02 14:22:18 UTC
Post by Kumar, Shrawan
Post-installation scripts run immediately after installing a package on
the target *or during image creation when a package is included in an
image*.
Does it not mean that we can set the file attributes(setcap) during
image creation ?
I understand the delayed approach of executing it on the target, but my
requirement is to do it on the build host. We do not want “setcap” utility
to be present on the target.

Then I suggest that you test the setcap patch that I pointed to earlier,
you'll likely need the pseudo 1.8 upgrade that Joshua sent last night.
This should ensure that setcap works in the pseudo environment. Then
follow the instructions in image_types.bbclass to ensure that xattrs are
preserved when the image is created, and check your kernel configuration to
confirm that xattrs are supported. I recommend attempting to use fsetattr
on the target directly to verify this. If all the pieces are in place then
they should work.

There's a number of bugs in bugzilla for tracking these issues (#9859 is
the metabug tracking them). Your help in solving this would be much
appreciated!

Ross
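
Ross's earlier point that file capabilities are just extended attributes, and his advice here to verify each stage, can be checked without setcap or getcap on the target by decoding the security.capability xattr directly. This is an added example, not code from the thread or from Yocto: the function names, the /usr/bin paths and the sample byte strings are constructed for illustration, and the layout decoded is the kernel's vfs_cap_data structure.

```python
import errno
import os
import struct

# Constants from the kernel header include/uapi/linux/capability.h.
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_3 = 0x03000000  # namespaced form, carries a trailing rootid
# revision -> number of little-endian (permitted, inheritable) u32 pairs
PAIRS = {0x01000000: 1, 0x02000000: 2, VFS_CAP_REVISION_3: 2}

CAP_NAMES = (
    "cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid "
    "cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable "
    "cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw "
    "cap_ipc_lock cap_ipc_owner cap_sys_module cap_sys_rawio cap_sys_chroot "
    "cap_sys_ptrace cap_sys_pacct cap_sys_admin cap_sys_boot cap_sys_nice "
    "cap_sys_resource cap_sys_time cap_sys_tty_config cap_mknod cap_lease "
    "cap_audit_write cap_audit_control cap_setfcap cap_mac_override "
    "cap_mac_admin cap_syslog cap_wake_alarm cap_block_suspend "
    "cap_audit_read cap_perfmon cap_bpf cap_checkpoint_restore"
).split()

# Constructed samples (not from the thread): revision 2 with the effective bit.
SAMPLE_NET_RAW_EP = bytes.fromhex("01000002 00200000 00000000 00000000 00000000")
SAMPLE_SYS_ADMIN_EP = bytes.fromhex("01000002 00002000 00000000 00000000 00000000")


def _names(mask):
    """Turn a capability bitmask into a set of capability names."""
    return {CAP_NAMES[i] if i < len(CAP_NAMES) else "cap_%d" % i
            for i in range(64) if (mask >> i) & 1}


def decode_file_caps(raw):
    """Decode the raw value of a security.capability xattr."""
    if len(raw) < 4:
        raise ValueError("too short for a vfs_cap_data header")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    pairs = PAIRS.get(revision)
    if pairs is None:
        raise ValueError("unknown revision 0x%08x" % revision)
    has_rootid = revision == VFS_CAP_REVISION_3
    expected = 4 + 8 * pairs + (4 if has_rootid else 0)
    if len(raw) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(raw)))
    permitted = inheritable = 0
    for i in range(pairs):
        low_p, low_i = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= low_p << (32 * i)
        inheritable |= low_i << (32 * i)
    rootid = struct.unpack_from("<I", raw, 4 + 8 * pairs)[0] if has_rootid else None
    return {"revision": revision >> 24,
            "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": _names(permitted),
            "inheritable": _names(inheritable),
            "rootid": rootid}


def read_file_caps(path):
    """Read the xattr from a file (Linux only); None if absent or unsupported."""
    try:
        return os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise


def audit(found, policy):
    """Compare xattrs against an allow-list.

    found:  path -> raw xattr bytes, or None when the file has no xattr
    policy: path -> (set of permitted capability names, effective flag)
    Returns a sorted list of (path, problem) tuples; empty means compliant.
    """
    problems = []
    for path in sorted(set(found) | set(policy)):
        raw, want = found.get(path), policy.get(path)
        if raw is None:
            if want is not None:
                problems.append((path, "missing security.capability"))
            continue
        try:
            caps = decode_file_caps(raw)
        except ValueError as exc:
            problems.append((path, "undecodable: %s" % exc))
            continue
        if want is None:
            names = ",".join(sorted(caps["permitted"]))
            problems.append((path, "unexpected capabilities: " + names))
        elif (caps["permitted"], caps["effective"]) != want:
            problems.append((path, "capabilities differ from policy"))
    return problems


def demo():
    """Audit a constructed image listing; only helloworld may hold cap_net_raw."""
    found = {"/usr/bin/helloworld": SAMPLE_NET_RAW_EP,   # assumed ${bindir}
             "/usr/bin/other": SAMPLE_SYS_ADMIN_EP,      # hypothetical file
             "/usr/bin/plain": None}                     # hypothetical file
    policy = {"/usr/bin/helloworld": ({"cap_net_raw"}, True)}
    return audit(found, policy)


if __name__ == "__main__":
    for path, problem in demo():
        print(path, problem)
```

read_file_caps needs Linux and a filesystem that exposes xattrs; the decoder itself works on bytes obtained by any means, for example from the mounted image or from the target.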

Burton, Ross
2016-07-01 15:33:44 UTC
Post by Mathieu Allard
I think that the main issue here is that the pkg_postinst function runs
its action at the rootfs creation time, and not on the target as advised by
Ross.

Yes, as I said in the first suggestion you'll need to ensure this runs on
the target (check $D and exit 1 if it's set).

Ross