Dear All,

The aim of my exercise is to apply "setcap" on an executable during rootfs creation. I should be able to view the set capability using the getcap utility when this rootfs is mounted on the target.

As I said earlier, none of the suggested approaches is working here. Currently qemux86 is my target. Can someone review the attached recipe and help solve the problem statement?

Regards
Shrawan

-----Original Message-----
From: Daniel. [mailto:danielhi...@gmail.com]
Sent: Friday, July 01, 2016 7:54 PM
To: Mathieu Allard
Cc: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hmmm I see,

Well, I didn't note that. And yeah, that command should be run at first boot (that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.all...@evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its
> action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers
> some detailed explanations on how to make it run after the first boot.
>
> Regards,
>
> Mathieu
>
> ----- Original Message -----
> From: "Daniel." <danielhi...@gmail.com>
> To: "Kumar, Shrawan" <shrawan.ku...@harman.com>
> Cc: yocto@yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :(
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <shrawan.ku...@harman.com>:
>> Hello Ross,
>>
>> None of the approaches is working. I have attached the recipe where
>> I am trying to execute postinst. It builds successfully, but when I
>> run getcap on the target, it does not return the set capabilities.
>>
>> Help will be highly appreciated.
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset
>> pseudo function that always succeeds) and verify that it fixes the problem
>> for you.
>>
>> Ross
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>> What version of OE/Yocto are you using? Old versions of pseudo
>> didn't support xattrs at all.
>>
>> Ross
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> Thanks Ross for your quick turn around, I am getting below error
>>
>> “Unable to set CAP_SETFCAP effective capability: Operation not
>> permitted.”
>>
>> But when I use # sudo setcap cap_net_raw+ep helloworld on command
>> line I am able to set the cap.
>>
>> To achieve the sudo realization in recipe, I tried as below, but
>> no luck…… Can you suggest something here?
>>
>> fakeroot do_install() {
>>     install -d ${D}${bindir}
>>     install -m 0755 helloworld ${D}${bindir}
>>     install -d ${D}/lib/systemd/system
>>     install -m 0755 hello.service ${D}/lib/systemd/system/
>>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
>> }
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>> Hi,
>>
>> On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> Is there a way to add a capability to a binary (cap_net_raw+ep), into
>> a recipe?
>>
>> Example:
>>
>> do_install() {
>>     install -d ${D}${bindir}
>>     install -m 0755 helloworld ${D}${bindir}
>>     install -d ${D}/lib/systemd/system
>>     install -m 0755 hello.service ${D}/lib/systemd/system/
>>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
>> }
>>
>> If yes is this correct approach to achieve the same from package
>> recipe itself?
>>
>> capabilities on files are just extended attributes, so assuming that
>> you have a fairly recent Yocto and your host and target filesystems
>> support extended attributes, yes this should work.
>>
>> Ross
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
>
> --
> "Do or do not. There is no try"
> Yoda Master
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto

--
"Do or do not. There is no try"
Yoda Master

HelloWorld_0.1.bb
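
The workaround discussed in the thread (run setcap from a postinst on the target at first boot rather than at rootfs creation), as an added example that is not part of the original messages or of the attached recipe. It assumes the Yocto 2.0-era `_${PN}` override syntax, that setcap and getcap are provided by the `libcap-bin` package, and that the binary is installed as `${bindir}/helloworld` as in the quoted do_install.

```bitbake
# Added example recipe fragment; names below are assumptions, see lead-in.

# The script runs on the target, so setcap/getcap must be installed there.
# Assumption: they are packaged in libcap-bin.
RDEPENDS_${PN} += "libcap-bin"

pkg_postinst_${PN}() {
if [ -n "$D" ]; then
    # $D is set only while the rootfs is being assembled on the build host.
    # Exiting non-zero here defers this script to first boot on the target,
    # where setcap runs as real root on the real filesystem.
    exit 1
fi

# First boot on the target: $D is empty, paths are the final ones.
setcap cap_net_raw+ep ${bindir}/helloworld || exit 1

# Read the attribute back. If the root filesystem cannot store the
# security.capability xattr, fail the postinst so the problem is visible
# instead of leaving a binary that silently lacks the capability.
getcap ${bindir}/helloworld | grep -q cap_net_raw || exit 1
}
```

Because the capability is stored as an extended attribute, the read-back check also covers the filesystem question raised earlier in the thread.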