From: Joshua G Lock <joshua.g.lock@linux.intel.com>
To: "Kumar, Shrawan" <Shrawan.Kumar@harman.com>,
"yocto@yoctoproject.org" <yocto@yoctoproject.org>
Subject: Re: Access Control List (ACL) permissions attributes not getting preserved in rootfs
Date: Tue, 16 Aug 2016 20:52:08 +0100
Message-ID: <1471377128.8414.7.camel@linux.intel.com>
In-Reply-To: <b80a230f7b11491b93bf0dfe9cc93a16@HIBDWSMB05.ad.harman.com>
On Tue, 2016-08-16 at 11:55 +0000, Kumar, Shrawan wrote:
> Thanks Joshua,
>
> "postinst" works!! I could see the attributes set under
> "poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/".
>
> However, I still could not see the attributes after booting qemu. It
> seems during rootfs.ext4 (mkfs.ext4 command) creation, when
> "create_image_ext4.sh" is called, this is again getting lost.
>
> Any idea on this ?
I'm not sure why the attribute isn't preserved in the image, it could
be another missing piece for me to track in the quest to better
support xattr.
There is a way to work around it, though — you can force the postinst
to be run on the target at first boot, as documented in that same
manual section. For example I have a test recipe with:
8<----snip--------
pkg_postinst_${PN}() {
    chown foo:foo $D${datadir}/xattrtest/xattrtest
    # Force setfacl to run on the target, not at image creation
    if [ x"$D" = "x" ]; then
        setfacl -m u:bar:r-- $D${datadir}/xattrtest/xattrtest
    else
        # Non-zero exit at image creation defers this script to first boot
        exit 1
    fi
}

USERADD_PACKAGES = "${PN}"
USERADD_PARAM_${PN} = "-m foo;-m bar"
RDEPENDS_${PN} += "acl"
8<----snip--------
which results in:
$ getfacl /usr/share/xattrtest/xattrtest
getfacl: Removing leading '/' from absolute path names
# file /usr/share/xattrtest/xattrtest
# owner: foo
# group: foo
user::rw-
user:bar:r--
group::r--
mask::r--
other::r--
The downside here is that your image has to include postinst support
and the acl package (per the RDEPENDS_${PN} line in the snippet above).
Regards,
Joshua
>
> Regards
> Shrawan
>
>
>
>
>
> -----Original Message-----
> From: Joshua G Lock [mailto:joshua.g.lock@linux.intel.com]
> Sent: Friday, August 12, 2016 7:22 PM
> To: Kumar, Shrawan; yocto@yoctoproject.org
> Subject: Re: [yocto] Access Control List (ACL) permissions attributes
> not getting preserved in rootfs
>
> On Fri, 2016-08-12 at 12:33 +0000, Kumar, Shrawan wrote:
> >
> > Hello All,
> >
> > I am using poky “jethro”, and through one of my recipes I have
> > created user1 & user2 and am then trying to set ACL rules on the
> > “helloworld” bin as below:
> >
> >
> > do_install() {
> >     install -d ${D}${bindir}
> >     install -m 0700 helloworld ${D}${bindir}
> >     install -d ${D}/lib/systemd/system
> >     install -m 0700 hello.service ${D}/lib/systemd/system/
> >     chown user1:group1 ${D}${bindir}/helloworld
> >     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> > }
> >
> >
> > -> When I look in the devshell (bitbake HelloWorld -c devshell):
> > poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> > I could see that the ACL permissions are set correctly, as below:
> > - # file: helloworld
> > - # owner: user1
> > - # group: group1
> > - user::rwx
> > - user:user2:r--
> > - group::---
> > - mask::r--
> > - other::---
> >
> > However, it does not seem to be getting preserved in rootfs:
> > /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> > # file: helloworld
> > # owner: user1
> > # group: group1
> > user::rwx
> > group::---
> > other::---
> >
> > quick help here would be highly appreciated
>
> This is due to the fact that we don't currently have a mechanism to
> preserve xattr through to image construction[1].
>
> The largest barrier for doing so is that the package managers
> (certainly dpkg and rpm) don't have any support for xattrs in
> packages (an image is populated via the package manager).
>
> To the best of my knowledge the only option for adding some xattr/ACL
> is to use a postinst[2] to set the attributes after the package has
> been installed.
>
> Regards,
>
> Joshua
>
> 1. https://bugzilla.yoctoproject.org/show_bug.cgi?id=9858
> 2. http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts
>
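
A check for the symptom reported in this thread, as an added example that is not part of the original messages: it compares getfacl output from two stages and prints the ACL entries that went missing, so a silently dropped ACL is caught before the image ships. The function names and the two sample variables are hypothetical, and the sample text is constructed from the getfacl values quoted in the thread.

```shell
#!/bin/sh
# Added example: find ACL entries lost between two build stages.
# Sample text is constructed from the getfacl output quoted in the thread.
STAGED_ACL='# file: helloworld
# owner: user1
# group: group1
user::rwx
user:user2:r--
group::---
mask::r--
other::---'

ROOTFS_ACL='# file: helloworld
# owner: user1
# group: group1
user::rwx
group::---
other::---'

# Read getfacl output on stdin; print one ACL entry per line. Header comments,
# "#effective:" trailers and blank lines are dropped.
acl_entries() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' | LC_ALL=C sort -u
}

# acl_lost EXPECTED ACTUAL: print entries in EXPECTED that ACTUAL lacks.
# Returns 0 when nothing is missing, 1 otherwise.
acl_lost() {
    exp=$(printf '%s\n' "$1" | acl_entries)
    act=$(printf '%s\n' "$2" | acl_entries)
    lost=$(printf '%s\n' "$exp" | while IFS= read -r entry; do
        printf '%s\n' "$act" | grep -qxF -e "$entry" || printf '%s\n' "$entry"
    done)
    [ -z "$lost" ] && return 0
    printf '%s\n' "$lost"
    return 1
}

if ! acl_lost "$STAGED_ACL" "$ROOTFS_ACL"; then
    echo "ACL entries above were lost between staging and rootfs" >&2
fi
```

On a build host, pass it the getfacl output for the same file in the package staging directory and in the image rootfs.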