From: Mathieu Allard <mathieu.allard@evalan.com>
To: "Daniel." <danielhilst@gmail.com>
Cc: yocto@yoctoproject.org
Subject: Re: setcap using recipe
Date: Fri, 1 Jul 2016 16:03:51 +0200 (CEST)
Message-ID: <1980608174.6503.1467381831219.JavaMail.zimbra@evalan.com>
In-Reply-To: <CAF3SDA4+4NhbBskh=PxDGqJP1PFcwFOEHYEK04DOTVv7mKTRrg@mail.gmail.com>
Hello,
I think that the main issue here is that the pkg_postinst function runs its action at rootfs creation time, and not on the target as advised by Ross.
Chapter 5.3.16, "Post-installation scripts", in the mega-manual offers some detailed explanations on how to make it run after the first boot.
Regards,
Mathieu
----- Original Message -----
From: "Daniel." <danielhilst@gmail.com>
To: "Kumar, Shrawan" <Shrawan.Kumar@harman.com>
Cc: yocto@yoctoproject.org
Sent: Friday, July 1, 2016 3:54:15 PM
Subject: Re: [yocto] setcap using recipe
Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar@harman.com>:
> Hello Ross,
>
>
>
> None of the approaches is working. I have attached the recipe where I am
> trying to execute postinst. It builds successfully, but when I run getcap
> on the target, it does not return the set capabilities.
>
>
>
> Help will be highly appreciated.
>
>
>
> Regards
>
> Shrawan
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 6:40 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Looks like using setcap directly is broken currently, there are two
> workarounds:
>
>
>
> 1) use a postinst to invoke setcap on the target instead
>
> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
> function that always succeeds) and verify that it fixes the problem for you.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 5:56 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using? Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Thanks Ross for your quick turnaround, I am getting the below error
>
> “Unable to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
> But when I use # sudo setcap cap_net_raw+ep helloworld on the command
> line I am able to set the cap.
>
> To achieve the sudo realization in the recipe, I tried as below, but no
> luck… Can you suggest something here?
>
>
>
> fakeroot do_install() {
>     install -d ${D}${bindir}
>     install -m 0755 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0755 hello.service ${D}/lib/systemd/system/
>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 5:09 PM
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Is there a way to add a capability to a binary (cap_net_raw+ep), into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>     install -d ${D}${bindir}
>     install -m 0755 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0755 hello.service ${D}/lib/systemd/system/
>     setcap cap_net_raw+ep ${D}${bindir}/helloworld
> }
>
>
>
> If yes, is this the correct approach to achieve the same from the package
> recipe itself?
>
>
> Capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>
--
"Do or do not. There is no try"
Yoda Master
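
Added example (not part of the thread, and not the recipe Shrawan attached): a pkg_postinst that defers setcap to the first boot of the target, as Mathieu and Ross describe, written in the Yocto 2.0-era override syntax the thread uses. It assumes setcap and getcap are provided by a package named libcap-bin and that the target root filesystem supports extended attributes, which is the point Daniel raises about ubifs.

```bitbake
# Added example, not code from the thread.
# Assumption: the setcap/getcap tools are packaged as libcap-bin.
RDEPENDS_${PN} += "libcap-bin"

pkg_postinst_${PN}() {
    # $D is non-empty while the image rootfs is assembled on the build
    # host. Exiting non-zero there defers this script to the first boot
    # of the target, so setcap never runs under pseudo.
    if [ -n "$D" ]; then
        exit 1
    fi

    # From here on we are on the target. ${bindir} is expanded by
    # BitBake at build time; $target is a plain shell variable.
    target="${bindir}/helloworld"

    # File capabilities are stored in the security.capability extended
    # attribute, so this fails on a filesystem without xattr support.
    if ! setcap cap_net_raw+ep "$target"; then
        echo "postinst: setcap failed on $target (no xattr support?)" >&2
        exit 1
    fi

    # Verify the result instead of assuming it: getcap prints nothing
    # when no capability is set on the file.
    if ! getcap "$target" | grep -q cap_net_raw; then
        echo "postinst: cap_net_raw not present on $target" >&2
        exit 1
    fi
}
```

With this in place, do_install only installs the files; the setcap line is removed from it.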