setcap using recipe

setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1: Type: text/plain, Size: 543 bytes --]

Hello All,



Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

           install -d ${D}${bindir}

           install -m 0755 helloworld ${D}${bindir}

           install -d ${D}/lib/systemd/system

           install -m 0755 hello.service ${D}/lib/systemd/system/

           setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself ?





Thanks and Regards

Shrawan


[-- Attachment #2: Type: text/html, Size: 3587 bytes --]

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 812 bytes --]

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:

> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>            install -d ${D}${bindir}
>
>            install -m 0755 helloworld ${D}${bindir}
>
>            install -d ${D}/lib/systemd/system
>
>            install -m 0755 hello.service ${D}/lib/systemd/system/
>
>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>

capabilities on files are just extended attributes, so assuming that you
have a fairly recent Yocto and your host and target filesystems support
extended attributes, yes this should work.

Ross

[-- Attachment #2: Type: text/html, Size: 1465 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1: Type: text/plain, Size: 1729 bytes --]

Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… Can you suggest something here  ?

fakeroot do_install() {
                    install -d ${D}${bindir}
                    install -m 0755 helloworld ${D}${bindir}
                    install -d ${D}/lib/systemd/system
                    install -m 0755 hello.service ${D}/lib/systemd/system/
             setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

           install -d ${D}${bindir}

           install -m 0755 helloworld ${D}${bindir}

           install -d ${D}/lib/systemd/system

           install -m 0755 hello.service ${D}/lib/systemd/system/

           setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself ?

capabilities on files are just extended attributes, so assuming that you have a fairly recent Yocto and your host and target filesystems support extended attributes, yes this should work.

Ross

[-- Attachment #2: Type: text/html, Size: 8500 bytes --]

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 2088 bytes --]

What version of OE/Yocto are you using?  Old versions of pseudo didn't
support xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:

> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use    # *sudo* setcap cap_net_raw+ep  helloworld        on
> command line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
>                     install -d ${D}${bindir}
>
>                     install -m 0755 helloworld ${D}${bindir}
>
>                     install -d ${D}/lib/systemd/system
>
>                     install -m 0755 hello.service ${D}/lib/systemd/system/
>
>              setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> *From:* Burton, Ross [mailto:ross.burton@intel.com]
> *Sent:* Friday, June 24, 2016 5:09 PM
> *To:* Kumar, Shrawan
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>            install -d ${D}${bindir}
>
>            install -m 0755 helloworld ${D}${bindir}
>
>            install -d ${D}/lib/systemd/system
>
>            install -m 0755 hello.service ${D}/lib/systemd/system/
>
>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>

[-- Attachment #2: Type: text/html, Size: 6695 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1.1: Type: text/plain, Size: 2243 bytes --]

I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com]
Sent: Friday, June 24, 2016 5:56 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… Can you suggest something here  ?

fakeroot do_install() {
                    install -d ${D}${bindir}
                    install -m 0755 helloworld ${D}${bindir}
                    install -d ${D}/lib/systemd/system
                    install -m 0755 hello.service ${D}/lib/systemd/system/
             setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

           install -d ${D}${bindir}

           install -m 0755 helloworld ${D}${bindir}

           install -d ${D}/lib/systemd/system

           install -m 0755 hello.service ${D}/lib/systemd/system/

           setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself ?

capabilities on files are just extended attributes, so assuming that you have a fairly recent Yocto and your host and target filesystems support extended attributes, yes this should work.

Ross


[-- Attachment #1.2: Type: text/html, Size: 12631 bytes --]

[-- Attachment #2: HelloWorld_0.1.bb --]
[-- Type: application/octet-stream, Size: 793 bytes --]

#
# This file was derived from the 'Hello World!' example recipe in the
# Yocto Project Development Manual.
#

SUMMARY = "Simple helloworld application"
SECTION = "examples"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
inherit systemd 


SRC_URI = "file://helloworld.c \
	file://hello.service "

S = "${WORKDIR}"

do_compile() {
	     ${CC} helloworld.c -o helloworld
}

fakeroot do_install() {
	     install -d ${D}${bindir}
	     install -m 0755 helloworld ${D}${bindir}
	     install -d ${D}/lib/systemd/system
	     install -m 0755 hello.service ${D}/lib/systemd/system/
             setcap cap_net_raw+ep  ${D}${bindir}/helloworld
	    	
}



SYSTEMD_SERVICE_${PN} = "hello.service"

SYSTEMD_AUTO_ENABLE_${PN} = "enable"  

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 2795 bytes --]

Looks like using setcap directly is broken currently, there are two
workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset
pseudo function that always succeeds) and verify that it fixes the problem
for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:

> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> *From:* Burton, Ross [mailto:ross.burton@intel.com]
> *Sent:* Friday, June 24, 2016 5:56 PM
>
> *To:* Kumar, Shrawan
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use    # *sudo* setcap cap_net_raw+ep  helloworld        on
> command line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
>                     install -d ${D}${bindir}
>
>                     install -m 0755 helloworld ${D}${bindir}
>
>                     install -d ${D}/lib/systemd/system
>
>                     install -m 0755 hello.service ${D}/lib/systemd/system/
>
>              setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> *From:* Burton, Ross [mailto:ross.burton@intel.com]
> *Sent:* Friday, June 24, 2016 5:09 PM
> *To:* Kumar, Shrawan
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>            install -d ${D}${bindir}
>
>            install -m 0755 helloworld ${D}${bindir}
>
>            install -d ${D}/lib/systemd/system
>
>            install -m 0755 hello.service ${D}/lib/systemd/system/
>
>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>

[-- Attachment #2: Type: text/html, Size: 9074 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1: Type: text/plain, Size: 3139 bytes --]

Hello Ross,

Against which version  this patch is applicable . I am using pseudo-1.7.4  and  could not find capset.c  file  under  “ports/linux/guts/   directory .

Can you please help here  ?

Thanks and Regards
Shrawan


From: Burton, Ross [mailto:ross.burton@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… Can you suggest something here  ?

fakeroot do_install() {
                    install -d ${D}${bindir}
                    install -m 0755 helloworld ${D}${bindir}
                    install -d ${D}/lib/systemd/system
                    install -m 0755 hello.service ${D}/lib/systemd/system/
             setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

           install -d ${D}${bindir}

           install -m 0755 helloworld ${D}${bindir}

           install -d ${D}/lib/systemd/system

           install -m 0755 hello.service ${D}/lib/systemd/system/

           setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself ?

capabilities on files are just extended attributes, so assuming that you have a fairly recent Yocto and your host and target filesystems support extended attributes, yes this should work.

Ross



[-- Attachment #2: Type: text/html, Size: 16509 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1: Type: text/plain, Size: 3476 bytes --]

Hello Ross,

Could  your update on my issues ?

Regards
Shrawan

From: yocto-bounces@yoctoproject.org [mailto:yocto-bounces@yoctoproject.org] On Behalf Of Kumar, Shrawan
Sent: Monday, June 27, 2016 12:04 PM
To: Burton, Ross
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hello Ross,

Against which version  this patch is applicable . I am using pseudo-1.7.4  and  could not find capset.c  file  under  “ports/linux/guts/   directory .

Can you please help here  ?

Thanks and Regards
Shrawan


From: Burton, Ross [mailto:ross.burton@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… Can you suggest something here  ?

fakeroot do_install() {
                    install -d ${D}${bindir}
                    install -m 0755 helloworld ${D}${bindir}
                    install -d ${D}/lib/systemd/system
                    install -m 0755 hello.service ${D}/lib/systemd/system/
             setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

           install -d ${D}${bindir}

           install -m 0755 helloworld ${D}${bindir}

           install -d ${D}/lib/systemd/system

           install -m 0755 hello.service ${D}/lib/systemd/system/

           setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself ?

capabilities on files are just extended attributes, so assuming that you have a fairly recent Yocto and your host and target filesystems support extended attributes, yes this should work.

Ross



[-- Attachment #2: Type: text/html, Size: 18477 bytes --]

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 292 bytes --]

On 29 June 2016 at 05:10, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:

> Could  your update on my issues ?
>
>
The patch is probably against a newer version.  If you're unable to switch
to the latest version of pseudo to debug this then you can run setcap in a
postinst.

Ross

[-- Attachment #2: Type: text/html, Size: 818 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1.1: Type: text/plain, Size: 3181 bytes --]

Hello Ross,

None of the approach is working .  I have attached the  recipe where I am trying to execute postinst . It builds successfully , But when I run getcap on the target , does not return the set capabilities.

Help will be highly appreciated .

Regards
Shrawan
From: Burton, Ross [mailto:ross.burton@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… Can you suggest something here  ?

fakeroot do_install() {
                    install -d ${D}${bindir}
                    install -m 0755 helloworld ${D}${bindir}
                    install -d ${D}/lib/systemd/system
                    install -m 0755 hello.service ${D}/lib/systemd/system/
             setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com<mailto:ross.burton@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

           install -d ${D}${bindir}

           install -m 0755 helloworld ${D}${bindir}

           install -d ${D}/lib/systemd/system

           install -m 0755 hello.service ${D}/lib/systemd/system/

           setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself ?

capabilities on files are just extended attributes, so assuming that you have a fairly recent Yocto and your host and target filesystems support extended attributes, yes this should work.

Ross



[-- Attachment #1.2: Type: text/html, Size: 16609 bytes --]

[-- Attachment #2: HelloWorld_0.1.bb --]
[-- Type: application/octet-stream, Size: 874 bytes --]

#
# This file was derived from the 'Hello World!' example recipe in the
# Yocto Project Development Manual.
#

SUMMARY = "Simple helloworld application"
SECTION = "examples"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
inherit systemd 


SRC_URI = "file://helloworld.c \
	file://hello.service "

S = "${WORKDIR}"

do_compile() {
	     ${CC} helloworld.c -o helloworld
}

do_install() {
	     install -d ${D}${bindir}
	     install -m 0755 helloworld ${D}${bindir}
	     install -d ${D}/lib/systemd/system
	     install -m 0755 hello.service ${D}/lib/systemd/system/
            # setcap cap_net_raw+ep  ${D}${bindir}/helloworld
            
	    	
}

pkg_postinst_${PN} () {
 
 setcap cap_net_raw+ep  $D${bindir}/helloworld

}


SYSTEMD_SERVICE_${PN} = "hello.service"

SYSTEMD_AUTO_ENABLE_${PN} = "enable"  

Re: setcap using recipe

[Daniel.]

Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr

2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar@harman.com>:
> Hello Ross,
>
>
>
> None of the approach is working .  I have attached the  recipe where I am
> trying to execute postinst . It builds successfully , But when I run getcap
> on the target , does not return the set capabilities.
>
>
>
> Help will be highly appreciated .
>
>
>
> Regards
>
> Shrawan
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 6:40 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Looks like using setcap directly is broken currently, there are two
> workarounds:
>
>
>
> 1) use a postinst to invoke setcap on the target instead
>
> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
> function that always succeeds) and verify that it fixes the problem for you.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 5:56 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command
> line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
>                     install -d ${D}${bindir}
>
>                     install -m 0755 helloworld ${D}${bindir}
>
>                     install -d ${D}/lib/systemd/system
>
>                     install -m 0755 hello.service ${D}/lib/systemd/system/
>
>              setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 5:09 PM
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>            install -d ${D}${bindir}
>
>            install -m 0755 helloworld ${D}${bindir}
>
>            install -d ${D}/lib/systemd/system
>
>            install -m 0755 hello.service ${D}/lib/systemd/system/
>
>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
"Do or do not. There is no try"
  Yoda Master

Re: setcap using recipe

[Mathieu Allard]

Hello,

I think that the main issue here is that the pkg_postinst function runs its action at the rootfs creation time, and not on the target as advised by Ross.

The chapter 5.3.16, "post-installation scripts" in the mega-manual offers some detailed explanations on how to make it run after the first boot.


Regards,

Mathieu


----- Original Message -----
From: "Daniel." <danielhilst@gmail.com>
To: "Kumar, Shrawan" <Shrawan.Kumar@harman.com>
Cc: yocto@yoctoproject.org
Sent: Friday, July 1, 2016 3:54:15 PM
Subject: Re: [yocto] setcap using recipe

Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr

2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar@harman.com>:
> Hello Ross,
>
>
>
> None of the approach is working .  I have attached the  recipe where I am
> trying to execute postinst . It builds successfully , But when I run getcap
> on the target , does not return the set capabilities.
>
>
>
> Help will be highly appreciated .
>
>
>
> Regards
>
> Shrawan
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 6:40 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Looks like using setcap directly is broken currently, there are two
> workarounds:
>
>
>
> 1) use a postinst to invoke setcap on the target instead
>
> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
> function that always succeeds) and verify that it fixes the problem for you.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 5:56 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command
> line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
>                     install -d ${D}${bindir}
>
>                     install -m 0755 helloworld ${D}${bindir}
>
>                     install -d ${D}/lib/systemd/system
>
>                     install -m 0755 hello.service ${D}/lib/systemd/system/
>
>              setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.burton@intel.com]
> Sent: Friday, June 24, 2016 5:09 PM
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>            install -d ${D}${bindir}
>
>            install -m 0755 helloworld ${D}${bindir}
>
>            install -d ${D}/lib/systemd/system
>
>            install -m 0755 hello.service ${D}/lib/systemd/system/
>
>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
>
>
>
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
"Do or do not. There is no try"
  Yoda Master
-- 
_______________________________________________
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: setcap using recipe

[Daniel.]

Hmmm I see,

Well, I didn't note that. And yeah, that command should be ran at
first boot, (that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.allard@evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers some detailed explanations on how to make it run after the first boot.
>
>
> Regards,
>
> Mathieu
>
>
> ----- Original Message -----
> From: "Daniel." <danielhilst@gmail.com>
> To: "Kumar, Shrawan" <Shrawan.Kumar@harman.com>
> Cc: yocto@yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :(
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar@harman.com>:
>> Hello Ross,
>>
>>
>>
>> None of the approach is working .  I have attached the  recipe where I am
>> trying to execute postinst . It builds successfully , But when I run getcap
>> on the target , does not return the set capabilities.
>>
>>
>>
>> Help will be highly appreciated .
>>
>>
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.burton@intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>>
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
>> function that always succeeds) and verify that it fixes the problem for you.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.burton@intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> What version of OE/Yocto are you using?  Old versions of pseudo didn't
>> support xattrs at all.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>>
>> Thanks Ross for your quick turn around , I am getting below error
>>
>>
>>
>> “Unable le to set CAP_SETFCAP effective capability: Operation not
>> permitted.”
>>
>>
>>
>> But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command
>> line I am able to set the cap.
>>
>>
>>
>> To achieve the sudo realization  in recipe , I tried  as below , but no
>> luck…… Can you suggest something here  ?
>>
>>
>>
>> fakeroot do_install() {
>>
>>                     install -d ${D}${bindir}
>>
>>                     install -m 0755 helloworld ${D}${bindir}
>>
>>                     install -d ${D}/lib/systemd/system
>>
>>                     install -m 0755 hello.service ${D}/lib/systemd/system/
>>
>>              setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>>
>>
>> }
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.burton@intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Hi,
>>
>>
>>
>> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>>
>> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
>> recipe?
>>
>>
>>
>> Example :
>>
>> do_install() {
>>
>>            install -d ${D}${bindir}
>>
>>            install -m 0755 helloworld ${D}${bindir}
>>
>>            install -d ${D}/lib/systemd/system
>>
>>            install -m 0755 hello.service ${D}/lib/systemd/system/
>>
>>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>> }
>>
>>
>>
>> If yes is this correct approach to achieve the same from  package recipe
>> itself ?
>>
>>
>> capabilities on files are just extended attributes, so assuming that you
>> have a fairly recent Yocto and your host and target filesystems support
>> extended attributes, yes this should work.
>>
>>
>>
>> Ross
>>
>>
>>
>>
>>
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
>>
>
>
>
> --
> "Do or do not. There is no try"
>   Yoda Master
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto



-- 
"Do or do not. There is no try"
  Yoda Master

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 375 bytes --]

On 1 July 2016 at 15:03, Mathieu Allard <mathieu.allard@evalan.com> wrote:

> I think that the main issue here is that the pkg_postinst function runs
> its action at the rootfs creation time, and not on the target as advised by
> Ross.
>

Yes, as I said in the first suggestion you'll need to ensure this runs on
the target (check $D and exit 1 if its set).

Ross

[-- Attachment #2: Type: text/html, Size: 784 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1: Type: text/plain, Size: 5651 bytes --]

Dear All,

The aim of my exercise is to apply "setcap " on an executable during rootfs creation. 
I should be able to view the set capability using getcap utility when this rootfs is mounted on the target. 
As I said earlier none of the suggested approach is working here.Currently I am qemux86 is my target. 
 
Can someone review the attached recipe and help solve the problem statement  ?



Regards
Shrawan

-----Original Message-----
From: Daniel. [mailto:danielhilst@gmail.com] 
Sent: Friday, July 01, 2016 7:54 PM
To: Mathieu Allard
Cc: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hmmm I see,

Well, I didn't note that. And yeah, that command should be ran at first boot, (that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.allard@evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers some detailed explanations on how to make it run after the first boot.
>
>
> Regards,
>
> Mathieu
>
>
> ----- Original Message -----
> From: "Daniel." <danielhilst@gmail.com>
> To: "Kumar, Shrawan" <Shrawan.Kumar@harman.com>
> Cc: yocto@yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :( 
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <Shrawan.Kumar@harman.com>:
>> Hello Ross,
>>
>>
>>
>> None of the approach is working .  I have attached the  recipe where 
>> I am trying to execute postinst . It builds successfully , But when I 
>> run getcap on the target , does not return the set capabilities.
>>
>>
>>
>> Help will be highly appreciated .
>>
>>
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.burton@intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>>
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset 
>> pseudo function that always succeeds) and verify that it fixes the problem for you.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.burton@intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> What version of OE/Yocto are you using?  Old versions of pseudo 
>> didn't support xattrs at all.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>>
>> Thanks Ross for your quick turn around , I am getting below error
>>
>>
>>
>> “Unable le to set CAP_SETFCAP effective capability: Operation not 
>> permitted.”
>>
>>
>>
>> But when I use    # sudo setcap cap_net_raw+ep  helloworld        on command
>> line I am able to set the cap.
>>
>>
>>
>> To achieve the sudo realization  in recipe , I tried  as below , but 
>> no luck…… Can you suggest something here  ?
>>
>>
>>
>> fakeroot do_install() {
>>
>>                     install -d ${D}${bindir}
>>
>>                     install -m 0755 helloworld ${D}${bindir}
>>
>>                     install -d ${D}/lib/systemd/system
>>
>>                     install -m 0755 hello.service 
>> ${D}/lib/systemd/system/
>>
>>              setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>>
>>
>> }
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.burton@intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Hi,
>>
>>
>>
>> On 24 June 2016 at 11:41, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:
>>
>> Is there a way to  add a capability to a binary (cap_net_raw+ep),into 
>> a recipe?
>>
>>
>>
>> Example :
>>
>> do_install() {
>>
>>            install -d ${D}${bindir}
>>
>>            install -m 0755 helloworld ${D}${bindir}
>>
>>            install -d ${D}/lib/systemd/system
>>
>>            install -m 0755 hello.service ${D}/lib/systemd/system/
>>
>>            setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>> }
>>
>>
>>
>> If yes is this correct approach to achieve the same from  package 
>> recipe itself ?
>>
>>
>> capabilities on files are just extended attributes, so assuming that 
>> you have a fairly recent Yocto and your host and target filesystems 
>> support extended attributes, yes this should work.
>>
>>
>>
>> Ross
>>
>>
>>
>>
>>
>>
>> --
>> _______________________________________________
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
>>
>
>
>
> --
> "Do or do not. There is no try"
>   Yoda Master
> --
> _______________________________________________
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto



--
"Do or do not. There is no try"
  Yoda Master

[-- Attachment #2: HelloWorld_0.1.bb --]
[-- Type: application/octet-stream, Size: 874 bytes --]

#
# This file was derived from the 'Hello World!' example recipe in the
# Yocto Project Development Manual.
#

SUMMARY = "Simple helloworld application"
SECTION = "examples"
LICENSE = "MIT"
LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
inherit systemd 


SRC_URI = "file://helloworld.c \
	file://hello.service "

S = "${WORKDIR}"

do_compile() {
	     ${CC} helloworld.c -o helloworld
}

do_install() {
	     install -d ${D}${bindir}
	     install -m 0755 helloworld ${D}${bindir}
	     install -d ${D}/lib/systemd/system
	     install -m 0755 hello.service ${D}/lib/systemd/system/
            # setcap cap_net_raw+ep  ${D}${bindir}/helloworld
            
	    	
}

pkg_postinst_${PN} () {
 
 setcap cap_net_raw+ep  $D${bindir}/helloworld

}


SYSTEMD_SERVICE_${PN} = "hello.service"

SYSTEMD_AUTO_ENABLE_${PN} = "enable"  

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 394 bytes --]

On 2 July 2016 at 10:22, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:

> Can someone review the attached recipe and help solve the problem
> statement  ?
>

As has been said, you need to ensure the postinst is delayed so it runs on
the target and not on the build host.

http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts

Ross

[-- Attachment #2: Type: text/html, Size: 1052 bytes --]

Re: setcap using recipe

[Kumar, Shrawan]

[-- Attachment #1: Type: text/plain, Size: 1087 bytes --]

Hello Ross,

Post-installation scripts run immediately after installing a package on the target or during image creation when a package is included in an image.
Does  it not mean that we can set the file attributes(setcap) during  image creation ?

I understand the delayed approach of executing it on the target, but my requirement is to do it on the build host. We do not want “setcap”  utility to be present on the target.


Regards
Shrawan

From: Burton, Ross [mailto:ross.burton@intel.com]
Sent: Saturday, July 02, 2016 2:56 PM
To: Kumar, Shrawan
Cc: Daniel.; Mathieu Allard; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe


On 2 July 2016 at 10:22, Kumar, Shrawan <Shrawan.Kumar@harman.com<mailto:Shrawan.Kumar@harman.com>> wrote:
Can someone review the attached recipe and help solve the problem statement  ?

As has been said, you need to ensure the postinst is delayed so it runs on the target and not on the build host.

http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts

Ross


[-- Attachment #2: Type: text/html, Size: 4456 bytes --]

Re: setcap using recipe

[Burton, Ross]

[-- Attachment #1: Type: text/plain, Size: 1245 bytes --]

On 2 July 2016 at 11:37, Kumar, Shrawan <Shrawan.Kumar@harman.com> wrote:

> Post-installation scripts run immediately after installing a package on
> the target *or during image creation when a package is included in an
> image*.
>
> Does  it not mean that we can set the file attributes(setcap) during
>  image creation ?
>
>
>
> I understand the delayed approach of executing it on the target, but my
> requirement is to do it on the build host. We do not want “setcap”  utility
> to be present on the target.
>
>
Then I suggest that you test the setcap patch that I pointed to earlier,
you'll likely need the pseudo 1.8 upgrade that Joshua sent last night.
This should ensure that setcap works in the pseudo environment.   Then
follow the instructions in image_types.bbclass to ensure that xattrs are
preserved when the image is created, and check your kernel configuration to
confirm that xattrs are supported.  I recommend attempting to use fsetattr
on the target directly to verify this. If all the pieces are in place then
they should work.

There's a number of bugs in bugzilla for tracking these issues (#9859 is
the metabug tracking them).  Your help in solving this would be much
appreciated!

Ross

[-- Attachment #2: Type: text/html, Size: 1834 bytes --]