Re: [yocto] setcap using recipe

[Burton, Ross]

On 2 July 2016 at 11:37, Kumar, Shrawan  wrote:

> Post-installation scripts run immediately after installing a package on
> the target *or during image creation when a package is included in an
> image*.
>
> Does  it not mean that we can set the file attributes(setcap) during
>  image creation ?
>
>
>
> I understand the delayed approach of executing it on the target, but my
> requirement is to do it on the build host. We do not want “setcap”  utility
> to be present on the target.
>
>
Then I suggest that you test the setcap patch that I pointed to earlier,
you'll likely need the pseudo 1.8 upgrade that Joshua sent last night.
This should ensure that setcap works in the pseudo environment.   Then
follow the instructions in image_types.bbclass to ensure that xattrs are
preserved when the image is created, and check your kernel configuration to
confirm that xattrs are supported.  I recommend attempting to use fsetattr
on the target directly to verify this. If all the pieces are in place then
they should work.

There's a number of bugs in bugzilla for tracking these issues (#9859 is
the metabug tracking them).  Your help in solving this would be much
appreciated!

Ross
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

Hello Ross,

Post-installation scripts run immediately after installing a package on the 
target or during image creation when a package is included in an image.
Does  it not mean that we can set the file attributes(setcap) during  image 
creation ?

I understand the delayed approach of executing it on the target, but my 
requirement is to do it on the build host. We do not want “setcap”  utility to 
be present on the target.


Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Saturday, July 02, 2016 2:56 PM
To: Kumar, Shrawan
Cc: Daniel.; Mathieu Allard; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe


On 2 July 2016 at 10:22, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Can someone review the attached recipe and help solve the problem statement  ?

As has been said, you need to ensure the postinst is delayed so it runs on the 
target and not on the build host.

http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts

Ross

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Burton, Ross]

On 2 July 2016 at 10:22, Kumar, Shrawan  wrote:

> Can someone review the attached recipe and help solve the problem
> statement  ?
>

As has been said, you need to ensure the postinst is delayed so it runs on
the target and not on the build host.

http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts

Ross
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

Dear All,

The aim of my exercise is to apply "setcap " on an executable during rootfs 
creation. 
I should be able to view the set capability using getcap utility when this 
rootfs is mounted on the target. 
As I said earlier none of the suggested approach is working here.Currently I am 
qemux86 is my target. 
 
Can someone review the attached recipe and help solve the problem statement  ?



Regards
Shrawan

-Original Message-
From: Daniel. [mailto:danielhi...@gmail.com] 
Sent: Friday, July 01, 2016 7:54 PM
To: Mathieu Allard
Cc: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hmmm I see,

Well, I didn't note that. And yeah, that command should be ran at first boot, 
(that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.all...@evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its 
> action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers 
> some detailed explanations on how to make it run after the first boot.
>
>
> Regards,
>
> Mathieu
>
>
> - Original Message -
> From: "Daniel." <danielhi...@gmail.com>
> To: "Kumar, Shrawan" <shrawan.ku...@harman.com>
> Cc: yocto@yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :( 
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <shrawan.ku...@harman.com>:
>> Hello Ross,
>>
>>
>>
>> None of the approach is working .  I have attached the  recipe where 
>> I am trying to execute postinst . It builds successfully , But when I 
>> run getcap on the target , does not return the set capabilities.
>>
>>
>>
>> Help will be highly appreciated .
>>
>>
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>>
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset 
>> pseudo function that always succeeds) and verify that it fixes the problem 
>> for you.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> What version of OE/Yocto are you using?  Old versions of pseudo 
>> didn't support xattrs at all.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> Thanks Ross for your quick turn around , I am getting below error
>>
>>
>>
>> “Unable le to set CAP_SETFCAP effective capability: Operation not 
>> permitted.”
>>
>>
>>
>> But when I use# sudo setcap cap_net_raw+ep  helloworldon command
>> line I am able to set the cap.
>>
>>
>>
>> To achieve the sudo realization  in recipe , I tried  as below , but 
>> no luck…… Can you suggest something here  ?
>>
>>
>>
>> fakeroot do_install() {
>>
>> install -d ${D}${bindir}
>>
>> install -m 0755 helloworld ${D}${bindir}
>>
>> install -d ${D}/lib/systemd/system
>>
>> install -m 0755 hello.service 
>> ${D}/lib/systemd/system/
>>
>>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>>
>>
>> }
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctop

Re: [yocto] setcap using recipe

[Burton, Ross]

On 1 July 2016 at 15:03, Mathieu Allard  wrote:

> I think that the main issue here is that the pkg_postinst function runs
> its action at the rootfs creation time, and not on the target as advised by
> Ross.
>

Yes, as I said in the first suggestion you'll need to ensure this runs on
the target (check $D and exit 1 if its set).

Ross
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Daniel.]

Hmmm I see,

Well, I didn't note that. And yeah, that command should be ran at
first boot, (that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.all...@evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its 
> action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers 
> some detailed explanations on how to make it run after the first boot.
>
>
> Regards,
>
> Mathieu
>
>
> - Original Message -
> From: "Daniel." <danielhi...@gmail.com>
> To: "Kumar, Shrawan" <shrawan.ku...@harman.com>
> Cc: yocto@yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :(
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <shrawan.ku...@harman.com>:
>> Hello Ross,
>>
>>
>>
>> None of the approach is working .  I have attached the  recipe where I am
>> trying to execute postinst . It builds successfully , But when I run getcap
>> on the target , does not return the set capabilities.
>>
>>
>>
>> Help will be highly appreciated .
>>
>>
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>>
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
>> function that always succeeds) and verify that it fixes the problem for you.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> What version of OE/Yocto are you using?  Old versions of pseudo didn't
>> support xattrs at all.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> Thanks Ross for your quick turn around , I am getting below error
>>
>>
>>
>> “Unable le to set CAP_SETFCAP effective capability: Operation not
>> permitted.”
>>
>>
>>
>> But when I use# sudo setcap cap_net_raw+ep  helloworldon command
>> line I am able to set the cap.
>>
>>
>>
>> To achieve the sudo realization  in recipe , I tried  as below , but no
>> luck…… Can you suggest something here  ?
>>
>>
>>
>> fakeroot do_install() {
>>
>> install -d ${D}${bindir}
>>
>> install -m 0755 helloworld ${D}${bindir}
>>
>> install -d ${D}/lib/systemd/system
>>
>> install -m 0755 hello.service ${D}/lib/systemd/system/
>>
>>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>>
>>
>> }
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Hi,
>>
>>
>>
>> On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
>> recipe?
>>
>>
>>
>> Example :
>>
>> do_install() {
>>
>>install -d ${D}${bindir}
>>
>>install -m 0755 helloworld ${D}${bindir}
>>
>>install -d ${D}/lib/systemd/system
>>
>>install -m 0755 hello.service ${D}/lib/systemd/system/
>>
>>setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>> }
>>
>>
>>
>> If yes is this correct approach to achieve the same from  package recipe
>> itself ?
>>
>>
>> capabilities on files are just extended attributes, so assuming that you
>> have a fairly recent Yocto and your host and target filesystems support
>> extended attributes, yes this should work.
>>
>>
>>
>> Ross
>>
>>
>>
>>
>>
>>
>> --
>> ___
>> yocto mailing list
>> yocto@yoctoproject.org
>> https://lists.yoctoproject.org/listinfo/yocto
>>
>
>
>
> --
> "Do or do not. There is no try"
>   Yoda Master
> --
> ___
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto



-- 
"Do or do not. There is no try"
  Yoda Master
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Mathieu Allard]

Hello,

I think that the main issue here is that the pkg_postinst function runs its 
action at the rootfs creation time, and not on the target as advised by Ross.

The chapter 5.3.16, "post-installation scripts" in the mega-manual offers some 
detailed explanations on how to make it run after the first boot.


Regards,

Mathieu


- Original Message -
From: "Daniel." <danielhi...@gmail.com>
To: "Kumar, Shrawan" <shrawan.ku...@harman.com>
Cc: yocto@yoctoproject.org
Sent: Friday, July 1, 2016 3:54:15 PM
Subject: Re: [yocto] setcap using recipe

Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr

2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <shrawan.ku...@harman.com>:
> Hello Ross,
>
>
>
> None of the approach is working .  I have attached the  recipe where I am
> trying to execute postinst . It builds successfully , But when I run getcap
> on the target , does not return the set capabilities.
>
>
>
> Help will be highly appreciated .
>
>
>
> Regards
>
> Shrawan
>
> From: Burton, Ross [mailto:ross.bur...@intel.com]
> Sent: Friday, June 24, 2016 6:40 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Looks like using setcap directly is broken currently, there are two
> workarounds:
>
>
>
> 1) use a postinst to invoke setcap on the target instead
>
> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
> function that always succeeds) and verify that it fixes the problem for you.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.bur...@intel.com]
> Sent: Friday, June 24, 2016 5:56 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use# sudo setcap cap_net_raw+ep  helloworldon command
> line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
> install -d ${D}${bindir}
>
> install -m 0755 helloworld ${D}${bindir}
>
> install -d ${D}/lib/systemd/system
>
>     install -m 0755 hello.service ${D}/lib/systemd/system/
>
>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.bur...@intel.com]
> Sent: Friday, June 24, 2016 5:09 PM
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>install -d ${D}${bindir}
>
>install -m 0755 helloworld ${D}${bindir}
>
>install -d ${D}/lib/systemd/system
>
>install -m 0755 hello.service ${D}/lib/systemd/system/
>
>setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
>
>
>
> --
> ___
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
"Do or do not. There is no try"
  Yoda Master
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Daniel.]

Does your target filesystem support it? ubifs doesn't :(
http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr

2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <shrawan.ku...@harman.com>:
> Hello Ross,
>
>
>
> None of the approach is working .  I have attached the  recipe where I am
> trying to execute postinst . It builds successfully , But when I run getcap
> on the target , does not return the set capabilities.
>
>
>
> Help will be highly appreciated .
>
>
>
> Regards
>
> Shrawan
>
> From: Burton, Ross [mailto:ross.bur...@intel.com]
> Sent: Friday, June 24, 2016 6:40 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Looks like using setcap directly is broken currently, there are two
> workarounds:
>
>
>
> 1) use a postinst to invoke setcap on the target instead
>
> 2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo
> function that always succeeds) and verify that it fixes the problem for you.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.bur...@intel.com]
> Sent: Friday, June 24, 2016 5:56 PM
>
>
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use# sudo setcap cap_net_raw+ep  helloworldon command
> line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
> install -d ${D}${bindir}
>
> install -m 0755 helloworld ${D}${bindir}
>
> install -d ${D}/lib/systemd/system
>
>     install -m 0755 hello.service ${D}/lib/systemd/system/
>
>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> From: Burton, Ross [mailto:ross.bur...@intel.com]
> Sent: Friday, June 24, 2016 5:09 PM
> To: Kumar, Shrawan
> Cc: yocto@yoctoproject.org
> Subject: Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>install -d ${D}${bindir}
>
>install -m 0755 helloworld ${D}${bindir}
>
>install -d ${D}/lib/systemd/system
>
>install -m 0755 hello.service ${D}/lib/systemd/system/
>
>setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
>
>
>
> --
> ___
> yocto mailing list
> yocto@yoctoproject.org
> https://lists.yoctoproject.org/listinfo/yocto
>



-- 
"Do or do not. There is no try"
  Yoda Master
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

Hello Ross,

None of the approach is working .  I have attached the  recipe where I am 
trying to execute postinst . It builds successfully , But when I run getcap on 
the target , does not return the set capabilities.

Help will be highly appreciated .

Regards
Shrawan
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo 
function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use# sudo setcap cap_net_raw+ep  helloworldon command 
line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… 
Can you suggest something here  ?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself 
?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross




HelloWorld_0.1.bb
Description: HelloWorld_0.1.bb
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Burton, Ross]

On 29 June 2016 at 05:10, Kumar, Shrawan  wrote:

> Could  your update on my issues ?
>
>
The patch is probably against a newer version.  If you're unable to switch
to the latest version of pseudo to debug this then you can run setcap in a
postinst.

Ross
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

Hello Ross,

Could  your update on my issues ?

Regards
Shrawan

From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On 
Behalf Of Kumar, Shrawan
Sent: Monday, June 27, 2016 12:04 PM
To: Burton, Ross
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hello Ross,

Against which version  this patch is applicable . I am using pseudo-1.7.4  and  
could not find capset.c  file  under  “ports/linux/guts/   directory .

Can you please help here  ?

Thanks and Regards
Shrawan


From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo 
function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use# sudo setcap cap_net_raw+ep  helloworldon command 
line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… 
Can you suggest something here  ?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself 
?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross


-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

Hello Ross,

Against which version  this patch is applicable . I am using pseudo-1.7.4  and  
could not find capset.c  file  under  “ports/linux/guts/   directory .

Can you please help here  ?

Thanks and Regards
Shrawan


From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo 
function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use# sudo setcap cap_net_raw+ep  helloworldon command 
line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… 
Can you suggest something here  ?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself 
?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross


-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Burton, Ross]

Looks like using setcap directly is broken currently, there are two
workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset
pseudo function that always succeeds) and verify that it fixes the problem
for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

> I am using Yocto 2.0.2
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> *From:* Burton, Ross [mailto:ross.bur...@intel.com]
> *Sent:* Friday, June 24, 2016 5:56 PM
>
> *To:* Kumar, Shrawan
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] setcap using recipe
>
>
>
> What version of OE/Yocto are you using?  Old versions of pseudo didn't
> support xattrs at all.
>
>
>
> Ross
>
>
>
> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use# *sudo* setcap cap_net_raw+ep  helloworldon
> command line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
> install -d ${D}${bindir}
>
> install -m 0755 helloworld ${D}${bindir}
>
> install -d ${D}/lib/systemd/system
>
> install -m 0755 hello.service ${D}/lib/systemd/system/
>
>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> *From:* Burton, Ross [mailto:ross.bur...@intel.com]
> *Sent:* Friday, June 24, 2016 5:09 PM
> *To:* Kumar, Shrawan
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>install -d ${D}${bindir}
>
>install -m 0755 helloworld ${D}${bindir}
>
>install -d ${D}/lib/systemd/system
>
>install -m 0755 hello.service ${D}/lib/systemd/system/
>
>setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
>
>
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:56 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use# sudo setcap cap_net_raw+ep  helloworldon command 
line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… 
Can you suggest something here  ?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself 
?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross



HelloWorld_0.1.bb
Description: HelloWorld_0.1.bb
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Burton, Ross]

What version of OE/Yocto are you using?  Old versions of pseudo didn't
support xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

> Thanks Ross for your quick turn around , I am getting below error
>
>
>
> “Unable le to set CAP_SETFCAP effective capability: Operation not
> permitted.”
>
>
>
> But when I use# *sudo* setcap cap_net_raw+ep  helloworldon
> command line I am able to set the cap.
>
>
>
> To achieve the sudo realization  in recipe , I tried  as below , but no
> luck…… Can you suggest something here  ?
>
>
>
> fakeroot do_install() {
>
> install -d ${D}${bindir}
>
> install -m 0755 helloworld ${D}${bindir}
>
> install -d ${D}/lib/systemd/system
>
> install -m 0755 hello.service ${D}/lib/systemd/system/
>
>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
>
>
> }
>
>
>
> Thanks and Regards
>
> Shrawan
>
>
>
> *From:* Burton, Ross [mailto:ross.bur...@intel.com]
> *Sent:* Friday, June 24, 2016 5:09 PM
> *To:* Kumar, Shrawan
> *Cc:* yocto@yoctoproject.org
> *Subject:* Re: [yocto] setcap using recipe
>
>
>
> Hi,
>
>
>
> On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>
> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>install -d ${D}${bindir}
>
>install -m 0755 helloworld ${D}${bindir}
>
>install -d ${D}/lib/systemd/system
>
>install -m 0755 hello.service ${D}/lib/systemd/system/
>
>setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>
>
> capabilities on files are just extended attributes, so assuming that you
> have a fairly recent Yocto and your host and target filesystems support
> extended attributes, yes this should work.
>
>
>
> Ross
>
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Kumar, Shrawan]

Thanks Ross for your quick turn around , I am getting below error

“Unable le to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use# sudo setcap cap_net_raw+ep  helloworldon command 
line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… 
Can you suggest something here  ?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:

Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself 
?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

Re: [yocto] setcap using recipe

[Burton, Ross]

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan  wrote:

> Is there a way to  add a capability to a binary (cap_net_raw+ep),into a
> recipe?
>
>
>
> Example :
>
> do_install() {
>
>install -d ${D}${bindir}
>
>install -m 0755 helloworld ${D}${bindir}
>
>install -d ${D}/lib/systemd/system
>
>install -m 0755 hello.service ${D}/lib/systemd/system/
>
>setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>
> }
>
>
>
> If yes is this correct approach to achieve the same from  package recipe
> itself ?
>

capabilities on files are just extended attributes, so assuming that you
have a fairly recent Yocto and your host and target filesystems support
extended attributes, yes this should work.

Ross
-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto

[yocto] setcap using recipe

[Kumar, Shrawan]

Hello All,



Is there a way to  add a capability to a binary (cap_net_raw+ep),into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes is this correct approach to achieve the same from  package recipe itself 
?





Thanks and Regards

Shrawan

-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto