Re: [yocto] POSIX capability broken pseudo

2018-07-10 Thread Kumar, Shrawan
Any update  on this ?


Regards
Shrawan

From: Kumar, Shrawan
Sent: 09 July 2018 17:17
To: 'yocto@yoctoproject.org' 
Cc: 'connect.shra...@gmail.com' ; 'Khem Raj' 

Subject: POSIX capability broken pseudo

Hello Team,

Under DISTRO_VERSION = "2.0.2" ("jethro"), I was using the attached 
“setcap.patch” on pseudo_1.7.4  to get POSIX capability set in the files as 
below :

pkg_postinst_${PN}() {

setcap cap_net_raw+ep  $D$bindir/helloworld

}

This was working fine.


However, recently switched to DISTRO_VERSION = "2.2.2" ("morty") - 
pseudo_1.8.1, where the patch is getting applied but the POSIX capabilities are 
not getting set.

Can someone help here?


Regards
Shrawan


-- 
___
yocto mailing list
yocto@yoctoproject.org
https://lists.yoctoproject.org/listinfo/yocto


[yocto] POSIX capability broken pseudo

2018-07-09 Thread Kumar, Shrawan
Hello Team,

Under DISTRO_VERSION = "2.0.2" ("jethro"), I was using the attached 
“setcap.patch” on pseudo_1.7.4  to get POSIX capability set in the files as 
below :

pkg_postinst_${PN}() {

setcap cap_net_raw+ep  $D$bindir/helloworld

}

This was working fine.


However, recently switched to DISTRO_VERSION = "2.2.2" ("morty") - 
pseudo_1.8.1, where the patch is getting applied but the POSIX capabilities are 
not getting set.

Can someone help here?


Regards
Shrawan




setcap.patch
Description: setcap.patch


[yocto] removal of user & group from sysroot when recipe/package is cleaned

2018-04-24 Thread Kumar, Shrawan
Hello Team,


Referring to the patch below regarding removal of user & group from sysroot 
when recipe/package is cleaned using clean/cleansstate/cleanall :



https://patchwork.openembedded.org/patch/119549/





Has this patch been upstreamed?

Regards
Shrawan


Re: [yocto] [EXTERNAL] Re: want to execute a script having sudo : sudo cryptsetup

2018-04-24 Thread Kumar, Shrawan
Hello Team,


Referring to the patch below regarding removal of user & group from sysroot 
when recipe/package is cleaned using clean/cleansstate/cleanall :



https://patchwork.openembedded.org/patch/119549/





Has this patch been upstreamed?

Regards
Shrawan
From: John Finley [mailto:john.fin...@gmail.com]
Sent: 27 September 2017 22:58
To: Khem Raj <raj.k...@gmail.com>
Cc: Kumar, Shrawan <shrawan.ku...@harman.com>; connect.shra...@gmail.com; 
yocto@yoctoproject.org
Subject: [EXTERNAL] Re: [yocto] want to execute a script having sudo : sudo 
cryptsetup

pseudo can't do some of the cryptsetup functions that really require root, or 
at least I could not convince it to. Using sudo is not so good, but I don't 
think there's an easy way around it for the cryptsetup stuff.

On Wed, Sep 27, 2017 at 10:22 AM, Khem Raj 
<raj.k...@gmail.com<mailto:raj.k...@gmail.com>> wrote:

On Wed, Sep 27, 2017 at 9:21 AM John Finley 
<john.fin...@gmail.com<mailto:john.fin...@gmail.com>> wrote:
Try making it so the user doing the build is not prompted for a password when 
they do "sudo". I have this in my vm:

I think you can leverage pseudo tool to emulate the root user during build

john@vbox-ubuntu-16$ cat /etc/sudoers.d/john
john ALL=(ALL) NOPASSWD: ALL
john@vbox-ubuntu-16$
I don't know if that's all that's needed; I have to google it every time.

On Mon, Sep 25, 2017 at 2:48 AM, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Hello Team ,

I am trying to achieve below from yocto , do we have a way  ?


dd if=/dev/zero of=hello.enc bs=4k count=$400
mknod /dev/loop_dev_0
losetup /dev/loop_dev_0 hello.enc
sudo cryptsetup --type=plain open /dev/loop_dev_0  plainMap < $2




Thanks and Regards
Shrawan




[yocto] want to execute a script having sudo : sudo cryptsetup

2017-09-27 Thread Kumar, Shrawan
Hello Team ,

I am trying to achieve below from yocto , do we have a way  ?


dd if=/dev/zero of=hello.enc bs=4k count=$400
mknod /dev/loop_dev_0
losetup /dev/loop_dev_0 hello.enc
sudo cryptsetup --type=plain open /dev/loop_dev_0  plainMap < $2




Thanks and Regards
Shrawan



Re: [yocto] rootfs encryption support

2017-09-26 Thread Kumar, Shrawan


To add further information to the query , I am executing  "cryptsetup"  from a 
recipe as below : (Yocto 2.0.2)


fakeroot do_install() {
   cryptsetup --type=plain open hello.enc demomap < dm-crypt-key

}


Additional debug log :

+ do_install
| + cryptsetup --type=plain open /path_to/tmp/work/cortexa9hf-vfp-neon-elina-linux-gnueabi/DM-CryptSetup/1.0-r0/hello.enc demomap
| Cannot initialize device-mapper. Is dm_mod kernel module loaded?
|
| Cannot initialize device-mapper. Is dm_mod kernel module loaded?
| + bb_exit_handler


Ideally, I was under the impression that "fakeroot" would have allowed me to 
achieve the goal.



Thanks & Regards
Shrawan

From: Kumar, Shrawan
Sent: Tuesday, September 26, 2017 10:56 AM
To: 'yocto@yoctoproject.org' <yocto@yoctoproject.org>
Subject: rootfs encryption support

Hello Team ,

Is it possible to get encrypted rootfs during image build  ?

Currently , I am running "cryptsetup" (as sudo) manually   after the final 
image(rootfs.ext4) is produced  . The idea is to get this done within yocto 
environment without sudo problem .


Thanks and Regards
Shrawan


[yocto] rootfs encryption support

2017-09-25 Thread Kumar, Shrawan
Hello Team ,

Is it possible to get encrypted rootfs during image build  ?

Currently , I am running "cryptsetup" (as sudo) manually   after the final 
image(rootfs.ext4) is produced  . The idea is to get this done within yocto 
environment without sudo problem .


Thanks and Regards
Shrawan


Re: [yocto] want to execute a script having sudo : sudo cryptsetup

2017-09-25 Thread Kumar, Shrawan
Hello Team ,

I am trying to achieve below from yocto , do we have a way  ?


dd if=/dev/zero of=hello.enc bs=4k count=$400
mknod /dev/loop_dev_0
losetup /dev/loop_dev_0 hello.enc
sudo cryptsetup --type=plain open /dev/loop_dev_0  plainMap < $2




Thanks and Regards
Shrawan



[yocto] setting security attributes to device file(/dev/ipc)

2017-07-12 Thread Kumar, Shrawan
Hello Team ,

I want to set ACL and SMACK/SELinux rules on device files (like /dev/ipc2, 
/dev/galcore etc.) from the build system. But device files are 
dynamically populated at runtime.

Do we have some way in "Yocto"  to achieve the goal  ?



Thanks & Regards
Shrawan


Re: [yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

2016-11-03 Thread Kumar, Shrawan
Hello Team ,

I am trying to set extended attributes using the postinst below. I am able to 
preserve the setcap and smack attributes in the ext4 image. However, I am 
getting "Invalid argument" when I run getfacl/setfacl in the qemu target. As said 
earlier, all 3 attributes are seen using devshell in the rootfs folder.

pkg_postinst_${PN}() {
    setfacl -m u:user2:r-- $D${bindir}/helloworld
    setcap cap_net_raw+ep $D${bindir}/helloworld
    chsmack -a "helloWorldAccessLabel" -e "helloWorldExecuteLabel" $D${bindir}/helloworld
}


When I was using "e2fsprogs_1.42.9.bb" the POSIX caps and smack rules were not 
getting preserved but the ACL attributes were getting preserved; now the opposite is 
happening.


@Joshua/Team
Can somebody help here? This is a bit urgent and I have been struggling for 
quite some time.

Note: I have set the inode size to be 256 while creating the ext4 image.


Thanks and Regards
Shrawan



-Original Message-
From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On 
Behalf Of Kumar, Shrawan
Sent: Thursday, October 27, 2016 6:26 PM
To: Joshua G Lock; yocto@yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not 
getting preserved in rootfs

Hello All,

Further update on this issue , migrated to "e2fsprogs_1.43.bb"  from 
"e2fsprogs_1.42.9.bb" . It is observed that the ACL permission set are visible 
on dev-shell  but when qemu is launched we get below error :

root@qemux86:#getfacl /usr/bin/helloworld
getfacl: /usr/bin/helloworld: Invalid argument


Also,
 
root@qemux86:# setfacl -m u:user2:r-- /usr/bin/helloworld 
   setfacl: /usr/bin/helloworld: Invalid argument




Thanks and Regards
Shrawan




-Original Message-
From: Joshua G Lock [mailto:joshua.g.l...@linux.intel.com]
Sent: Friday, August 12, 2016 7:22 PM
To: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not 
getting preserved in rootfs

On Fri, 2016-08-12 at 12:33 +, Kumar, Shrawan wrote:
> Hello All,
>  
> I am using poky “jethro”, and through one of my recipes I have 
> created user1 & user2 and am then trying to set ACL rules on the 
> “helloworld” bin as below:
>  
>  
> do_install() {
>     install -d ${D}${bindir}
>     install -m 0700 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0700 hello.service ${D}/lib/systemd/system/
>     chown user1:group1 ${D}${bindir}/helloworld
>     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> }
>  
>  
> => When I look in the devshell (bitbake HelloWorld -c devshell):
> poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> I could see that the ACL permissions are set correctly as below:
> -    # file: helloworld
> -    # owner: user1
> -    # group: group1
> -    user::rwx
> -    user:user2:r--
> -    group::---
> -    mask::r--
> -    other::---
>  
> However, it does not seem to be getting preserved in rootfs:
> /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> # file: helloworld
> # owner: user1
> # group: group1
> user::rwx
> group::---
> other::---
>  
> quick help  here would be highly appreciated

This is due to the fact that we don't currently have a mechanism to preserve 
xattr through to image construction[1].

The largest barrier for doing so is that the package managers (certainly dpkg 
and rpm) don't have any support for xattrs in packages (an image is populated 
via the package manager).

To the best of my knowledge the only option for adding some xattr/ACL is to use 
a postinst[2] to set the attributes after the package has been installed.

Regards,

Joshua

1. https://bugzilla.yoctoproject.org/show_bug.cgi?id=9858
2. http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-
recipe-post-installation-scripts



Re: [yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

2016-10-27 Thread Kumar, Shrawan
Hello All,

Further update on this issue , migrated to "e2fsprogs_1.43.bb"  from 
"e2fsprogs_1.42.9.bb" . It is observed that the ACL permission set are visible 
on dev-shell  but when qemu is launched we get below error :

root@qemux86:#getfacl /usr/bin/helloworld
getfacl: /usr/bin/helloworld: Invalid argument


Also,
 
root@qemux86:# setfacl -m u:user2:r-- /usr/bin/helloworld 
   setfacl: /usr/bin/helloworld: Invalid argument


Is this known and fixed already  ?

Google shows that similar observations are seen , are they related ?
https://www.suse.com/support/kb/doc?id=7003064
https://bbs.archlinux.org/viewtopic.php?id=211463
https://access.redhat.com/solutions/752523



Thanks and Regards
Shrawan




-Original Message-
From: Joshua G Lock [mailto:joshua.g.l...@linux.intel.com] 
Sent: Friday, August 12, 2016 7:22 PM
To: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not 
getting preserved in rootfs

On Fri, 2016-08-12 at 12:33 +, Kumar, Shrawan wrote:
> Hello All,
>  
> I am using poky “jethro”, and through one of my recipes I have 
> created user1 & user2 and am then trying to set ACL rules on the 
> “helloworld” bin as below:
>  
>  
> do_install() {
>     install -d ${D}${bindir}
>     install -m 0700 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0700 hello.service ${D}/lib/systemd/system/
>     chown user1:group1 ${D}${bindir}/helloworld
>     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> }
>  
>  
> => When I look in the devshell (bitbake HelloWorld -c devshell):
> poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> I could see that the ACL permissions are set correctly as below:
> -    # file: helloworld
> -    # owner: user1
> -    # group: group1
> -    user::rwx
> -    user:user2:r--
> -    group::---
> -    mask::r--
> -    other::---
>  
> However, it does not seem to be getting preserved in rootfs:
> /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> # file: helloworld
> # owner: user1
> # group: group1
> user::rwx
> group::---
> other::---
>  
> quick help  here would be highly appreciated

This is due to the fact that we don't currently have a mechanism to preserve 
xattr through to image construction[1].

The largest barrier for doing so is that the package managers (certainly dpkg 
and rpm) don't have any support for xattrs in packages (an image is populated 
via the package manager).

To the best of my knowledge the only option for adding some xattr/ACL is to use 
a postinst[2] to set the attributes after the package has been installed.

Regards,

Joshua

1. https://bugzilla.yoctoproject.org/show_bug.cgi?id=9858
2. http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-
recipe-post-installation-scripts



Re: [yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

2016-08-16 Thread Kumar, Shrawan
Hello Joshua,

We did not want bins like setfacl,setcap,chsmack  etc.. to be kept on target .

- wanted to understand "how does this postscript gets copied to target and at 
which path"?
-  I will have multiple recipe that will have this postscript to set respective 
packages bin's "acl" permissions and "smack" rules. Is it possible that after 
executing all the post script from   all the recipes , I shall be able to 
uninstall the acl and smack rpms ? Same applies for "setcap" rpms.

- Do you have near plan to fix these :) ?



Thanks and Regards
Shrawan

-Original Message-
From: Joshua G Lock [mailto:joshua.g.l...@linux.intel.com] 
Sent: Wednesday, August 17, 2016 1:22 AM
To: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not 
getting preserved in rootfs

On Tue, 2016-08-16 at 11:55 +, Kumar, Shrawan wrote:
> Thanks Joshua,
> 
> "postinst"  works!!  I could see the attributes set under
> "poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-
> minimal/1.0-r0/rootfs/".
> 
>  However, I still could not see the attributes after booting qemu. It 
> seems during rootfs.ext4 (mkfs.ext4 command )creation when 
> "create_image_ext4.sh" is called , again this is getting   lost.
> 
> Any idea on this ?


I'm not sure why the attribute isn't preserved in the image, it could be a 
another missing piece for me to track in the quest to better support xattr.

There is a way to work around it, though — you can force the postinst to be run 
on the target at first boot, as documented in that same manual section. For 
example I have a test recipe with:

8<snip

pkg_postinst_${PN}() {
    chown foo:foo $D${datadir}/xattrtest/xattrtest
    # Force setfacl to run on the target, not at image creation
    if [ x"$D" = "x" ]; then
        setfacl -m u:bar:r-- $D${datadir}/xattrtest/xattrtest
    else
        exit 1
    fi
}

USERADD_PACKAGES = "${PN}"
USERADD_PARAM_${PN} = "-m foo;-m bar"
RDEPENDS_${PN} += "acl"

8<snip

which results in:

$ getfacl /usr/share/xattrtest/xattrtest
getfacl: Removing leading '/' from absolute path names
# file /usr/share/xattrtest/xattrtest
# owner: foo
# group: foo
user::rw-
user:bar:r--
group::r--
mask::r--
other::r--

The downside here is that your image has to include postinst support and the 
acl package (per the RDEPENDS_${PN} line in the snippet above).

Regards,

Joshua

> 
> Regards
> Shrawan
> 
> 
> 
> 
> 
> -Original Message-
> From: Joshua G Lock [mailto:joshua.g.l...@linux.intel.com]
> Sent: Friday, August 12, 2016 7:22 PM
> To: Kumar, Shrawan; yocto@yoctoproject.org
> Subject: Re: [yocto] Access Control List (ACL) permissions attributes 
> not getting preserved in rootfs
> 
> On Fri, 2016-08-12 at 12:33 +, Kumar, Shrawan wrote:
> > 
> > Hello All,
> >  
> > I am using poky “jethro”, and through one of my recipes I have 
> > created user1 & user2 and am then trying to set ACL rules on the 
> > “helloworld” bin as below:
> >  
> >  
> > do_install() {
> >     install -d ${D}${bindir}
> >     install -m 0700 helloworld ${D}${bindir}
> >     install -d ${D}/lib/systemd/system
> >     install -m 0700 hello.service ${D}/lib/systemd/system/
> >     chown user1:group1 ${D}${bindir}/helloworld
> >     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> > }
> >  
> >  
> > => When I look in the devshell (bitbake HelloWorld -c devshell):
> > poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> > I could see that the ACL permissions are set correctly as below:
> > -    # file: helloworld
> > -    # owner: user1
> > -    # group: group1
> > -    user::rwx
> > -    user:user2:r--
> > -    group::---
> > -    mask::r--
> > -    other::---
> >  
> > However, it does not seem to be getting preserved in rootfs:
> > /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> > # file: helloworld
> > # owner: user1
> > # group: group1
> > user::rwx
> > group::---
> > other::---
> >  
> > quick help  here would be highly appreciated
> 
> This is due to the fact that we don't currently have a mechanism to 
> preserve xattr through to image construction[1].
> 
> The largest barrier for doing so is that the package managers 
> (certainly dpkg and

Re: [yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

2016-08-16 Thread Kumar, Shrawan
Thanks Joshua,

"postinst"  works!!  I could see the attributes set under 
"poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/".

 However, I still could not see the attributes after booting qemu. It seems 
during rootfs.ext4 (mkfs.ext4 command )creation when "create_image_ext4.sh" is 
called , again this is getting   lost.

Any idea on this ?


Regards
Shrawan





-Original Message-
From: Joshua G Lock [mailto:joshua.g.l...@linux.intel.com] 
Sent: Friday, August 12, 2016 7:22 PM
To: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] Access Control List (ACL) permissions attributes not 
getting preserved in rootfs

On Fri, 2016-08-12 at 12:33 +, Kumar, Shrawan wrote:
> Hello All,
>  
> I am using poky “jethro”, and through one of my recipes I have 
> created user1 & user2 and am then trying to set ACL rules on the 
> “helloworld” bin as below:
>  
>  
> do_install() {
>     install -d ${D}${bindir}
>     install -m 0700 helloworld ${D}${bindir}
>     install -d ${D}/lib/systemd/system
>     install -m 0700 hello.service ${D}/lib/systemd/system/
>     chown user1:group1 ${D}${bindir}/helloworld
>     setfacl -m u:user2:r-- ${D}${bindir}/helloworld
> }
>  
>  
> => When I look in the devshell (bitbake HelloWorld -c devshell):
> poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> I could see that the ACL permissions are set correctly as below:
> -    # file: helloworld
> -    # owner: user1
> -    # group: group1
> -    user::rwx
> -    user:user2:r--
> -    group::---
> -    mask::r--
> -    other::---
>  
> However, it does not seem to be getting preserved in rootfs:
> /poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
> # file: helloworld
> # owner: user1
> # group: group1
> user::rwx
> group::---
> other::---
>  
> quick help  here would be highly appreciated

This is due to the fact that we don't currently have a mechanism to preserve 
xattr through to image construction[1].

The largest barrier for doing so is that the package managers (certainly dpkg 
and rpm) don't have any support for xattrs in packages (an image is populated 
via the package manager).

To the best of my knowledge the only option for adding some xattr/ACL is to use 
a postinst[2] to set the attributes after the package has been installed.

Regards,

Joshua

1. https://bugzilla.yoctoproject.org/show_bug.cgi?id=9858
2. http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-
recipe-post-installation-scripts



[yocto] Access Control List (ACL) permissions attributes not getting preserved in rootfs

2016-08-12 Thread Kumar, Shrawan
Hello All,

I am using poky "jethro", and through one of my recipes I have created 
user1 & user2 and am then trying to set ACL rules on the "helloworld" bin as below:


do_install() {
    install -d ${D}${bindir}
    install -m 0700 helloworld ${D}${bindir}
    install -d ${D}/lib/systemd/system
    install -m 0700 hello.service ${D}/lib/systemd/system/
    chown user1:group1 ${D}${bindir}/helloworld
    setfacl -m u:user2:r-- ${D}${bindir}/helloworld
}



=> When I look in the devshell (bitbake HelloWorld -c devshell):
poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
I could see that the ACL permissions are set correctly as below:

-    # file: helloworld
-    # owner: user1
-    # group: group1
-    user::rwx
-    user:user2:r--
-    group::---
-    mask::r--
-    other::---

However, it does not seem to be getting preserved in rootfs:
/poky/build_qemux86/tmp/work/qemux86-poky-linux/core-image-minimal/1.0-r0/rootfs/usr/bin# getfacl helloworld
# file: helloworld
# owner: user1
# group: group1
user::rwx
group::---
other::---

Quick help here would be highly appreciated.


Thanks & Regards
Shrawan


[yocto] useradd does not creates user in rootfs but sysroot ?

2016-08-09 Thread Kumar, Shrawan
Dear Team,

Downloaded the "krogoth" release, with the intention to use the above bb file 
to create users (user1, user2 etc.). The expectation was that the users should 
get created in the "rootfs".
But to my dismay, they get created in the sysroot 
(poky/build/tmp/sysroots/qemux86/etc/passwd).

This works as expected in  "jethro"  release.  Do we have alternate way to 
achieve the same in  " krogoth" release   ?

Regards
Shrawan




useradd-example.bb
Description: useradd-example.bb


Re: [yocto] setcap using recipe

2016-07-02 Thread Kumar, Shrawan
Hello Ross,

Post-installation scripts run immediately after installing a package on the 
target or during image creation when a package is included in an image.
Does  it not mean that we can set the file attributes(setcap) during  image 
creation ?

I understand the delayed approach of executing it on the target, but my 
requirement is to do it on the build host. We do not want “setcap”  utility to 
be present on the target.


Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Saturday, July 02, 2016 2:56 PM
To: Kumar, Shrawan
Cc: Daniel.; Mathieu Allard; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe


On 2 July 2016 at 10:22, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Can someone review the attached recipe and help solve the problem statement  ?

As has been said, you need to ensure the postinst is delayed so it runs on the 
target and not on the build host.

http://www.yoctoproject.org/docs/2.1/dev-manual/dev-manual.html#new-recipe-post-installation-scripts

Ross



Re: [yocto] setcap using recipe

2016-07-02 Thread Kumar, Shrawan
Dear All,

The aim of my exercise is to apply "setcap " on an executable during rootfs 
creation. 
I should be able to view the set capability using getcap utility when this 
rootfs is mounted on the target. 
As I said earlier, none of the suggested approaches is working here. Currently 
qemux86 is my target. 
 
Can someone review the attached recipe and help solve the problem statement  ?



Regards
Shrawan

-Original Message-
From: Daniel. [mailto:danielhi...@gmail.com] 
Sent: Friday, July 01, 2016 7:54 PM
To: Mathieu Allard
Cc: Kumar, Shrawan; yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hmmm I see,

Well, I didn't note that. And yeah, that command should be ran at first boot, 
(that feature saved my life a bunch of times :) )

Regards,

2016-07-01 11:03 GMT-03:00 Mathieu Allard <mathieu.all...@evalan.com>:
> Hello,
>
> I think that the main issue here is that the pkg_postinst function runs its 
> action at the rootfs creation time, and not on the target as advised by Ross.
>
> The chapter 5.3.16, "post-installation scripts" in the mega-manual offers 
> some detailed explanations on how to make it run after the first boot.
>
>
> Regards,
>
> Mathieu
>
>
> - Original Message -
> From: "Daniel." <danielhi...@gmail.com>
> To: "Kumar, Shrawan" <shrawan.ku...@harman.com>
> Cc: yocto@yoctoproject.org
> Sent: Friday, July 1, 2016 3:54:15 PM
> Subject: Re: [yocto] setcap using recipe
>
> Does your target filesystem support it? ubifs doesn't :( 
> http://www.linux-mtd.infradead.org/doc/ubifs.html#L_xattr
>
> 2016-07-01 9:53 GMT-03:00 Kumar, Shrawan <shrawan.ku...@harman.com>:
>> Hello Ross,
>>
>>
>>
>> None of the approach is working .  I have attached the  recipe where 
>> I am trying to execute postinst . It builds successfully , But when I 
>> run getcap on the target , does not return the set capabilities.
>>
>>
>>
>> Help will be highly appreciated .
>>
>>
>>
>> Regards
>>
>> Shrawan
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 6:40 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> Looks like using setcap directly is broken currently, there are two
>> workarounds:
>>
>>
>>
>> 1) use a postinst to invoke setcap on the target instead
>>
>> 2) test the patch for pseudo that is on this list ([PATCH] Add capset 
>> pseudo function that always succeeds) and verify that it fixes the problem 
>> for you.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> I am using Yocto 2.0.2
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:56 PM
>>
>>
>> To: Kumar, Shrawan
>> Cc: yocto@yoctoproject.org
>> Subject: Re: [yocto] setcap using recipe
>>
>>
>>
>> What version of OE/Yocto are you using?  Old versions of pseudo 
>> didn't support xattrs at all.
>>
>>
>>
>> Ross
>>
>>
>>
>> On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
>>
>> Thanks Ross for your quick turn around , I am getting below error
>>
>>
>>
>> “Unable to set CAP_SETFCAP effective capability: Operation not 
>> permitted.”
>>
>>
>>
>> But when I use # sudo setcap cap_net_raw+ep helloworld on command
>> line I am able to set the cap.
>>
>>
>>
>> To achieve the sudo realization  in recipe , I tried  as below , but 
>> no luck…… Can you suggest something here  ?
>>
>>
>>
>> fakeroot do_install() {
>>
>> install -d ${D}${bindir}
>>
>> install -m 0755 helloworld ${D}${bindir}
>>
>> install -d ${D}/lib/systemd/system
>>
>> install -m 0755 hello.service 
>> ${D}/lib/systemd/system/
>>
>>  setcap cap_net_raw+ep  ${D}${bindir}/helloworld
>>
>>
>>
>> }
>>
>>
>>
>> Thanks and Regards
>>
>> Shrawan
>>
>>
>>
>> From: Burton, Ross [mailto:ross.bur...@intel.com]
>> Sent: Friday, June 24, 2016 5:09 PM
>> To: Kumar, Shrawan
>> Cc: yocto@yoctop

Re: [yocto] setcap using recipe

2016-07-01 Thread Kumar, Shrawan
Hello Ross,

None of the approach is working .  I have attached the  recipe where I am 
trying to execute postinst . It builds successfully , But when I run getcap on 
the target , does not return the set capabilities.

Help will be highly appreciated .

Regards
Shrawan
From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo 
function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com<mailto:ross.bur...@intel.com>]
Sent: Friday, June 24, 2016 5:56 PM

To: Kumar, Shrawan
Cc: yocto@yoctoproject.org<mailto:yocto@yoctoproject.org>
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan 
<shrawan.ku...@harman.com<mailto:shrawan.ku...@harman.com>> wrote:
Thanks Ross for your quick turn around , I am getting below error

“Unable to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use # sudo setcap cap_net_raw+ep helloworld on command 
line I am able to set the cap.

To achieve the sudo realization  in recipe , I tried  as below , but no luck…… 
Can you suggest something here  ?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes, is this the correct approach to achieve the same from the package
recipe itself?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross




HelloWorld_0.1.bb
Description: HelloWorld_0.1.bb
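
The check behind getcap, as an added example that is not part of the thread: file capabilities are stored in the security.capability extended attribute, and this Python code decodes that attribute so a file on the target or in a mounted image can be inspected directly. The function names, the CAP_NAMES subset and the sample bytes are assumptions constructed here.

```python
import errno
import os
import struct

# Values from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_3 = 0x03000000
# revision -> number of 32-bit (permitted, inheritable) pairs that follow magic_etc
PAIRS = {0x01000000: 1, 0x02000000: 2, VFS_CAP_REVISION_3: 2}
CAP_NAMES = {12: "cap_net_admin", 13: "cap_net_raw", 31: "cap_setfcap"}  # subset


def decode_file_caps(raw):
    """Decode the bytes of a security.capability xattr (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("truncated capability xattr")
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in PAIRS:
        raise ValueError("unknown revision 0x%08x" % revision)
    pairs = PAIRS[revision]
    # Revision 3 appends a 32-bit root uid for user-namespaced capabilities.
    expected = 4 + 8 * pairs + (4 if revision == VFS_CAP_REVISION_3 else 0)
    if len(raw) != expected:
        raise ValueError("expected %d bytes, got %d" % (expected, len(raw)))
    permitted = inheritable = 0
    for i in range(pairs):
        word_p, word_i = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= word_p << (32 * i)
        inheritable |= word_i << (32 * i)

    def names(mask):
        return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

    return {"effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": names(permitted), "inheritable": names(inheritable)}


def file_caps(path):
    """Decoded capabilities of path, or None when no capability xattr is set."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError as exc:
        if exc.errno == errno.ENODATA:  # attribute absent: what an empty getcap means
            return None
        raise  # e.g. ENOTSUP: the filesystem has no xattr support at all


# Constructed sample: the value stored for cap_net_raw+ep (revision 2, effective bit)
SAMPLE = struct.pack("<IIIII", 0x02000001, 1 << 13, 0, 0, 0)
```

A None result from file_caps() means the attribute never reached that filesystem, while an ENOTSUP error means the filesystem cannot hold extended attributes at all.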


Re: [yocto] setcap using recipe

2016-06-28 Thread Kumar, Shrawan
Hello Ross,

Could you update on my issues?

Regards
Shrawan

From: yocto-boun...@yoctoproject.org [mailto:yocto-boun...@yoctoproject.org] On 
Behalf Of Kumar, Shrawan
Sent: Monday, June 27, 2016 12:04 PM
To: Burton, Ross
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hello Ross,

Against which version is this patch applicable? I am using pseudo-1.7.4 and
could not find the capset.c file under the “ports/linux/guts/” directory.

Can you please help here?

Thanks and Regards
Shrawan


From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo 
function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:56 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
Thanks Ross for your quick turnaround, I am getting the below error:

“Unable to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use

    # sudo setcap cap_net_raw+ep helloworld

on the command line, I am able to set the cap.

To achieve the sudo realization in the recipe, I tried as below, but no luck…
Can you suggest something here?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes, is this the correct approach to achieve the same from the package
recipe itself?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross




Re: [yocto] setcap using recipe

2016-06-27 Thread Kumar, Shrawan
Hello Ross,

Against which version is this patch applicable? I am using pseudo-1.7.4 and
could not find the capset.c file under the “ports/linux/guts/” directory.

Can you please help here?

Thanks and Regards
Shrawan


From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 6:40 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Looks like using setcap directly is broken currently, there are two workarounds:

1) use a postinst to invoke setcap on the target instead
2) test the patch for pseudo that is on this list ([PATCH] Add capset pseudo 
function that always succeeds) and verify that it fixes the problem for you.

Ross

On 24 June 2016 at 13:31, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:56 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
Thanks Ross for your quick turnaround, I am getting the below error:

“Unable to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use

    # sudo setcap cap_net_raw+ep helloworld

on the command line, I am able to set the cap.

To achieve the sudo realization in the recipe, I tried as below, but no luck…
Can you suggest something here?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes, is this the correct approach to achieve the same from the package
recipe itself?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross




Re: [yocto] setcap using recipe

2016-06-24 Thread Kumar, Shrawan
I am using Yocto 2.0.2

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:56 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

What version of OE/Yocto are you using?  Old versions of pseudo didn't support 
xattrs at all.

Ross

On 24 June 2016 at 13:23, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:
Thanks Ross for your quick turnaround, I am getting the below error:

“Unable to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use

    # sudo setcap cap_net_raw+ep helloworld

on the command line, I am able to set the cap.

To achieve the sudo realization in the recipe, I tried as below, but no luck…
Can you suggest something here?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes, is this the correct approach to achieve the same from the package
recipe itself?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross



HelloWorld_0.1.bb
Description: HelloWorld_0.1.bb


Re: [yocto] setcap using recipe

2016-06-24 Thread Kumar, Shrawan
Thanks Ross for your quick turnaround, I am getting the below error:

“Unable to set CAP_SETFCAP effective capability: Operation not permitted.”

But when I use

    # sudo setcap cap_net_raw+ep helloworld

on the command line, I am able to set the cap.

To achieve the sudo realization in the recipe, I tried as below, but no luck…
Can you suggest something here?

fakeroot do_install() {
install -d ${D}${bindir}
install -m 0755 helloworld ${D}${bindir}
install -d ${D}/lib/systemd/system
install -m 0755 hello.service ${D}/lib/systemd/system/
 setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}

Thanks and Regards
Shrawan

From: Burton, Ross [mailto:ross.bur...@intel.com]
Sent: Friday, June 24, 2016 5:09 PM
To: Kumar, Shrawan
Cc: yocto@yoctoproject.org
Subject: Re: [yocto] setcap using recipe

Hi,

On 24 June 2016 at 11:41, Kumar, Shrawan <shrawan.ku...@harman.com> wrote:

Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes, is this the correct approach to achieve the same from the package
recipe itself?

capabilities on files are just extended attributes, so assuming that you have a 
fairly recent Yocto and your host and target filesystems support extended 
attributes, yes this should work.

Ross


[yocto] setcap using recipe

2016-06-24 Thread Kumar, Shrawan
Hello All,



Is there a way to add a capability to a binary (cap_net_raw+ep), into a recipe?


Example :

do_install() {

   install -d ${D}${bindir}

   install -m 0755 helloworld ${D}${bindir}

   install -d ${D}/lib/systemd/system

   install -m 0755 hello.service ${D}/lib/systemd/system/

   setcap cap_net_raw+ep  ${D}${bindir}/helloworld

}



If yes, is this the correct approach to achieve the same from the package
recipe itself?





Thanks and Regards

Shrawan
