5

I want to give several files Linux capabilities (e.g. CAP_NET_ADMIN). I am using Yocto and my file system should be read-only and must not be changed after flashing the software (this means pkg_postinst with setcap that would usually work is not possible).

Is there any other way to give capabilities to files without changing the file structure after booting the target?

Quizard
  • 71
  • 1
  • 5

2 Answers2

4

pkg_postinst scripts already get executed while building the read-only rootfs, so this approach works. You must ensure that the commands that you call in the script are available in the build host, though, otherwise execution of the script will fail and it gets deferred to the first boot on the device. How to ensure that the setcap command is available depends on the Yocto release, this will change in Yocto 2.3. Here's a complete example recipe:

LICENSE = "MIT"

do_install () {
    install -d ${D}/${bindir}
    touch ${D}/${bindir}/foobar
}

pkg_postinst_${PN} () {
    setcap cap_chown+e "$D/${bindir}/foobar"
}
# Dependency when installing on the target.
RDEPENDS_${PN} = "libcap"
# Dependency for rootfs construction, Yocto > 2.3.
PACKAGE_WRITE_DEPS = "libcap-native"
# Dependency for rootfs construction, Yocto <= 2.3 (untested).
# Enabling this makes builds slightly less efficient with
# Yocto > 2.3 because it implies that libcap-native is
# needed for building this recipe, which isn't the case.
# DEPENDS += "libcap-native"

Be careful to preserve xattrs. The default .tar image format drops them. From the top of https://github.com/01org/meta-intel-iot-security/blob/master/meta-security-framework/classes/xattr-images.bbclass:

# xattr support is expected to be compiled into mtd-utils. We just need to
# use it.
EXTRA_IMAGECMD_jffs2_append = " --with-xattr"

# By default, OE-core uses tar from the host, which may or may not have the
# --xattrs parameter which was introduced in 1.27. For image building we
# use a recent enough tar instead.
#
# The GNU documentation does not specify whether --xattrs-include is necessary.
# In practice, it turned out to be not needed when creating archives and
# required when extracting, but it seems prudent to use it in both cases.
IMAGE_DEPENDS_tar_append = " tar-replacement-native"
EXTRANATIVEPATH += "tar-native"
IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"

Put this into your image recipe, if it matters.

Patrick Ohly
  • 712
  • 6
  • 8
  • Thanks for the answer. The question is now how to make the script not failing on the host. Now the error occurs that the script fails with: Exec format error of setcap – Quizard Mar 30 '17 at 12:35
  • We are using mkfs.ubifs. Does this preserve xattrs? – Quizard Mar 30 '17 at 12:35
  • I've figured out (again) how dependencies now need to be declared. It's not currently documented, documentation bug filed, too: https://bugzilla.yoctoproject.org/show_bug.cgi?id=11274 – Patrick Ohly Mar 31 '17 at 07:47
  • I don't know how ubifs handles xattrs. – Patrick Ohly Mar 31 '17 at 07:47
  • Is the variable PACKAGE_WRITE_DEPS also available in yocto 2.0? – Quizard Apr 04 '17 at 06:37
  • I think the pkg_postinst_${PN} should include shebang (#!/bin/sh -e) and the package should RDEPEND on libcap-bin (not libcap) as otherwise setcap may be unavailable during package install on target. – desowin Sep 07 '17 at 11:11
0

Finally I solved the problem by updating mtd-utils to mtd-utils-2.0.0 (mkfs.ubifs supports extended attributes).

Furthermore, I am now using IMAGE_PREPROCESS_COMMAND to set the capabilities directly before the image is processed.

Quizard
  • 71
  • 1
  • 5