Use Linux setcap command to set capabilities during Yocto build

Question

I'm using Yocto 1.8 to build a linux system.

I need to use the command "setcap" to set files capabilities during build, which is introduced via libcap package recipe: http://cgit.openembedded.org/openembedded-core/tree/meta/recipes-support/libcap/libcap_2.25.bb?h=master

The problem is that the recipe provides libcap package, which is only the library, and another subpackage called libcap-bin which contains the binaries I need to use. But I couldn't build or use the libcap-bin-native package inside my recipe as a dependancy (using DEPENDS variable). so everytime I call "setcap" binary, Yocto uses the host binaries (Ubuntu 14.04 64-bit) not the build system ones (as it's not there).

I need to know how to include the native binaries built from libcap-bin package in my native sysroot buildsystem to be used during recipe execution.

Example recipe to use setcap command:

DESCRIPTION = "Apply  CAPs on files"
SECTION = "bin"
LICENSE = "CLOSED"

do_install() {
    install -d ${D}${bindir}
    touch ${D}${bindir}/testacl
}

DEPENDS = "libcap libcap-native"

#New task will be added to each recipe to apply attributes inside ipks
fakeroot do_setcaps() {
    setcap 'cap_sys_admin,cap_sys_rawio+ep' ${WORKDIR}/packages-split/${PN}${bindir}/testacl
}

#Adding the new task  just before do_package_write_ipk task
addtask setcaps before do_package_write_ipk after do_packagedata

This recipe is working fine, except that it uses the setcap command from my host system (Ubuntu 14.04 64-bit) which is located "/sbin/setcap"

The dependency package libcap-native only includes the library files inside my native sysroot, but not the binaries.

If I used this inside my recipe:

DEPENDS = "libcap-bin"

I got this error:

ERROR: Nothing PROVIDES 'libcap-bin'

I also saw this thread talking about the same topic: Linux capabilities with yocto

But he uses Yocto > 2.3 and I'm using Yocto 1.8 , and I can't update it right now.

Any help?

PS: I already updated my yocto build system to preserve ACLs and extended attributes during IPK creation, and it's working and being preserved inside the IPK, inside the rootfs, and on the target after flashing.

Answer 1

I found the solution. I had to add this to the libcap recipe

PACKAGECONFIG_class-native = "attr"

As the generated binaries (setcap & getcap) are depending on libattr, and this has to be configured manually.

I found that it's already configured for the target package

PACKAGECONFIG ??= "attr ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}"

Sorry for disturbing.

Answer 2

I can't comment yet so comment here.

The command setcap should be provided by libcap-native. And please double check whether it exists in tmp/work/x86_64-linux/libcap-native/2.25-r0/image/:

$ find tmp/work/x86_64-linux/libcap-native/2.25-r0/sysroot-destdir/ -name setcap tmp/work/x86_64-linux/libcap-native/2.25-r0/sysroot-destdir/buildarea3/kkang/cgp9/builds/qemumips64-Apr24/tmp/sysroots/x86_64-linux/usr/sbin/setcap

You can find setcap here after remove the prefix:

$ ls /buildarea3/kkang/cgp9/builds/qemumips64-Apr24/tmp/sysroots/x86_64-linux/usr/sbin/setcap /buildarea3/kkang/cgp9/builds/qemumips64-Apr24/tmp/sysroots/x86_64-linux/usr/sbin/setcap