
I intend to set some capabilities on binaries included in a Yocto image using "setcap". For some reason the solutions mentioned here did not work for me: Linux capabilities with yocto. I have checked that by running "getcap" on my binary within the rootfs creation directory:

getcap ${IMAGE_ROOTFS}/usr/bin/mybinary

does not return anything. Nor do I find the capabilities in the final running sdcard image.

Next I tried the approach using IMAGE_PREPROCESS_COMMAND. I wrapped up setcap commands in small shell functions such as:

my_setcap_function() {
    sudo setcap cap_ipc_owner+ep ${IMAGE_ROOTFS}/usr/bin/mybinary
}

and append the function names to IMAGE_PREPROCESS_COMMAND. This works to the extent that now running getcap on my binary within the ${IMAGE_ROOTFS} directory does show the correct caps set. However, I still do not get the capabilities in the final running sdcard image.

Also, if I mount the rootfs ext4 (which is used to create the final sdcard image) on a directory using -o loop, I do not see the capabilities on my binary. It seems to me that the capabilities somehow get lost when the ext4 is created using mkfs.ext4.

I had to attach sudo to setcap because otherwise it complains saying "unable to set CAP_SETFCAP effective capability: Operation not permitted". Although my understanding was that IMAGE_PREPROCESS_COMMAND commands are run using fakeroot so this sudo should not be required.

So, to summarize my question:

  1. How can I get the capabilities on the sdcard image made using ext4 rootfs image?
  2. I want to use a way that does not require using "sudo".

I am using Yocto Krogoth and currently cannot upgrade that.

Rogue
  • When you mount ext4 image, maybe you have to add `-o user_xattr` ? – Nayfe May 16 '18 at 19:56
  • @Nayfe Thanks for the comment. I just tried that, but didn't make a difference unfortunately. – Rogue May 17 '18 at 10:43
  • Any reason to stay on Krogoth? Maybe try the same thing on Rocko on qemu board to check if it is fixed afterwards? You can also join #yocto channel on [freenode irc](https://webchat.freenode.net/) for more help. – Nayfe May 17 '18 at 12:14
  • @Nayfe upgrading Yocto can help with the fakeroot setcap issue, as there was a patch for fixing that here: [link](http://yocto.yoctoproject.narkive.com/orjDseoQ/pseudo-patch-add-capset-pseudo-function-that-always-succeeds) – Rogue May 17 '18 at 16:53
  • The main issue is still that the call to mkfs.ext4 in poky/meta/classes/image_types.bbclass drops capabilities while copying from the ${IMAGE_ROOTFS} directory to the ext4 image. And this is unchanged even in Sumo AFAIK. – Rogue May 17 '18 at 16:57
  • Maybe, you can bump e2fsprogs to latest commit, there are lots of xattr modifications in git log, for example [here](https://git.kernel.org/pub/scm/fs/ext2/e2fsprogs.git/commit/lib/ext2fs?id=50d0998cfee25d09dbddb8a10269a072d89aee14). – Nayfe May 17 '18 at 18:32
  • @Nayfe Thanks for the suggestion. I tried using e2fsprogs 1.43.8 but wasn't lucky. – Rogue May 29 '18 at 09:46
  • So far the only thing that worked for me was: adding a task after do_image_ext4 and before do_image_sdcard; in the task I mount the freshly created ext4 img on loop, apply the capabilities in the mounted ext4, just before it is used to create the sdcard image. This is very ugly and inconsistent and I would love to find a better way. – Rogue May 29 '18 at 09:50
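The check the question relies on (mount the ext4 with -o loop, then run getcap) can be done without the libcap tools by reading the security.capability xattr directly, which is what setcap writes and getcap reads. The following is an added example for this thread, not code from the question, the answer or Yocto: it decodes the on-disk struct vfs_cap_data (revisions 1, 2 and 3), renders it in getcap's notation, and walks a mounted rootfs listing every file that carries file capabilities. The capability numbering follows the kernel's capability.h; the mount point in the usage comment is an assumption.

```python
"""Decode the security.capability xattr that setcap writes and getcap reads.

Added example, not part of the original thread. Layout follows struct
vfs_cap_data from the Linux UAPI headers; capability bit numbers follow
include/uapi/linux/capability.h. The /mnt path below is an assumption.
"""
import errno
import os
import struct
import sys

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000   # one u32 (permitted, inheritable) pair: 12 bytes
VFS_CAP_REVISION_2 = 0x02000000   # two pairs: 20 bytes (what current setcap writes)
VFS_CAP_REVISION_3 = 0x03000000   # two pairs + rootid: 24 bytes (user-ns caps)
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
XATTR_NAME = "security.capability"

# Capability names in kernel numbering order (cap_chown is bit 0).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_BITS = {"cap_" + n: i for i, n in enumerate(CAP_NAMES)}


def _bits_to_names(mask):
    """Expand a capability bitmask into names, lowest bit first."""
    names, bit = [], 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append("cap_" + CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
        bit += 1
    return names


def decode_vfs_cap(blob):
    """Parse a raw security.capability value into capability-name sets."""
    if len(blob) < 4:
        raise ValueError("xattr too short: %d bytes" % len(blob))
    (magic_etc,) = struct.unpack_from("<I", blob, 0)   # all fields are little-endian
    rev = magic_etc & VFS_CAP_REVISION_MASK
    pairs = {VFS_CAP_REVISION_1: 1, VFS_CAP_REVISION_2: 2, VFS_CAP_REVISION_3: 2}.get(rev)
    if pairs is None:
        raise ValueError("unknown vfs_cap revision 0x%08x" % magic_etc)
    expected = 4 + 8 * pairs + (4 if rev == VFS_CAP_REVISION_3 else 0)
    if len(blob) != expected:
        raise ValueError("revision %d needs %d bytes, got %d" % (rev >> 24, expected, len(blob)))
    permitted = inheritable = 0
    for i in range(pairs):
        p, h = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= h << (32 * i)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * pairs)[0] if rev == VFS_CAP_REVISION_3 else 0
    return {
        "revision": rev >> 24,
        "effective": bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": _bits_to_names(permitted),
        "inheritable": _bits_to_names(inheritable),
        "rootid": rootid,
    }


def encode_vfs_cap(permitted, inheritable=(), effective=True):
    """Build the revision-2 value setcap writes, e.g. for 'cap_ipc_owner+ep'."""
    p = sum(1 << CAP_BITS[n] for n in permitted)
    h = sum(1 << CAP_BITS[n] for n in inheritable)
    magic_etc = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic_etc, p & 0xFFFFFFFF, h & 0xFFFFFFFF, p >> 32, h >> 32)


def format_caps(caps):
    """Render decoded caps in the style of getcap, e.g. 'cap_ipc_owner+ep'."""
    by_flags = {}
    names = set(caps["permitted"]) | set(caps["inheritable"])
    for name in sorted(names, key=lambda n: CAP_BITS.get(n, 999)):
        flags = ""
        if caps["effective"] and name in caps["permitted"]:
            flags += "e"
        if name in caps["inheritable"]:
            flags += "i"
        if name in caps["permitted"]:
            flags += "p"
        by_flags.setdefault(flags, []).append(name)
    return " ".join("%s+%s" % (",".join(n), f) for f, n in by_flags.items())


def file_caps(path):
    """Return decoded caps for path, or None when no security.capability is set."""
    try:
        blob = os.getxattr(path, XATTR_NAME, follow_symlinks=False)
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise
    return decode_vfs_cap(blob)


def scan_tree(root):
    """Walk a mounted rootfs and list (relative path, caps text) for files with caps."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            path = os.path.join(dirpath, f)
            if os.path.islink(path):
                continue
            caps = file_caps(path)
            if caps is not None:
                found.append((os.path.relpath(path, root), format_caps(caps)))
    return found


if __name__ == "__main__":
    # Assumed usage: sudo mount -o loop rootfs.ext4 /mnt && python3 capcheck.py /mnt
    for rel, text in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s %s" % (rel, text))
```

Running this against the mounted ext4 gives an empty list exactly in the situation described above, while running it against ${IMAGE_ROOTFS} after the IMAGE_PREPROCESS_COMMAND step lists the binary with cap_ipc_owner+ep; the decoder reads the raw xattr, so it does not depend on a libcap build and can also be pointed at any extracted or mounted image.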

1 Answer


Did you really test it on the final image or in the rootfs folder from the yocto build?

I ran getcap on the files in the rootfs folder, and there was nothing set.

Because Yocto uses the pseudo lib to intercept chown and chmod calls and track them in an sqlite db (it uses LD_PRELOAD for interception).

So these attributes are not set on the files in the "rootfs" folder; they are added at image/rootfs creation.

You can use setcap in a recipe; you have to add

DEPENDS = "libcap-native"

in your recipe.

Antoine Thiry
xeniter