From: Markus W <markus4dev@gmail.com>
To: tworaz666@gmail.com
Cc: yocto@yoctoproject.org
Subject: Re: Set linux capabilities on binary on a recipe in meta-oe layer
Date: Fri, 9 Nov 2018 11:16:11 +0100
Message-ID: <CAFd=ocgV2baea-PsHJ9N9OiTS-rTQ-mux=7qwxmCU=Y8JBJ+Aw@mail.gmail.com>
In-Reply-To: <3658853.D14kAIKcfP@stinger>

Thanks Piotr, that worked!

How can this be achieved when the rootfs is created and not on first boot?
I would like not to ship libcap binaries with the target in production.

/Markus

On Thu, 8 Nov 2018 at 22:53, Piotr Tworek <tworaz666@gmail.com> wrote:

> Hi Markus,
>
> Have you tried doing it in the postinst step executed on your target? Try:
>
> pkg_postinst_ontarget_${PN} () {
>     setcap cap_net_raw+eip $D${bindir}/node
> }
>
> RDEPENDS_${PN} += "libcap-bin"
>
> /ptw
>
> > I have tested to set capabilities on the node binary within a custom recipe
> > (custom layer) but that failed.
> >
> > pkg_postinst_${PN} () {
> >     setcap cap_net_raw+eip $D${bindir}/node
> > }
> > PACKAGE_WRITE_DEPS = "libcap-native"
> > RDEPENDS_${PN} = "libcap"
> >
> > The error message:
> >
> > ERROR: core-image-full-cmdline-1.0-r0 do_rootfs: [log_check]
> > core-image-full-cmdline: found 1 error message in the logfile:
> > [log_check] Failed to set capabilities on file
> >
> > `/home/ubuntu/yocto-sumo/build/tmp/work/raspberrypi3-poky-linux-gnueabi/core-image-full-cmdline/1.0-r0/rootfs/usr/bin/node' (No such file or directory)
> >
> > When I check the node binary is there in the rootfs directory. It seems
> > that when the pkg_postinst function is executed the node binary is not
> > there.
> >
> > What am I missing? Any answer is much appreciated!
> >
> > Regards,
> > Markus
> >
> > On Wed, 7 Nov 2018 at 11:32, Markus W <markus4dev@gmail.com> wrote:
> > > Hi!
> > >
> > > Background:
> > > In my raspberry project I am developing a nodejs app that needs access to
> > > bluetooth/ble device. I want to run the node application as non root user
> > > for security reasons. In order to get access from within the app, the node
> > > binary needs to have the following capability cap_net_raw+eip set. I am
> > > using the nodejs recipe from meta-oe and added it in my local.conf:
> > >
> > > IMAGE_INSTALL_append = " nodejs i2c-tools bluez5 kernel-image kernel-devicetree"
> > >
> > > Question:
> > > Where should I apply the following command? setcap cap_net_raw+eip
> > > /usr/bin/node
> > >
> > > What are my options? Can I create a recipe in a different package that
> > > will apply the above command on the meta-oe package for the nodejs recipe?
> > >
> > > I have been following this thread (
> > > https://lists.yoctoproject.org/pipermail/yocto/2016-June/030811.html),
> > > but the node binaries and my node-app are in different layers and
> > > packages.
> > >
> > > Any advice on how to do this is much appreciated.
> > >
> > > Regards,
> > > Markus
>
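
Added example, not part of the original thread or of any Yocto/meta-oe code: `setcap cap_net_raw+eip` stores its result in the file's `security.capability` extended attribute, so a build or boot-time check can decode that attribute and confirm the capability set on `node` without calling libcap tools. The function names and the sample byte strings are constructed for illustration; the layout and constants follow `struct vfs_cap_data` in `linux/capability.h`.

```python
import os
import struct

# Constants from the kernel UAPI header linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
CAP_NET_RAW = 13
# revision -> (number of 32-bit permitted/inheritable pairs, trailing rootid bytes)
REVISIONS = {0x01000000: (1, 0), 0x02000000: (2, 0), 0x03000000: (2, 4)}


def decode_file_caps(raw: bytes) -> dict:
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("value too short for magic_etc")
    (magic,) = struct.unpack_from("<I", raw, 0)
    layout = REVISIONS.get(magic & VFS_CAP_REVISION_MASK)
    if layout is None:
        raise ValueError(f"unknown capability revision in {magic:#010x}")
    pairs, rootid_len = layout
    if len(raw) != 4 + 8 * pairs + rootid_len:
        raise ValueError("length does not match revision")
    permitted = inheritable = 0
    for i in range(pairs):
        p, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": permitted, "inheritable": inheritable}


def has_cap_eip(raw: bytes, cap: int = CAP_NET_RAW) -> bool:
    """True only if `cap` is permitted and inheritable and the effective flag is set."""
    caps = decode_file_caps(raw)
    bit = 1 << cap
    return bool(caps["effective"] and caps["permitted"] & bit and caps["inheritable"] & bit)


def file_has_cap_eip(path: str, cap: int = CAP_NET_RAW) -> bool:
    """Read the xattr from a real file (Linux only); no xattr means no file capabilities."""
    try:
        return has_cap_eip(os.getxattr(path, "security.capability"), cap)
    except OSError:
        return False


# Constructed sample values: a revision-2 xattr for cap_net_raw+eip and for +ep only
SAMPLE_EIP = struct.pack("<5I", 0x02000001, 1 << CAP_NET_RAW, 1 << CAP_NET_RAW, 0, 0)
SAMPLE_EP = struct.pack("<5I", 0x02000001, 1 << CAP_NET_RAW, 0, 0, 0)

if __name__ == "__main__":
    print(decode_file_caps(SAMPLE_EIP), has_cap_eip(SAMPLE_EIP), has_cap_eip(SAMPLE_EP))
```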
