I want to give several files Linux capabilities (e.g. CAP_NET_ADMIN). I am using Yocto, and my file system should be read-only and must not be changed after flashing the software (this means that pkg_postinst with setcap, which would usually work, is not possible).
Is there any other way to give capabilities to files without changing the file structure after booting the target?
pkg_postinst scripts already get executed while building the read-only rootfs, so this approach works. You must ensure that the commands you call in the script are available on the build host, though; otherwise execution of the script will fail and it gets deferred to the first boot on the device. How to ensure that the setcap command is available depends on the Yocto release; this will change in Yocto 2.3. Here's a complete example recipe:
```bitbake
LICENSE = "MIT"

do_install () {
    install -d ${D}${bindir}
    # Placeholder; a real recipe installs the actual program here.
    touch ${D}${bindir}/foobar
}

# Runs during rootfs construction when setcap is available on the build
# host; $D is the rootfs being assembled. The capability must be in the
# permitted set ('p') for the file's effective flag ('e') to have any
# effect, so use +ep rather than +e alone.
pkg_postinst_${PN} () {
    setcap cap_chown+ep "$D${bindir}/foobar"
}

# Dependency when installing on the target.
RDEPENDS_${PN} = "libcap"

# Dependency for rootfs construction, Yocto > 2.3.
PACKAGE_WRITE_DEPS = "libcap-native"

# Dependency for rootfs construction, Yocto <= 2.3 (untested).
# Enabling this makes builds slightly less efficient with
# Yocto > 2.3 because it implies that libcap-native is
# needed for building this recipe, which isn't the case.
# DEPENDS += "libcap-native"

# Note: releases from Honister (3.4) onwards use ':' as the override
# separator, i.e. pkg_postinst:${PN} and RDEPENDS:${PN}.
```
Be careful to preserve xattrs. The default .tar image format drops them. From the top of https://github.com/01org/meta-intel-iot-security/blob/master/meta-security-framework/classes/xattr-images.bbclass:
```bitbake
# xattr support is expected to be compiled into mtd-utils. We just need to
# use it.
EXTRA_IMAGECMD_jffs2_append = " --with-xattr"

# By default, OE-core uses tar from the host, which may or may not have the
# --xattrs parameter which was introduced in 1.27. For image building we
# use a recent enough tar instead.
#
# The GNU documentation does not specify whether --xattrs-include is necessary.
# In practice, it turned out to be not needed when creating archives and
# required when extracting, but it seems prudent to use it in both cases.
IMAGE_DEPENDS_tar_append = " tar-replacement-native"
EXTRANATIVEPATH += "tar-native"
IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"
```
Put this into your image recipe, if it matters.
Finally, I solved the problem by updating mtd-utils to mtd-utils-2.0.0 (mkfs.ubifs supports extended attributes).
Furthermore, I am now using IMAGE_PREPROCESS_COMMAND to set the capabilities directly before the image is processed.
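Both answers come down to the same check: whether the `security.capability` xattr that setcap writes actually survived into the image. The following is an added example, not code from either answer, that decodes that xattr (layout per struct vfs_cap_data in the kernel's include/uapi/linux/capability.h) and scans a tar image for it, assuming GNU tar's `--xattrs` convention of storing xattrs as `SCHILY.xattr.<name>` pax records. The archive it inspects is constructed in memory as a stand-in for a real rootfs tarball, and the function names are my own.

```python
"""Decode and check the security.capability xattr that setcap(8) writes.

Added example (not from the answers above). Blob layout follows struct
vfs_cap_data in the kernel's include/uapi/linux/capability.h; the archive
convention (xattrs as SCHILY.xattr.<name> pax records) is GNU tar --xattrs'.
"""
import io
import struct
import tarfile

VFS_CAP_FLAGS_EFFECTIVE = 0x000001
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_1 = 0x01000000  # one u32 permitted/inheritable pair
VFS_CAP_REVISION_2 = 0x02000000  # two pairs, 64 capability bits
VFS_CAP_REVISION_3 = 0x03000000  # rev-2 layout plus a trailing rootid u32

# Capability numbers from linux/capability.h (subset; others print as cap_N).
CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search",
    7: "cap_setuid", 10: "cap_net_bind_service", 12: "cap_net_admin",
    13: "cap_net_raw", 19: "cap_sys_ptrace", 21: "cap_sys_admin",
    31: "cap_setfcap",
}
CAP_NUMBERS = {name: num for num, name in CAP_NAMES.items()}

XATTR_KEY = "SCHILY.xattr.security.capability"  # GNU tar --xattrs record name


def _mask(caps):
    """Bitmask for an iterable of capability names."""
    m = 0
    for c in caps:
        m |= 1 << CAP_NUMBERS[c]
    return m


def _names(mask):
    """Capability names for a bitmask (unknown numbers become cap_N)."""
    return {CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1}


def encode_file_caps(permitted, inheritable=(), effective=True):
    """Build the rev-2 blob setcap writes for e.g. 'cap_net_admin+ep'."""
    p, i = _mask(permitted), _mask(inheritable)
    magic = VFS_CAP_REVISION_2 | (VFS_CAP_FLAGS_EFFECTIVE if effective else 0)
    return struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF,
                       p >> 32, i >> 32)


def decode_file_caps(blob):
    """Return (permitted, inheritable, effective, rootid) from an xattr blob.

    permitted/inheritable are sets of names; effective is a bool (the file
    effective flag is one bit covering the whole permitted set); rootid is
    None unless the blob is rev 3 (user-namespace-scoped capabilities).
    """
    (magic,) = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    rootid = None
    if rev == VFS_CAP_REVISION_1:
        p, i = struct.unpack_from("<II", blob, 4)
    elif rev in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        p0, i0, p1, i1 = struct.unpack_from("<IIII", blob, 4)
        p, i = p0 | (p1 << 32), i0 | (i1 << 32)
        if rev == VFS_CAP_REVISION_3:
            (rootid,) = struct.unpack_from("<I", blob, 20)
    else:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % magic)
    return _names(p), _names(i), effective, rootid


def scan_tar_for_file_caps(data):
    """Map member path -> decoded caps for every member carrying the xattr."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for member in tf.getmembers():
            raw = member.pax_headers.get(XATTR_KEY)
            if raw is not None:
                # tarfile returns pax values as str; recover the raw bytes.
                found[member.name] = decode_file_caps(
                    raw.encode("utf-8", "surrogateescape"))
    return found


def check_image(data, expected):
    """Compare expected {path: (permitted_names, effective)} with the archive;
    returns a list of problems (empty means the capabilities survived)."""
    actual = scan_tar_for_file_caps(data)
    problems = []
    for path, (perm, eff) in expected.items():
        got = actual.get(path)
        if got is None:
            problems.append("%s: no security.capability xattr (dropped?)" % path)
        elif got[0] != set(perm) or got[2] != eff:
            problems.append("%s: has %s effective=%s" % (path, sorted(got[0]), got[2]))
    return problems


def build_sample_image(with_xattrs):
    """Constructed sample: a one-file rootfs tarball standing in for an image
    packed with `tar --xattrs` (True) or with plain tar, which drops them."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tf:
        info = tarfile.TarInfo("usr/bin/foobar")
        info.mode = 0o755
        if with_xattrs:
            blob = encode_file_caps(["cap_net_admin"])
            info.pax_headers = {XATTR_KEY: blob.decode("utf-8", "surrogateescape")}
        tf.addfile(info, io.BytesIO(b""))
    return buf.getvalue()


if __name__ == "__main__":
    want = {"usr/bin/foobar": ({"cap_net_admin"}, True)}
    print("with --xattrs:", check_image(build_sample_image(True), want) or "ok")
    print("plain tar:    ", check_image(build_sample_image(False), want))
```

Against a real build, pass the deployed tarball's bytes to `check_image` with the paths and capability sets you expect; for jffs2 or ubifs images the equivalent check is `getcap -r /` on the booted target, which should list every file the postinst or IMAGE_PREPROCESS_COMMAND step touched.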
Source: https://stackoverflow.com/questions/43067776/linux-capabilities-with-yocto