Linux capabilities with yocto


Problem description

I want to give several files Linux capabilities (e.g. CAP_NET_ADMIN). I am using Yocto and my file system should be read-only and must not be changed after flashing the software (this means pkg_postinst with setcap that would usually work is not possible).

Is there any other way to give capabilities to files without changing the file structure after booting the target?

Recommended answer

pkg_postinst scripts already get executed while building the read-only rootfs, so this approach works. You must ensure that the commands that you call in the script are available in the build host, though, otherwise execution of the script will fail and it gets deferred to the first boot on the device. How to ensure that the setcap command is available depends on the Yocto release, this will change in Yocto 2.3. Here's a complete example recipe:

LICENSE = "MIT"

do_install () {
    install -d ${D}/${bindir}
    touch ${D}/${bindir}/foobar
}

pkg_postinst_${PN} () {
    setcap cap_chown+e "$D/${bindir}/foobar"
}
# Dependency when installing on the target.
RDEPENDS_${PN} = "libcap"
# Dependency for rootfs construction, Yocto > 2.3.
PACKAGE_WRITE_DEPS = "libcap-native"
# Dependency for rootfs construction, Yocto <= 2.3 (untested).
# Enabling this makes builds slightly less efficient with
# Yocto > 2.3 because it implies that libcap-native is
# needed for building this recipe, which isn't the case.
# DEPENDS += "libcap-native"

Be careful to preserve xattrs. The default .tar image format drops them. From the top of https://github.com/01org/meta-intel-iot-security/blob/master/meta-security-framework/classes/xattr-images.bbclass:

# xattr support is expected to be compiled into mtd-utils. We just need to
# use it.
EXTRA_IMAGECMD_jffs2_append = " --with-xattr"

# By default, OE-core uses tar from the host, which may or may not have the
# --xattrs parameter which was introduced in 1.27. For image building we
# use a recent enough tar instead.
#
# The GNU documentation does not specify whether --xattrs-include is necessary.
# In practice, it turned out to be not needed when creating archives and
# required when extracting, but it seems prudent to use it in both cases.
IMAGE_DEPENDS_tar_append = " tar-replacement-native"
EXTRANATIVEPATH += "tar-native"
IMAGE_CMD_TAR = "tar --xattrs --xattrs-include=*"

Put this into your image recipe, if it matters.
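
An added example, not part of the original answer or of any Yocto layer: file capabilities are stored in the `security.capability` extended attribute, so a post-build check can decode that attribute and fail when an image format has dropped it. It assumes `root` is a loop-mounted or extracted image, or `/` on the running target; the function names and the expected-capability mapping are hypothetical.

```python
import os
import struct
import sys

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs
REVISION_PAIRS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}
CAP_NAMES = {0: "cap_chown", 12: "cap_net_admin", 13: "cap_net_raw"}  # subset

def cap_names(mask):
    return [CAP_NAMES.get(b, "cap_%d" % b) for b in range(64) if mask >> b & 1]

def decode_file_caps(raw):
    """Decode a security.capability xattr value (struct vfs_cap_data)."""
    if len(raw) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", raw, 0)  # stored little-endian
    pairs = REVISION_PAIRS.get(magic & VFS_CAP_REVISION_MASK)
    if pairs is None or len(raw) < 4 + 8 * pairs:
        raise ValueError("unknown revision or truncated xattr")
    words = struct.unpack_from("<%dI" % (2 * pairs), raw, 4)
    permitted = sum(words[2 * i] << (32 * i) for i in range(pairs))
    inheritable = sum(words[2 * i + 1] << (32 * i) for i in range(pairs))
    return {"effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
            "permitted": cap_names(permitted),
            "inheritable": cap_names(inheritable)}

def check_root(root, expected):
    """Return the paths from expected ({path: capability}) that lack the capability."""
    missing = []
    for rel, cap in expected.items():
        try:
            path = os.path.join(root, rel.lstrip("/"))
            raw = os.getxattr(path, "security.capability")
            ok = cap in decode_file_caps(raw)["permitted"]
        except (OSError, ValueError):
            ok = False  # no xattr (for example dropped by tar) or not decodable
        if not ok:
            missing.append(rel)
    return missing

# Constructed sample: the on-disk value for cap_net_admin+ep (revision 2).
SAMPLE = struct.pack("<5I", 0x02000001, 1 << 12, 0, 0, 0)

if __name__ == "__main__":  # usage: script ROOT PATH CAPABILITY
    sys.exit(1 if check_root(sys.argv[1], {sys.argv[2]: sys.argv[3]}) else 0)
```

Reading `security.capability` from an image mounted on the build host generally needs root; on the target the same check runs against `/`.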
