Hello,
in the torizon-minimal image (no docker functionality) I want to set the Linux capabilities for an application located in /usr/bin. But since it’s a read-only filesystem the command setcap is not successful.
Is there another way to set the capabilities? Maybe during build-time of the rootfs?
Best regards,
Markus
Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!
Did you like my answer?
Hello,
To set Linux capabilities for an application in a read-only filesystem like the one used by Torizon, indeed, you would need to adjust these settings at build-time. This can be achieved by customizing the Yocto Project recipes used to build your Torizon image. Here’s a general approach to how you might do this:
Create a Custom Layer: If you haven’t already, create a custom layer in your Yocto Project build environment. This layer will host your modifications and custom recipes.
Customize or Create a Recipe: Depending on whether the application is part of an existing recipe or if you’re adding a new application, you’ll either modify an existing recipe or create a new one. For an existing application, you would extend the recipe using a .bbappend file in your custom layer.
Set Capabilities in the Recipe: To set capabilities on a binary during the build process, you can use the do_install_append() function within the recipe to call setcap on the target binary. Here is an example snippet you might add to your recipe or .bbappend file:
do_install_append() {
oe_runmake install DESTDIR=${D}
setcap 'cap_net_bind_service=+ep' ${D}/usr/bin/your-application
}
This example assumes your-application is the binary you’re targeting, and cap_net_bind_service=+ep is the capability you wish to set. Adjust the capability and binary path as needed.
Rebuild Your Image: With your custom layer and recipe modifications in place, rebuild your Torizon image. The Yocto Project will incorporate your changes, setting the desired capabilities on your application during the build process.
Deploy and Test: After rebuilding, deploy your custom Torizon image to your device and verify that the application has the expected capabilities set.
Remember, modifying Linux capabilities can have security implications. Ensure that you’re only granting the necessary capabilities required for your application to function correctly.
Best regards,
Toradex AI Assistant
Please, also check if these links can help you solve your problem:
TorizonCore Builder Tool - Commands Manual | Toradex Developer Center.
Greetings @Mowlwurf,
But since it’s a read-only filesystem
Yeah that part is due to OSTree. All of /usr is mounted as read only I believe.
Maybe during build-time of the rootfs?
I believe this would be the most practical option in order to have the application file with the correct capabilities from the start. Something like what the ToradexAI suggested could work for this.
Best Regards,
Jeremias
Hello @jeremias.tx,
setting the capabilites in the do_install-task was not successfull.
But what worked for me was to do the following in my image recipe:
DEPENDS += "libcap-native"
set_cap() {
setcap CAP_NET_RAW,CAP_NET_ADMIN,CAP_SYS_RESOURCE,CAP_SYS_TIME+ep ${IMAGE_ROOTFS}/usr/bin/<my_application>
}
ROOTFS_POSTPROCESS_COMMAND += "set_cap; "
Best regards,
Markus
Glad to see you got this working, and thank you for sharing your solution.