bernardoaraujo_ | hi everyone. I would like some help with AGL filesystem permissions. Here's my scenario: | 16:55 |
---|---|---|
bernardoaraujo_ | I appended agl-users_0.1.bb with the following: | 16:55 |
bernardoaraujo_ | USERADD_PARAM_${PN} += "; -u 1008 -r -g my_group my_user;" | 16:55 |
bernardoaraujo_ | GROUPADD_PARAM_${PN} += "; -g 1008 my_group;" | 16:55 |
bernardoaraujo_ | do_install () { | 16:55 |
bernardoaraujo_ | install -d -m 775 ${D}${localstatedir}/lib/my_app | 16:55 |
bernardoaraujo_ | chgrp -R my_group ${D}${localstatedir}/lib/my_app | 16:55 |
bernardoaraujo_ | } | 16:55 |
bernardoaraujo_ | When I try to write to /var/lib/my_app as my_user I keep getting "Permission denied". | 16:55 |
bernardoaraujo_ | I wonder if that's related to some security feature of the filesystem? | 16:55 |
dl9pf | bernardoaraujo_: AGL uses SMACK, so user/group is not the only level of permissions. | 17:12 |
bernardoaraujo_ | dl9pf: thanks for your response. What are the other permission settings that I should set up on the SMACK scheme? | 17:13 |
dl9pf | do you expect my_app to run in the UI? | 17:16 |
dl9pf | initially, you can widen permissions with 'chsmack'. | 17:17 |
dl9pf | But you'll have to make your app an AGL wgt and install it as such. | 17:17 |
dl9pf | E.g. check out the current dashboard or hvac as examples. | 17:18 |
dl9pf | They're in our git and you can learn how they work from there. | 17:18 |
bernardoaraujo_ | no, it's just a systemd service | 17:18 |
bernardoaraujo_ | that writes into /var/lib/my_app as my_user | 17:19 |
dl9pf | ah ok | 17:19 |
bernardoaraujo_ | are those steps necessary in this case as well? | 17:21 |
dl9pf | then try 'chsmack -a "*" /var/lib/my_app' | 17:23 |
dl9pf | after that, check dmesg for 'audit' messages, which tell you what was denied. | 17:23 |
dl9pf | wrt smack check out: https://www.kernel.org/doc/html/v4.15/admin-guide/LSM/Smack.html#access-rules | 17:23 |
bernardoaraujo_ | chsmack seems to have worked! thanks! | 18:07 |
bernardoaraujo_ | how to enforce that at build time? are there any recipes I can append for this purpose? | 18:07 |
bernardoaraujo_ | I appended this to agl-users_0.1.bb as well (after do_install)... maybe not the cleanest solution, but it works | 19:09 |
bernardoaraujo_ | pkg_postinst_ontarget_${PN}() { | 19:09 |
bernardoaraujo_ | chsmack -a "*" /var/lib/my_app | 19:09 |
bernardoaraujo_ | } | 19:09 |
smurray | bernardoaraujo_: what does "my_app" do, exactly? If it's some type of daemon that's always going to be in the image, just add the user to the static user list and bake it in, none of this would be required | 20:18 |
bernardoaraujo_ | smurray: yes it's a daemon... do you mean meta-agl/meta-agl-profile-core/files/passwd? I was already adding my_user to that list, but I was still getting Permission denied | 20:20 |
smurray | bernardoaraujo_: do you create the directory under /var/lib in your recipe? If you do, I'd expect it to end up in the image with the right user and permissions | 20:23 |
smurray | bernardoaraujo_: if you don't and "my_app" tries to create it at runtime, it would be my expectation that would fail | 20:23 |
bernardoaraujo_ | yes, I've done this process on my own Poky-based distro without problems... this permission issue happened on AGL specifically, and manually running chsmack fixed it | 20:25 |