Here is a minimal excerpt from my recipe.
fakeroot label_sign_verity() {
...
SETFATTR=${TMPDIR}/sysroots-components/$(uname -m)/attr-native/usr/bin/setfattr
echo $(whoami) #prints root because fakeroot
echo ${USER} #prints my username
echo $(ls -l ${IMAGEDIR}/Image) # -rw-r--r-- 1 1000 1000 (Thats my username uid)
echo ${FAKEROOTCMD} ${SETFATTR} -n security.ima -v 0x${IMA_HEADER_DATA} ${IMAGEDIR}/Image
${SETFATTR} -n security.ima -v 0x${IMA_HEADER_DATA} ${IMAGEDIR}/Image #fails with Operation not permitted.
...
}
While I'm in my bitbake environment, I can copy paste the output of the line before the failing command (identical except it has the pseudo prefix) and it works.
Why does it succeed in my bb environment but not in my recipe?