Permissions for performing a hypercall

The permissions for performing a hypercall from a rich guest app appear to be linked to the permissions of /dev/uhcallkmod, which initially has the permissions of crw------- root.

Is there a recommended permission to give this device to allow users/guest apps to perform hypercalls?

You should be able to set the group of the device to the group of the user and set the group permissions to read/write.

Of course, this only applies to the ARM/rpi3 version of uberXMHF.

OK, thanks! However, there still seems to be an issue. Changing the owner/permissions of /dev/uhcallkmod allows for the hypercall to succeed when called from a non-root user. However, there is an issue with the data being returned.

For example, when running uhcalltest, when calling the function as non-root, the hypercall succeeds, but there is no data in the out[] buffer. Everything works as it did previously when called as the root user (i.e. the out buffer matches the in buffer).

As I looked into this further, a part of the limitation of hypercalls only being allowed for root users is how libuhcall performs the va2pa operation. Reading from /proc/self/pagemap requires the user to have CAP_SYS_ADMIN capabilities.

However, simply adding these capabilities to the hypercall process (e.g., setcap cap_sys_admin+ep uhcalltest) still results in the hypercall not succeeding. When testing a simple function to read /proc/self/pagemap, I receive a permission denied error for opening /proc/self/pagemap.
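For reference, an added example (not libuhcall's code and not from any poster in this thread) of a user-space va2pa over /proc/self/pagemap that fails closed. Linux 4.0 and 4.1 refuse the open without CAP_SYS_ADMIN, and from 4.2 on the open succeeds but the PFN field reads as zero, so a translation that does not check for a zero PFN hands the hypervisor a wrong physical address. The names pagemap_decode, va2pa_self and the status enum are hypothetical.

```c
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>

/* Entry layout per the Linux pagemap documentation: one 64-bit entry per virtual page. */
#define PM_PRESENT  (1ULL << 63)          /* page is in RAM */
#define PM_SWAPPED  (1ULL << 62)          /* page is in swap */
#define PM_PFN_MASK ((1ULL << 55) - 1)    /* bits 0-54: page frame number */

enum va2pa_status { VA2PA_OK = 0, VA2PA_NOT_PRESENT, VA2PA_PFN_HIDDEN, VA2PA_IO_ERROR };

/* Decode one pagemap entry into a physical address (hypothetical helper). */
enum va2pa_status pagemap_decode(uint64_t entry, uint64_t va,
                                 uint64_t page_size, uint64_t *pa)
{
    if (!(entry & PM_PRESENT) || (entry & PM_SWAPPED))
        return VA2PA_NOT_PRESENT;         /* touch or mlock the buffer first */
    uint64_t pfn = entry & PM_PFN_MASK;
    if (pfn == 0)                         /* kernel zeroed the PFN: no CAP_SYS_ADMIN */
        return VA2PA_PFN_HIDDEN;          /* never pass PA 0 on to the hypercall */
    *pa = pfn * page_size + (va % page_size);
    return VA2PA_OK;
}

/* Translate an address in the calling process (hypothetical helper). */
enum va2pa_status va2pa_self(const void *ptr, uint64_t *pa)
{
    uint64_t va = (uint64_t)(uintptr_t)ptr, entry = 0;
    uint64_t ps = (uint64_t)sysconf(_SC_PAGESIZE);
    int fd = open("/proc/self/pagemap", O_RDONLY);
    if (fd < 0)
        return VA2PA_IO_ERROR;            /* e.g. EPERM/EACCES on the open itself */
    off_t off = (off_t)((va / ps) * sizeof entry);
    ssize_t n = -1;
    if (lseek(fd, off, SEEK_SET) == off)
        n = read(fd, &entry, sizeof entry);
    close(fd);
    if (n != (ssize_t)sizeof entry)
        return VA2PA_IO_ERROR;
    return pagemap_decode(entry, va, ps, pa);
}
```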

Currently, hypercalls require root privileges to access /proc/* for translating the virtual address to a physical address.

Converting this to a page table walk within the kernel driver allows for libuhcall to pass the user space virtual address, and the kernel driver to convert this to a physical address used by the hvc call, thereby allowing any user with write access to /dev/uhcallkmod the ability to make a hypercall :smile:

Fantastic stuff @Cap! This is very useful :slight_smile:

I have moved this post to the appropriate category/post and will create a task thread and pin down your pull request there for further discussions.

Thanks again!

Thanks! This does help this thread come full circle. :slight_smile: