The permissions for performing a hypercall from a rich guest app, appear to be linked to the permissions of /dev/uhcallkmod. Which initially has the permissions of crw------- root.
Is there a recommended permission to give this device to allow users/guest apps to perform hypercalls?
You should be able to set the group of the device to the group of the user and set the group permissions to read/write.
Of course, this only applies to the ARM/rpi3 version of uberXMHF.
OK, thanks! However, there still seems to be an issue. Changing the owner/permissions of
/dev/uhcallkmod allows for the hypercall to succeed when called from a non-root user. However, there is an issue with the data being returned.
For example, when running
uhcalltest, when calling the function as non-root, the hypercall succeeds, but there is no data in the
out buffer. Everything works as it did previously when called as the root user (i.e. the out buffer matches the in buffer).
As I looked into this further. A part of the limitation of hypercalls only being allowed for root users, is how libuhcall performs the va2pa operation. Reading from
/proc/self/pagemap requires the user to have
CAP_SYS_ADMIN capabilities. https://unix.stackexchange.com/questions/345915/how-to-change-permission-of-proc-self-pagemap-file/383838#383838
However, simply adding these capabilities to the hypercall process (e.g.,
setcap cap_sys_admin+ep uhcalltest) still results the hypercall not succeeding. When testing a simple function to read
/proc/self/pagemap I receive a permission denied error for opening
Currently, hypcalls requires root privileges to access
/proc/* for translating the virtual address to a physical address.
Converting this to a page table walk within the kernel driver allows for libuhcall to pass the user space virtual address, and the kernel driver to convert this to a physical address used by the
hvc call. Thereby allowing any user with write access to
/dev/uhcallkmod the ability to make a hypercall
Fantastic stuff @Cap! This is very useful
I have moved this post to the appropriate category/post and will create a task thread and pin down your pull request there for further discussions.
Thanks! This does help this thread come full circle.