Search code examples
iommapmemory-mappinglinux-capabilities

Permission denied for mmap /dev/mem, even with CAP_SYS_RAWIO, but works as root


we have an x86 mainboard, which has some GPIOs that are accessible using MMIO (memory-mapped input/output). The I/O region is located at address 0xfd6d0680 and following (only one page).

The program works fine when executed as root (with sudo). But the call to mmap() fails when executing it as a normal user. This is expected in the normal case, but as far as I understand, it should work when the executable is given the CAP_SYS_RAWIO capability:

$ ./ipc_gpio out=0
Read board name: 'MX370QD'
ERROR: open '/dev/mem' failed: Permission denied (13)
$ sudo setcap CAP_SYS_RAWIO+ep ipc_gpio
$ ./ipc_gpio out=0
Read board name: 'MX370QD'
ERROR: open '/dev/mem' failed: Permission denied (13)
$ sudo ./ipc_gpio out=0
Read board name: 'MX370QD'

$ getcap ipc_gpio
ipc_gpio = cap_sys_rawio+ep

Are there other restrictions in place for this address region? Or is another capability required for this purpose? I suppose that making the executable setuid root (or maybe setgid kmem) would work, but from a security point of view, I'd rather avoid going that far.

Thank you!

Best regards, Philipp


Solution

  • CAP_SYS_RAWIO isn't all you need to access /dev/mem; its regular file permissions apply too. You also need either:

    • setgid kmem
    • change the permissions or set file ACLs on /dev/mem.
    • CAP_DAC_READ_SEARCH (if you just want to read and not write), or
    • CAP_DAC_OVERRIDE