Using libbcm2835 without being root

[Doug McFadyen]

I have been experimenting with different apps that need access to /dev/mem, but I wanted to run these apps without being sudo all the time.

Here's my basic setup steps to make this happen:  https://www.raspberrypi.org/forums/viewtopic.php?f=29&t=52393&p=1639923#p1639923

TL;DR

1. install libcap2

2. add user to kmem group

3. create udev rule to allow read/write access to /dev/mem by kmem group members

4. compile application then set its capability to cap_sys_rawio

I have attached a patch I made to bcm2835 that allows it to work without being root, as long as the above steps are performed once.  This current patch does NOT change the library's behavior in that it will not try to access /dev/mem unless you are root or the rawio capability is set.  See below for another way to handle this.

A slight downside to my current approach is that any app that brings in the bcm2835 library needs to link with -lcap and also needs libcap-dev installed.

A perhaps "cleaner" solution would be for the bcm2835 library to NOT fail/exit if it can't open /dev/mem - it could treat this situation as the same as not being root.  Therefore, /dev/mem can be opened by either running the app as root OR setting its capability to cap_sys_rawio.  If this change was made then the bcm2835 code doesn't need to test the capability flag and then wouldn't need to be linked with -lcap and libcap-dev would not be required.

To set an app to have the rawio capability, this needs to be run once, after the app has been compiled:

sudo setcap cap_sys_rawio+ep myappname

Once this is done, you can run the app without being sudo and bcm2835 will be able to access /dev/mem.

[Mike McCauley]

Hello Doug,

thanks for your thoughtful remarks and patch.

I am reluctant to add a new dependency for all users and perhaps break
existing code/builds. So I have added your patch (slightly modified) but only
enabled when BCM2835_HAVE_LIBCAP is #defined

New version 1.65 has been uploaded for you to test.

Cheers.

> sudo setcap cap_sys_rawio+ep *myappname*

>
>
> Once this is done, you can run the app without being sudo and bcm2835 will
> be able to access /dev/mem.

--
Mike McCauley VK4AMM mi...@airspayce.com
Airspayce Pty Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.airspayce.com 5R3MRFM2+X6
Phone +61 7 5598-7474

[Doug McFadyen]

On Tuesday, April 14, 2020 at 11:51:03 PM UTC-7, Mike McCauley wrote:

I am reluctant to add a new dependency for all users and perhaps break
existing code/builds. So I have added your patch (slightly modified) but only
enabled when  BCM2835_HAVE_LIBCAP is #defined

New version 1.65 has been uploaded for you to test.

Hi Mike,

I agree a new dependency will probably break stuff - good call!

I checked the 1.65 release, I think the second #ifdef BCM2835_HAVE_LIBCAP2 should be #ifdef BCM2835_HAVE_LIBCAP (no 2 at the end).

Also, if anyone is interested in using this, it might be worthwhile to put the prerequisite steps in the header file for the next 1.65+ release.  Somthing like:

// One-time steps needed to support libcap and not-root read/write access to /dev/mem.

// 1. Install libcap support

//    sudo apt-get install libcap2 libcap-dev

// 2. Add current user to kmem group

//    sudo adduser $USER kmem

// 3. Allow write access to /dev/mem by members of kmem group

//    echo 'SUBSYSTEM=="mem", KERNEL=="mem", GROUP="kmem", MODE="0660"' | sudo tee /etc/udev/rules.d/98-mem.rules

//    sudo reboot

Best regards,

Doug.

[Mike McCauley]

Thanks Doug,

You are correct on both counts, new version 1.66 uploaded with credit to you.

Cheers.