[PATCH 1/1] qemu_tpm: Get swtpm pid without binary validation

Access to /proc/[pid]/exe may be restricted in certain environments (e.g. in containers) and any attempt to stat(2) or readlink(2) the file will result in 'permission denied' error if the calling process does not have CAP_SYS_PTRACE capability. According to proc(5) manpage: Permission to dereference or read (readlink(2)) this symbolic link is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2). If the first call to virPidFileReadPathIfAlive fails with EACCES try to call it one more time without specifyng swtpm binary path in order to avoid dereferencing the symlink. Signed-off-by: Vasiliy Ulyanov <vulyanov(a)suse.de&gt; --- src/qemu/qemu_tpm.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 7e7b01768e..9c80e15e9b 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -261,10 +261,17 @@ qemuTPMEmulatorGetPid(const char *swtpmStateDir, g_autofree char *swtpm = virTPMGetSwtpm(); g_autofree char *pidfile = qemuTPMEmulatorCreatePidFilename(swtpmStateDir, shortName); + int rc; + if (!pidfile) return -1; - if (virPidFileReadPathIfAlive(pidfile, pid, swtpm) < 0) + rc = virPidFileReadPathIfAlive(pidfile, pid, swtpm); + /* If access to /proc/[pid]/exe is restricted then skip the validation of + * swtpm binary. */ + if (rc < 0 && virLastErrorIsSystemErrno(EACCES)) + rc = virPidFileReadPathIfAlive(pidfile, pid, NULL); + if (rc < 0) return -1; return 0; -- 2.34.1