[PATCH 0/1] qemu_tpm: Get swtpm pid without binary validation

Hi all and Happy New Year! My name is Vasiliy, I am an engineer at SUSE. I was playing around with TPM in libvirt and trying to enable it in KubeVirt. With the emulator I was always getting "swtpm failed to start" internal error. After debugging the issue I found that the problem was not actually with starting the emulator but rather with retrieving the PID. The code in libvirt currently verifies that /proc/[pid]/exe points to the correct swtpm binary. In my case an attempt to dereference the symlink from procfs always resulted in EACCES. Eventually I found this issue [1]. It appears that libvirt needs CAP_SYS_PTRACE otherwise it will not be able to access the exe link (even if run as root). This can also be observed with the following reproducer: $ docker run -it --rm --security-opt apparmor:unconfined --security-opt seccomp:unconfined busybox / # adduser -D test / # su - test ~ $ sleep infinity & ~ $ exit / # stat /proc/$(pidof sleep)/exe File: stat: /proc/10/exe: cannot read link: Permission denied Size: 0 Blocks: 0 IO Block: 1024 symbolic link Device: 6eh/110d Inode: 187271 Links: 1 Access: (0777/lrwxrwxrwx) Uid: ( 1000/ test) Gid: ( 1000/ test) Access: 2022-01-03 06:52:39.480790247 +0000 Modify: 2022-01-03 06:52:39.480790247 +0000 Change: 2022-01-03 06:52:39.480790247 +0000 $ docker run -it --rm --security-opt apparmor:unconfined --security-opt seccomp:unconfined --cap-add sys_ptrace busybox / # adduser -D test / # su - test ~ $ sleep infinity & ~ $ exit / # stat /proc/$(pidof sleep)/exe File: '/proc/10/exe' -> '/bin/sleep' Size: 0 Blocks: 0 IO Block: 1024 symbolic link Device: 6eh/110d Inode: 195011 Links: 1 Access: (0777/lrwxrwxrwx) Uid: ( 1000/ test) Gid: ( 1000/ test) Access: 2022-01-03 07:13:28.003224653 +0000 Modify: 2022-01-03 07:13:28.003224653 +0000 Change: 2022-01-03 07:13:28.003224653 +0000 I tried to adapt the function that retrieves swtpm PID so it also covers the usecase when libvirt is run in a container without ptrace capability. The patch solved the issue for me and I verified that the error is no more reproducible. So I wanted to propose that solution to handle the issue. Or maybe someone can suggest a better alternative which would be more suitable? Would appreciate any feedback. Thanks. [1] https://github.com/moby/moby/issues/40713 Vasiliy Ulyanov (1): qemu_tpm: Get swtpm pid without binary validation src/qemu/qemu_tpm.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) -- 2.34.1