Hi all and Happy New Year!
My name is Vasiliy, I am an engineer at SUSE. I was playing around with TPM in
libvirt and trying to enable it in KubeVirt. With the emulator I was always
getting "swtpm failed to start" internal error. After debugging the issue I
found that the problem was not actually with starting the emulator but rather
with retrieving the PID.
The code in libvirt currently verifies that /proc/[pid]/exe points to the
correct swtpm binary. In my case an attempt to dereference the symlink from
procfs always resulted in EACCES. Eventually I found this issue [1].
It appears that libvirt needs CAP_SYS_PTRACE otherwise it will not be able to
access the exe link (even if run as root). This can also be observed with the
following reproducer:
$ docker run -it --rm --security-opt apparmor:unconfined --security-opt seccomp:unconfined busybox
/ # adduser -D test
/ # su - test
~ $ sleep infinity &
~ $ exit
/ # stat /proc/$(pidof sleep)/exe
File: stat: /proc/10/exe: cannot read link: Permission denied
Size: 0 Blocks: 0 IO Block: 1024 symbolic link
Device: 6eh/110d Inode: 187271 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 1000/ test) Gid: ( 1000/ test)
Access: 2022-01-03 06:52:39.480790247 +0000
Modify: 2022-01-03 06:52:39.480790247 +0000
Change: 2022-01-03 06:52:39.480790247 +0000
$ docker run -it --rm --security-opt apparmor:unconfined --security-opt seccomp:unconfined --cap-add sys_ptrace busybox
/ # adduser -D test
/ # su - test
~ $ sleep infinity &
~ $ exit
/ # stat /proc/$(pidof sleep)/exe
File: '/proc/10/exe' -> '/bin/sleep'
Size: 0 Blocks: 0 IO Block: 1024 symbolic link
Device: 6eh/110d Inode: 195011 Links: 1
Access: (0777/lrwxrwxrwx) Uid: ( 1000/ test) Gid: ( 1000/ test)
Access: 2022-01-03 07:13:28.003224653 +0000
Modify: 2022-01-03 07:13:28.003224653 +0000
Change: 2022-01-03 07:13:28.003224653 +0000
I tried to adapt the function that retrieves the swtpm PID so it also covers the
use case when libvirt is run in a container without the ptrace capability. The patch
solved the issue for me and I verified that the error is no longer reproducible.
So I wanted to propose that solution to handle the issue. Or maybe someone can
suggest a better alternative which would be more suitable? Would appreciate any
feedback. Thanks.
[1] https://github.com/moby/moby/issues/40713
Vasiliy Ulyanov (1):
qemu_tpm: Get swtpm pid without binary validation
src/qemu/qemu_tpm.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--
2.34.1