Hi all and Happy New Year!

My name is Vasiliy, I am an engineer at SUSE. I was playing around with TPM in libvirt and trying to enable it in KubeVirt. With the emulator I was always getting the "swtpm failed to start" internal error. After debugging the issue I found that the problem was not actually with starting the emulator but rather with retrieving the PID. The code in libvirt currently verifies that /proc/[pid]/exe points to the correct swtpm binary. In my case an attempt to dereference the symlink from procfs always resulted in EACCES. Eventually I found this issue [1]. It appears that libvirt needs CAP_SYS_PTRACE, otherwise it will not be able to access the exe link (even if run as root).

This can also be observed with the following reproducer:

$ docker run -it --rm --security-opt apparmor:unconfined --security-opt seccomp:unconfined busybox
/ # adduser -D test
/ # su - test
~ $ sleep infinity &
~ $ exit
/ # stat /proc/$(pidof sleep)/exe
  File: stat: /proc/10/exe: cannot read link: Permission denied
  Size: 0               Blocks: 0          IO Block: 1024   symbolic link
Device: 6eh/110d        Inode: 187271      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: ( 1000/    test)   Gid: ( 1000/    test)
Access: 2022-01-03 06:52:39.480790247 +0000
Modify: 2022-01-03 06:52:39.480790247 +0000
Change: 2022-01-03 06:52:39.480790247 +0000

$ docker run -it --rm --security-opt apparmor:unconfined --security-opt seccomp:unconfined --cap-add sys_ptrace busybox
/ # adduser -D test
/ # su - test
~ $ sleep infinity &
~ $ exit
/ # stat /proc/$(pidof sleep)/exe
  File: '/proc/10/exe' -> '/bin/sleep'
  Size: 0               Blocks: 0          IO Block: 1024   symbolic link
Device: 6eh/110d        Inode: 195011      Links: 1
Access: (0777/lrwxrwxrwx)  Uid: ( 1000/    test)   Gid: ( 1000/    test)
Access: 2022-01-03 07:13:28.003224653 +0000
Modify: 2022-01-03 07:13:28.003224653 +0000
Change: 2022-01-03 07:13:28.003224653 +0000

I tried to adapt the function that retrieves the swtpm PID so it also covers the use case when libvirt is run in a container without the ptrace capability. The patch solved the issue for me and I verified that the error is no longer reproducible. So I wanted to propose that solution to handle the issue. Or maybe someone can suggest a better alternative which would be more suitable? Would appreciate any feedback.

Thanks.

[1] https://github.com/moby/moby/issues/40713

Vasiliy Ulyanov (1):
  qemu_tpm: Get swtpm pid without binary validation

 src/qemu/qemu_tpm.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

-- 
2.34.1
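The following is an added illustration of the /proc/[pid]/exe check discussed in the message above; it is not part of this message and not libvirt's own code. It shows why a readlink() failure on the exe link should be treated differently from a resolved link that points at the wrong binary: without CAP_SYS_PTRACE (or another way to pass the kernel's ptrace access-mode check) the kernel answers EACCES, and a caller that folds that into "wrong binary" turns a missing capability into a spurious "failed to start" error. The enum, the function names and the default expected path /usr/bin/swtpm are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Outcome of comparing /proc/<pid>/exe with an expected binary path.
 * Names are hypothetical (example only, not a libvirt API). */
typedef enum {
    EXE_MATCH,        /* link resolved and equals the expected path          */
    EXE_MISMATCH,     /* link resolved but points at a different file        */
    EXE_UNVERIFIABLE, /* EACCES/EPERM: ptrace access check denied (no CAP_SYS_PTRACE) */
    EXE_NO_PROCESS,   /* ENOENT/ESRCH: no such pid (or /proc not mounted)    */
    EXE_ERROR         /* any other readlink() failure                        */
} exe_check_t;

/* Map the errno left by readlink() on /proc/<pid>/exe to an outcome.
 * The key point: permission errors mean "cannot verify", not "wrong binary". */
exe_check_t classify_exe_errno(int err)
{
    switch (err) {
    case EACCES:
    case EPERM:
        return EXE_UNVERIFIABLE;
    case ENOENT:
    case ESRCH:
        return EXE_NO_PROCESS;
    default:
        return EXE_ERROR;
    }
}

/* Resolve /proc/<pid>/exe into buf (NUL-terminated) and compare it with
 * expected. A binary that was replaced on disk shows up with a
 * " (deleted)" suffix and therefore compares as EXE_MISMATCH. */
exe_check_t check_proc_exe(pid_t pid, const char *expected,
                           char *buf, size_t buflen)
{
    char link[64];
    ssize_t n;

    snprintf(link, sizeof(link), "/proc/%ld/exe", (long)pid);
    n = readlink(link, buf, buflen - 1);
    if (n < 0) {
        buf[0] = '\0';
        return classify_exe_errno(errno);
    }
    buf[n] = '\0';
    return strcmp(buf, expected) == 0 ? EXE_MATCH : EXE_MISMATCH;
}

const char *exe_check_name(exe_check_t r)
{
    switch (r) {
    case EXE_MATCH:        return "match";
    case EXE_MISMATCH:     return "mismatch";
    case EXE_UNVERIFIABLE: return "unverifiable (missing CAP_SYS_PTRACE?)";
    case EXE_NO_PROCESS:   return "no such process";
    default:               return "error";
    }
}

/* Usage: ./exe_check [pid] [expected-path]; defaults to our own pid and
 * the assumed swtpm location /usr/bin/swtpm. */
int main(int argc, char **argv)
{
    pid_t pid = argc > 1 ? (pid_t)atol(argv[1]) : getpid();
    const char *expected = argc > 2 ? argv[2] : "/usr/bin/swtpm";
    char target[PATH_MAX];
    exe_check_t r = check_proc_exe(pid, expected, target, sizeof(target));

    printf("pid %ld: %s", (long)pid, exe_check_name(r));
    if (target[0] != '\0')
        printf(" (exe -> %s)", target);
    printf("\n");
    return r == EXE_MATCH ? 0 : 1;
}
```

Run inside the unprivileged container from the reproducer against the pid of the `sleep` owned by another user and the result is "unverifiable"; with `--cap-add sys_ptrace` the same call resolves the link and reports match or mismatch. A caller that wants to fall back to a weaker identity check when the outcome is EXE_UNVERIFIABLE can do so explicitly, rather than silently accepting a process it could not inspect.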