Access to /proc/[pid]/exe may be restricted in certain environments (e.g.
in containers) and any attempt to stat(2) or readlink(2) the file will
result in 'permission denied' error if the calling process does not have
CAP_SYS_PTRACE capability. According to proc(5) manpage:
Permission to dereference or read (readlink(2)) this symbolic link is
governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see
ptrace(2).
If the first call to virPidFileReadPathIfAlive fails with EACCES try to
call it one more time without specifyng swtpm binary path in order to
avoid dereferencing the symlink.
Signed-off-by: Vasiliy Ulyanov <vulyanov@xxxxxxx>
---
src/qemu/qemu_tpm.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c
index 7e7b01768e..9c80e15e9b 100644
--- a/src/qemu/qemu_tpm.c
+++ b/src/qemu/qemu_tpm.c
@@ -261,10 +261,17 @@ qemuTPMEmulatorGetPid(const char *swtpmStateDir,
g_autofree char *swtpm = virTPMGetSwtpm();
g_autofree char *pidfile = qemuTPMEmulatorCreatePidFilename(swtpmStateDir,
shortName);
+ int rc;
+
if (!pidfile)
return -1;
- if (virPidFileReadPathIfAlive(pidfile, pid, swtpm) < 0)
+ rc = virPidFileReadPathIfAlive(pidfile, pid, swtpm);
+ /* If access to /proc/[pid]/exe is restricted then skip the validation of
+ * swtpm binary. */
+ if (rc < 0 && virLastErrorIsSystemErrno(EACCES))
+ rc = virPidFileReadPathIfAlive(pidfile, pid, NULL);
+ if (rc < 0)
return -1;
return 0;
--
2.34.1
