From: Vasiliy Ulyanov
To: libvir-list@redhat.com
Subject: [PATCH v3 2/3] qemu: tpm: Get swtpm pid without binary validation
Date: Wed, 2 Feb 2022 17:28:16 +0100
Message-Id: <20220202162817.16258-3-vulyanov@suse.de>
In-Reply-To: <20220202162817.16258-1-vulyanov@suse.de>

Access to /proc/[pid]/exe may be restricted in certain environments (e.g. in containers) and any attempt to stat(2) or readlink(2) the file will result in a 'permission denied' error if the calling process does not have the CAP_SYS_PTRACE capability.
According to proc(5) manpage: Permission to dereference or read (readlink(2)) this symbolic link is governed by a ptrace access mode PTRACE_MODE_READ_FSCREDS check; see ptrace(2). The binary validation in virPidFileReadPathIfAlive may fail with EACCES. Therefore instead do only the check that the pidfile is locked by the correct process. To ensure this is always the case the daemonization and pidfile handling of the swtpm command is now controlled by libvirt. Signed-off-by: Vasiliy Ulyanov --- src/qemu/qemu_tpm.c | 40 +++++++++++++++++++++++++--------------- 1 file changed, 25 insertions(+), 15 deletions(-) diff --git a/src/qemu/qemu_tpm.c b/src/qemu/qemu_tpm.c index 7e7b01768e..47c7891a4f 100644 --- a/src/qemu/qemu_tpm.c +++ b/src/qemu/qemu_tpm.c @@ -258,13 +258,13 @@ qemuTPMEmulatorGetPid(const char *swtpmStateDir, const char *shortName, pid_t *pid) { - g_autofree char *swtpm =3D virTPMGetSwtpm(); g_autofree char *pidfile =3D qemuTPMEmulatorCreatePidFilename(swtpmSta= teDir, shortName); + if (!pidfile) return -1; =20 - if (virPidFileReadPathIfAlive(pidfile, pid, swtpm) < 0) + if (virPidFileReadPathIfLocked(pidfile, pid) < 0) return -1; =20 return 0; @@ -721,7 +721,7 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, =20 virCommandClearCaps(cmd); =20 - virCommandAddArgList(cmd, "socket", "--daemon", "--ctrl", NULL); + virCommandAddArgList(cmd, "socket", "--ctrl", NULL); virCommandAddArgFormat(cmd, "type=3Dunixio,path=3D%s,mode=3D0600", tpm->data.emulator.source->data.nix.path); =20 @@ -751,8 +751,8 @@ qemuTPMEmulatorBuildCommand(virDomainTPMDef *tpm, if (!(pidfile =3D qemuTPMEmulatorCreatePidFilename(swtpmStateDir, shor= tName))) goto error; =20 - virCommandAddArg(cmd, "--pid"); - virCommandAddArgFormat(cmd, "file=3D%s", pidfile); + virCommandSetPidFile(cmd, pidfile); + virCommandDaemonize(cmd); =20 if (tpm->data.emulator.hassecretuuid) { if (!virTPMSwtpmCapsGet(VIR_TPM_SWTPM_FEATURE_CMDARG_PWD_FD)) { 
@@ -905,7 +905,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver, { g_autoptr(virCommand) cmd =3D NULL; int exitstatus =3D 0; - g_autofree char *errbuf =3D NULL; + VIR_AUTOCLOSE errfd =3D -1; g_autoptr(virQEMUDriverConfig) cfg =3D NULL; g_autofree char *shortName =3D virDomainDefGetShortName(vm->def); int cmdret =3D 0, timeout, rc; @@ -930,7 +930,7 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver, if (qemuExtDeviceLogCommand(driver, vm, cmd, "TPM Emulator") < 0) return -1; =20 - virCommandSetErrorBuffer(cmd, &errbuf); + virCommandSetErrorFD(cmd, &errfd); =20 if (qemuSecurityStartTPMEmulator(driver, vm, cmd, cfg->swtpm_user, cfg->swtpm_group, @@ -938,23 +938,33 @@ qemuExtTPMStartEmulator(virQEMUDriver *driver, return -1; =20 if (cmdret < 0 || exitstatus !=3D 0) { - virReportError(VIR_ERR_INTERNAL_ERROR, - _("Could not start 'swtpm'. exitstatus: %d, " - "error: %s"), exitstatus, errbuf); + char errbuf[1024] =3D { 0 }; + + if (saferead(errfd, errbuf, sizeof(errbuf) - 1) < 0) { + virReportSystemError(errno, + _("Could not start 'swtpm'. exitstatus: %= d"), + exitstatus); + } else { + virReportError(VIR_ERR_INTERNAL_ERROR, + _("Could not start 'swtpm'. exitstatus: %d, " + "error: %s"), exitstatus, errbuf); + } + return -1; } =20 - /* check that the swtpm has written its pid into the file */ + /* check that the swtpm has written its pid into the file and the cont= rol + * socket has been created. */ + rc =3D qemuTPMEmulatorGetPid(cfg->swtpmStateDir, shortName, &pid); + if ((rc =3D=3D 0 && pid =3D=3D (pid_t)-1) || rc < 0) + goto error; timeout =3D 1000; /* ms */ while (timeout > 0) { - rc =3D qemuTPMEmulatorGetPid(cfg->swtpmStateDir, shortName, &pid); - if (rc < 0) { + if (!virFileExists(tpm->data.emulator.source->data.nix.path)) { timeout -=3D 50; g_usleep(50 * 1000); continue; } - if (rc =3D=3D 0 && pid =3D=3D (pid_t)-1) - goto error; break; } if (timeout <=3D 0) --=20 2.34.1
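
Review bot: in the qemuTPMEmulatorGetPid() hunk, the switch to virPidFileReadPathIfLocked(pidfile, pid) changes what a successful return means and nothing in the hunk documents it. The caller later in this patch treats rc == 0 with pid == (pid_t)-1 as a failure, so the function comment should state that 0 can be returned with *pid set to -1, and that the returned pid is no longer tied to the swtpm binary path but only to whichever process holds the pidfile lock.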
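
Review bot: at virCommandSetPidFile(cmd, pidfile) and virCommandDaemonize(cmd) in qemuTPMEmulatorBuildCommand(), a short code comment should say why swtpm's own "--daemon" and "--pid file=" arguments are no longer passed. The commit message gives the reason (the lock check needs libvirt to control daemonization and the pidfile), but in the code the "--daemon" removal and the pidfile change sit in two separate hunks with no visible link, so a later change that re-adds either argument could undermine the check in qemuTPMEmulatorGetPid() without anyone noticing.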
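
Review bot: in qemuExtTPMStartEmulator(), errfd is declared VIR_AUTOCLOSE and passed to virCommandSetErrorFD(cmd, &errfd), but it is only read in the cmdret < 0 || exitstatus != 0 branch, so on the success path the descriptor is closed at return without being drained. Please confirm what the daemonized swtpm's stderr refers to after that point and whether later writes to it can fail; if they can, say so in a comment or direct stderr somewhere that outlives this function.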
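
Review bot: in the last hunk, the wait loop now polls virFileExists(tpm->data.emulator.source->data.nix.path), which only shows that a path exists, not that this swtpm instance created it or is accepting connections on it; a socket file left over from an earlier run would end the loop on the first iteration. Consider removing any existing socket path before starting swtpm, or checking the socket more strictly. Two smaller points in the same hunk: the comment still says swtpm "has written its pid into the file" although the pidfile is now set up through virCommandSetPidFile(), and the condition (rc == 0 && pid == (pid_t)-1) || rc < 0 reads more simply as rc < 0 || pid == (pid_t)-1. When saferead() returns 0 bytes, the reported message ends in "error: " followed by an empty string, which is worth handling explicitly.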
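
The lock-based check described in the commit message, as an added C illustration (not code from this patch or from libvirt). The hypothetical pidfile_read_if_locked() assumes the pidfile owner holds an fcntl() write lock on the first byte of the file, and it additionally compares the lock owner reported by F_GETLK with the pid recorded in the file.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not libvirt's virPidFileReadPathIfLocked().
 * Assumes the owner holds an fcntl() write lock on byte 0 of its pidfile.
 * Returns 0 with *pid = recorded pid when that pid also owns the lock,
 * 0 with *pid = -1 when unlocked or locked by another pid, -1 on error. */
int pidfile_read_if_locked(const char *path, pid_t *pid)
{
    struct flock fl = { .l_type = F_WRLCK, .l_whence = SEEK_SET,
                        .l_start = 0, .l_len = 1 };
    char buf[32] = { 0 }, *end;
    ssize_t n;
    long val;
    int rc, fd = open(path, O_RDONLY);

    if (fd < 0)
        return -1;
    n = read(fd, buf, sizeof(buf) - 1);
    /* F_GETLK only queries: l_type becomes F_UNLCK if no other process
     * holds a conflicting lock, otherwise l_pid names the lock owner. */
    rc = fcntl(fd, F_GETLK, &fl);
    close(fd);
    if (n <= 0 || rc < 0)
        return -1;

    errno = 0;
    val = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || val <= 0)
        return -1;

    /* No /proc/[pid]/exe lookup, so no CAP_SYS_PTRACE is needed. */
    *pid = (fl.l_type != F_UNLCK && fl.l_pid == (pid_t)val) ? (pid_t)val
                                                            : (pid_t)-1;
    return 0;
}

int main(int argc, char **argv)
{
    pid_t pid = -1;
    if (argc != 2 || pidfile_read_if_locked(argv[1], &pid) < 0)
        return 1;
    printf("%ld\n", (long)pid);
    return 0;
}
```

A pidfile that still contains a pid but is no longer locked is reported as -1, which is the stale-pidfile case a caller has to treat as "not running".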