QEMU 9p virtfs proxy filesystem helper
======================================

Synopsis
--------

**virtfs-proxy-helper** [*OPTIONS*]

Description
-----------

The pass-through security model in the QEMU 9p server needs root privilege
to do a few file operations (like chown, chmod to any mode/uid:gid). There
are two issues with the pass-through security model:

- TOCTTOU vulnerability: Following symbolic links in the server could
  provide access to files beyond the 9p export path.

- Running QEMU with root privilege could be a security issue.

To overcome these issues, the following approach is used: a new filesystem
type 'proxy' is introduced. Proxy FS uses a chroot + socket combination
to close the vulnerability associated with following symbolic links.
The intention of adding a new filesystem type is to allow QEMU to run
in non-root mode while doing privileged operations through socket I/O.

The proxy helper (a standalone binary that is part of QEMU) is invoked with
root privileges. It chroots into the 9p export path and creates
a socket pair or a named socket, depending on the command-line parameter.
QEMU and the proxy helper communicate using this socket. The QEMU proxy fs
driver sends filesystem requests to the proxy helper and receives the
responses from it.

The proxy helper is designed so that it can drop root privileges except
for the capabilities needed for doing filesystem operations.

Options
-------

The following options are supported:

.. program:: virtfs-proxy-helper

.. option:: -h

   Display help and exit.

.. option:: -p, --path PATH

   Path to export for the proxy filesystem driver.

.. option:: -f, --fd SOCKET_ID

   Use the given file descriptor as the socket descriptor for communicating
   with the QEMU proxy fs driver. Usually a helper like libvirt will create
   a socketpair and pass one of the fds as the parameter to this option.

.. option:: -s, --socket SOCKET_FILE

   Create a named socket file for communicating with the QEMU proxy fs driver.

.. option:: -u, --uid UID

   uid to give access to the named socket file; used in combination with -g.

.. option:: -g, --gid GID

   gid to give access to the named socket file; used in combination with -u.

.. option:: -n, --nodaemon

   Run as a normal program. By default the program runs in daemon mode.
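
The symbolic-link problem named in the Description, as an added example (not QEMU code). The helper itself confines path resolution with chroot, which needs root; this example substitutes an unprivileged technique, a per-component ``openat()`` walk with ``O_NOFOLLOW``, to show the same confinement on a constructed temporary tree. ``open_beneath`` and ``demo`` are hypothetical names.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open rel below directory fd root one component at a
 * time, refusing symlinks and "..", so it cannot leave the export. fd or -1. */
int open_beneath(int root, const char *rel)
{
    char buf[4096], *save, *tok;
    int dir, fd;

    if (strlen(rel) >= sizeof(buf) || (dir = dup(root)) < 0)
        return -1;
    strcpy(buf, rel);
    for (tok = strtok_r(buf, "/", &save); tok; tok = strtok_r(NULL, "/", &save)) {
        if (strcmp(tok, "..") == 0) { close(dir); return -1; }
        fd = openat(dir, tok, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        close(dir);                 /* parent fd is no longer needed */
        if (fd < 0) return -1;      /* ELOOP here means tok was a symlink */
        dir = fd;
    }
    return dir;
}

/* Constructed tree: <tmp>/secret, <tmp>/export/ok, <tmp>/export/link -> ../secret.
 * Returns bit 0: plain open() escaped the export via the link; bit 1:
 * open_beneath() refused the link; bit 2: it still opened the regular file. */
int demo(void)
{
    char tmp[] = "/tmp/9p-demo-XXXXXX";
    int root, fd, r = 0;

    if (!mkdtemp(tmp) || chdir(tmp) || mkdir("export", 0700)) return -1;
    close(open("secret", O_CREAT | O_WRONLY, 0600));
    close(open("export/ok", O_CREAT | O_WRONLY, 0600));
    if (symlink("../secret", "export/link")) return -1;
    root = open("export", O_RDONLY | O_DIRECTORY);
    if ((fd = open("export/link", O_RDONLY)) >= 0) { r |= 1; close(fd); }
    if ((fd = open_beneath(root, "link")) < 0) r |= 2; else close(fd);
    if ((fd = open_beneath(root, "ok")) >= 0) { r |= 4; close(fd); }
    close(root);
    return r;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

Because every component is resolved relative to an already-open directory descriptor and symlinks are rejected at open time, there is no window between checking a path and using it.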