1QEMU 9p virtfs proxy filesystem helper 2====================================== 3 4Synopsis 5-------- 6 7**virtfs-proxy-helper** [*OPTIONS*] 8 9Description 10----------- 11 12NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be 13removed, along with this daemon, in a future version of QEMU! 14 15Pass-through security model in QEMU 9p server needs root privilege to do 16few file operations (like chown, chmod to any mode/uid:gid). There are two 17issues in pass-through security model: 18 19- TOCTTOU vulnerability: Following symbolic links in the server could 20 provide access to files beyond 9p export path. 21 22- Running QEMU with root privilege could be a security issue. 23 24To overcome above issues, following approach is used: A new filesystem 25type 'proxy' is introduced. Proxy FS uses chroot + socket combination 26for securing the vulnerability known with following symbolic links. 27Intention of adding a new filesystem type is to allow qemu to run 28in non-root mode, but doing privileged operations using socket IO. 29 30Proxy helper (a stand alone binary part of qemu) is invoked with 31root privileges. Proxy helper chroots into 9p export path and creates 32a socket pair or a named socket based on the command line parameter. 33QEMU and proxy helper communicate using this socket. QEMU proxy fs 34driver sends filesystem request to proxy helper and receives the 35response from it. 36 37The proxy helper is designed so that it can drop root privileges except 38for the capabilities needed for doing filesystem operations. 39 40Options 41------- 42 43The following options are supported: 44 45.. program:: virtfs-proxy-helper 46 47.. option:: -h 48 49 Display help and exit 50 51.. option:: -p, --path PATH 52 53 Path to export for proxy filesystem driver 54 55.. option:: -f, --fd SOCKET_ID 56 57 Use given file descriptor as socket descriptor for communicating with 58 qemu proxy fs drier. Usually a helper like libvirt will create 59 socketpair and pass one of the fds as parameter to this option. 60 61.. option:: -s, --socket SOCKET_FILE 62 63 Creates named socket file for communicating with qemu proxy fs driver 64 65.. option:: -u, --uid UID 66 67 uid to give access to named socket file; used in combination with -g. 68 69.. option:: -g, --gid GID 70 71 gid to give access to named socket file; used in combination with -u. 72 73.. option:: -n, --nodaemon 74 75 Run as a normal program. By default program will run in daemon mode 76