1QEMU 9p virtfs proxy filesystem helper
2======================================
3
4Synopsis
5--------
6
7**virtfs-proxy-helper** [*OPTIONS*]
8
9Description
10-----------
11
12NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
13removed, along with this daemon, in a future version of QEMU!
14
15Pass-through security model in QEMU 9p server needs root privilege to do
16few file operations (like chown, chmod to any mode/uid:gid).  There are two
17issues in pass-through security model:
18
19- TOCTTOU vulnerability: Following symbolic links in the server could
20  provide access to files beyond 9p export path.
21
22- Running QEMU with root privilege could be a security issue.
23
24To overcome above issues, following approach is used: A new filesystem
25type 'proxy' is introduced. Proxy FS uses chroot + socket combination
26for securing the vulnerability known with following symbolic links.
27Intention of adding a new filesystem type is to allow qemu to run
28in non-root mode, but doing privileged operations using socket IO.
29
30Proxy helper (a stand alone binary part of qemu) is invoked with
31root privileges. Proxy helper chroots into 9p export path and creates
32a socket pair or a named socket based on the command line parameter.
33QEMU and proxy helper communicate using this socket. QEMU proxy fs
34driver sends filesystem request to proxy helper and receives the
35response from it.
36
37The proxy helper is designed so that it can drop root privileges except
38for the capabilities needed for doing filesystem operations.
39
40Options
41-------
42
43The following options are supported:
44
45.. program:: virtfs-proxy-helper
46
47.. option:: -h
48
49  Display help and exit
50
51.. option:: -p, --path PATH
52
53  Path to export for proxy filesystem driver
54
55.. option:: -f, --fd SOCKET_ID
56
57  Use given file descriptor as socket descriptor for communicating with
58  qemu proxy fs drier. Usually a helper like libvirt will create
59  socketpair and pass one of the fds as parameter to this option.
60
61.. option:: -s, --socket SOCKET_FILE
62
63  Creates named socket file for communicating with qemu proxy fs driver
64
65.. option:: -u, --uid UID
66
67  uid to give access to named socket file; used in combination with -g.
68
69.. option:: -g, --gid GID
70
71  gid to give access to named socket file; used in combination with -u.
72
73.. option:: -n, --nodaemon
74
75  Run as a normal program. By default program will run in daemon mode
76