QEMU 9p virtfs proxy filesystem helper
======================================

Synopsis
--------

**virtfs-proxy-helper** [*OPTIONS*]

Description
-----------

NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
removed, along with this daemon, in a future version of QEMU!

The pass-through security model in the QEMU 9p server needs root privilege
to perform a few file operations (like chown, chmod to any mode/uid:gid).
There are two issues with the pass-through security model:

- TOCTTOU vulnerability: Following symbolic links in the server could
  provide access to files beyond the 9p export path.

- Running QEMU with root privilege could be a security issue.

To overcome the above issues, the following approach is used: a new
filesystem type 'proxy' is introduced. Proxy FS uses a chroot + socket
combination to secure against the known vulnerability of following
symbolic links. The intention of adding a new filesystem type is to allow
QEMU to run in non-root mode while performing privileged operations using
socket I/O.

The proxy helper (a standalone binary that is part of QEMU) is invoked with
root privileges. The proxy helper chroots into the 9p export path and creates
a socket pair or a named socket based on the command line parameter.
QEMU and the proxy helper communicate using this socket. The QEMU proxy fs
driver sends filesystem requests to the proxy helper and receives the
responses from it.

The proxy helper is designed so that it can drop root privileges except
for the capabilities needed for doing filesystem operations.

Options
-------

The following options are supported:

.. program:: virtfs-proxy-helper

.. option:: -h

  Display help and exit.

.. option:: -p, --path PATH

  Path to export for the proxy filesystem driver.

.. option:: -f, --fd SOCKET_ID

  Use the given file descriptor as the socket descriptor for communicating
  with the QEMU proxy fs driver. Usually a helper like libvirt will create
  a socketpair and pass one of the fds as the parameter to this option.

.. option:: -s, --socket SOCKET_FILE

  Create a named socket file for communicating with the QEMU proxy fs driver.

.. option:: -u, --uid UID

  uid to give access to the named socket file; used in combination with -g.

.. option:: -g, --gid GID

  gid to give access to the named socket file; used in combination with -u.

.. option:: -n, --nodaemon

  Run as a normal program. By default the program will run in daemon mode.
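
Added example, not code from QEMU or virtfs-proxy-helper: the symlink escape from the export path named in the Description, refused here by a different technique from the helper's chroot, namely a per-component ``openat()`` walk with ``O_NOFOLLOW``. The names ``open_beneath`` and ``demo`` and the temporary tree under ``/tmp`` are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open `rel` beneath directory fd `rootfd` without
 * following any symlink. Each component is opened relative to the previous
 * fd with O_NOFOLLOW, so a link swapped in mid-walk cannot redirect it. */
int open_beneath(int rootfd, const char *rel, int flags)
{
    char buf[4096], *save = NULL, *comp, *next;
    int dirfd, fd;
    if (strlen(rel) >= sizeof(buf)) { errno = ENAMETOOLONG; return -1; }
    dirfd = dup(rootfd);
    for (comp = strtok_r(strcpy(buf, rel), "/", &save); dirfd >= 0 && comp; comp = next) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) { close(dirfd); errno = EACCES; return -1; }
        fd = openat(dirfd, comp, O_NOFOLLOW | O_CLOEXEC |
                    (next ? O_RDONLY | O_DIRECTORY : flags));
        close(dirfd);
        if (!next) return fd;   /* last component: fd or -1 */
        dirfd = fd;             /* descend; -1 ends the loop */
    }
    return dirfd;               /* empty path: the export root, or -1 */
}

/* Constructed tree in /tmp (left behind for inspection): secret,
 * export/data.txt and export/link -> "..". Returns a bitmask: 1 = normal
 * file opened, 2 = symlink escape refused, 4 = ".." escape refused. */
int demo(void)
{
    char tmpl[] = "/tmp/9pdemoXXXXXX";
    int tmpfd, rootfd, fd, res = 0;
    if (!mkdtemp(tmpl) || (tmpfd = open(tmpl, O_RDONLY | O_DIRECTORY)) < 0) return -1;
    close(openat(tmpfd, "secret", O_CREAT | O_WRONLY, 0600));
    if (mkdirat(tmpfd, "export", 0700) || symlinkat("..", tmpfd, "export/link")) return -1;
    rootfd = openat(tmpfd, "export", O_RDONLY | O_DIRECTORY);
    close(openat(rootfd, "data.txt", O_CREAT | O_WRONLY, 0600));
    if ((fd = open_beneath(rootfd, "data.txt", O_RDONLY)) >= 0) { res |= 1; close(fd); }
    if (open_beneath(rootfd, "link/secret", O_RDONLY) < 0) res |= 2;
    if (open_beneath(rootfd, "../secret", O_RDONLY) < 0) res |= 4;
    close(rootfd); close(tmpfd);
    return res;
}
```

This walk also refuses symlinks that stay inside the export, which is stricter than the chroot approach the helper uses.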