QEMU 9p virtfs proxy filesystem helper
======================================

Synopsis
--------

**virtfs-proxy-helper** [*OPTIONS*]

Description
-----------

The pass-through security model of the QEMU 9p server needs root privileges
for a few file operations (such as chown, and chmod to an arbitrary
mode/uid:gid). The pass-through model has two problems:

- TOCTTOU vulnerability: following symbolic links on the server side can
  give the guest access to files outside the 9p export path.

- Running QEMU itself with root privileges is a security risk in its own
  right.

To overcome these issues, a new filesystem type, 'proxy', is introduced.
Proxy FS combines a chroot with a socket: the chroot confines path
resolution, symbolic links included, to the export directory, and the
socket lets QEMU run without root while handing the privileged file
operations to a separate helper over socket IO.

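The paragraphs above name the symbolic-link escape and explain why a chroot in a separate helper, rather than a path check inside the server, is used to close it. The Python below is an added example (not code from QEMU or virtfs-proxy-helper) that builds a throwaway export directory and shows both the plain symlink escape and the check-then-open race that defeats a realpath check. The directory layout, file names and contents are constructed for the demo.

```python
"""Symlink escape in a naive host-side file server, and why a path check
does not fix it.  Added example; not code from QEMU or virtfs-proxy-helper.
Everything it touches lives in a temporary directory it creates itself."""
import os
import shutil
import tempfile


def setup_export():
    """Constructed fixture: an export dir with one file, plus a 'secret' outside it."""
    base = tempfile.mkdtemp(prefix="virtfs-demo-")
    export = os.path.join(base, "export")
    os.mkdir(export)
    with open(os.path.join(export, "hello.txt"), "w") as f:
        f.write("inside export\n")
    secret = os.path.join(base, "host-secret.txt")
    with open(secret, "w") as f:
        f.write("outside export\n")
    return base, export, secret


def naive_read(export, guest_path):
    """Server that joins the guest-supplied name onto the export and opens it.
    Symlinks are followed wherever they point: this is the escape."""
    with open(os.path.join(export, guest_path)) as f:
        return f.read()


def checked_read(export, guest_path, between_check_and_open=None):
    """Server that checks the resolved path stays under the export before opening.
    `between_check_and_open` stands in for a guest that races the server."""
    full = os.path.join(export, guest_path)
    root = os.path.realpath(export)
    resolved = os.path.realpath(full)
    if os.path.commonpath([root, resolved]) != root:
        raise PermissionError(f"{guest_path!r} resolves outside the export")
    if between_check_and_open is not None:
        between_check_and_open()           # the TOCTTOU window
    with open(full) as f:                  # the kernel resolves the path again here
        return f.read()


def demo():
    """Returns (leaked_by_naive_server, blocked_by_check, leaked_through_race)."""
    base, export, secret = setup_export()
    try:
        # 1. Guest creates a symlink in the share that points outside it.
        os.symlink(secret, os.path.join(export, "escape"))
        leaked = naive_read(export, "escape")

        # 2. A realpath check rejects the pre-existing link ...
        try:
            checked_read(export, "escape")
            blocked = False
        except PermissionError:
            blocked = True

        # 3. ... but not a link swapped in after the check and before the open.
        victim = os.path.join(export, "hello.txt")

        def swap_for_symlink():
            os.remove(victim)
            os.symlink(secret, victim)

        raced = checked_read(export, "hello.txt", swap_for_symlink)
        return leaked, blocked, raced
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

No root is needed to run it. Inside a chroot to the export directory, the same symlink target would be resolved relative to the new root and could not name a file outside the export, no matter when the guest swaps the link in; that is the property the helper relies on instead of a racy check.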
The proxy helper (a stand-alone binary that is part of QEMU) is invoked with
root privileges. It chroots into the 9p export path and, depending on the
command line, either creates a named socket or uses a socket pair passed in
by its parent. QEMU and the proxy helper communicate over this socket: the
QEMU proxy fs driver sends each filesystem request to the helper and
receives the response from it.

The proxy helper is designed so that it can drop root privileges except for
the capabilities needed for the filesystem operations. This matters because
a chroot alone does not contain a process that keeps full root privileges;
the capability drop is what limits what a compromised helper could do.

36 | ||
37 | Options | |
38 | ------- | |
39 | ||
40 | The following options are supported: | |
41 | ||
42 | .. program:: virtfs-proxy-helper | |
43 | ||
44 | .. option:: -h | |
45 | ||
46 | Display help and exit | |
47 | ||
48 | .. option:: -p, --path PATH | |
49 | ||
50 | Path to export for proxy filesystem driver | |
51 | ||
52 | .. option:: -f, --fd SOCKET_ID | |
53 | ||
54 | Use given file descriptor as socket descriptor for communicating with | |
55 | qemu proxy fs drier. Usually a helper like libvirt will create | |
56 | socketpair and pass one of the fds as parameter to this option. | |
57 | ||
58 | .. option:: -s, --socket SOCKET_FILE | |
59 | ||
60 | Creates named socket file for communicating with qemu proxy fs driver | |
61 | ||
62 | .. option:: -u, --uid UID | |
63 | ||
64 | uid to give access to named socket file; used in combination with -g. | |
65 | ||
66 | .. option:: -g, --gid GID | |
67 | ||
68 | gid to give access to named socket file; used in combination with -u. | |
69 | ||
70 | .. option:: -n, --nodaemon | |
71 | ||
72 | Run as a normal program. By default program will run in daemon mode |
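As an added example of how the options above fit together with the QEMU side (this is not libvirt's or QEMU's own code), the Python below sketches a launcher for both modes: a named socket with -s/-u/-g, and a socketpair whose helper end is handed over with -f while QEMU receives the other end through the proxy fsdev's sock_fd option. The export path, mount tag, uid/gid and QEMU binary name are placeholders, and the launcher is assumed to run as root so that the helper starts privileged.

```python
"""Launcher sketch for virtfs-proxy-helper.  Added example; not libvirt or
QEMU code.  Assumes it is itself run as root (as a management daemon would be)
so the helper starts privileged; export path, mount tag, uid/gid and the
QEMU binary name are placeholders.  Needs Python 3.9+ for Popen(user=, group=)."""
import socket
import subprocess

HELPER = "virtfs-proxy-helper"


def helper_argv_named_socket(export_path, socket_path, uid, gid, daemonize=False):
    """Mode 1: the helper creates a named socket; -u/-g let that uid/gid connect."""
    argv = [HELPER, "-p", export_path, "-s", socket_path, "-u", str(uid), "-g", str(gid)]
    if not daemonize:
        argv.append("-n")           # stay in the foreground under our supervision
    return argv


def qemu_fsdev_named_socket(socket_path, mount_tag, fsdev_id="fs0"):
    """QEMU side of mode 1: a proxy fsdev connecting to the helper's named socket."""
    return ["-fsdev", f"proxy,id={fsdev_id},socket={socket_path}",
            "-device", f"virtio-9p-pci,fsdev={fsdev_id},mount_tag={mount_tag}"]


def make_channel():
    """Mode 2: the launcher creates the socketpair; one end goes to each child."""
    return socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)


def helper_argv_fd(export_path, fd):
    """Helper side of mode 2: the inherited fd number is passed with -f."""
    return [HELPER, "-p", export_path, "-f", str(fd), "-n"]


def qemu_fsdev_fd(fd, mount_tag, fsdev_id="fs0"):
    """QEMU side of mode 2: a proxy fsdev using the inherited fd via sock_fd."""
    return ["-fsdev", f"proxy,id={fsdev_id},sock_fd={fd}",
            "-device", f"virtio-9p-pci,fsdev={fsdev_id},mount_tag={mount_tag}"]


def launch(export_path, mount_tag="hostshare", qemu="qemu-system-x86_64",
           qemu_uid=None, qemu_gid=None):
    """Start the helper (as root) and QEMU (optionally as another uid/gid)
    sharing a socketpair.  pass_fds keeps the fd numbers unchanged in the child."""
    helper_end, qemu_end = make_channel()
    helper = subprocess.Popen(helper_argv_fd(export_path, helper_end.fileno()),
                              pass_fds=(helper_end.fileno(),))
    qemu_proc = subprocess.Popen(
        [qemu, "-m", "1G", "-nographic"] + qemu_fsdev_fd(qemu_end.fileno(), mount_tag),
        pass_fds=(qemu_end.fileno(),), user=qemu_uid, group=qemu_gid)
    # Each child now holds its own end; the launcher closes both so the channel
    # is private to the helper and QEMU.
    helper_end.close()
    qemu_end.close()
    return helper, qemu_proc


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        helper, qemu_proc = launch(sys.argv[1])
        qemu_proc.wait()
        helper.terminate()
```

Inside the guest the share then mounts with `mount -t 9p -o trans=virtio,version=9p2000.L hostshare /mnt`. In the named-socket mode, the uid/gid given to -u/-g must be the ones QEMU runs as, since they are what grants access to the socket file.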