[mirror_qemu.git] / docs / tools / virtfs-proxy-helper.rst

QEMU 9p virtfs proxy filesystem helper
======================================

Synopsis
--------

**virtfs-proxy-helper** [*OPTIONS*]

Description
-----------

Pass-through security model in QEMU 9p server needs root privilege to do
few file operations (like chown, chmod to any mode/uid:gid).  There are two
issues in pass-through security model:

- TOCTTOU vulnerability: Following symbolic links in the server could
  provide access to files beyond 9p export path.

- Running QEMU with root privilege could be a security issue.

To overcome above issues, following approach is used: A new filesystem
type 'proxy' is introduced. Proxy FS uses chroot + socket combination
for securing the vulnerability known with following symbolic links.
Intention of adding a new filesystem type is to allow qemu to run
in non-root mode, but doing privileged operations using socket IO.

Proxy helper (a stand alone binary part of qemu) is invoked with
root privileges. Proxy helper chroots into 9p export path and creates
a socket pair or a named socket based on the command line parameter.
QEMU and proxy helper communicate using this socket. QEMU proxy fs
driver sends filesystem request to proxy helper and receives the
response from it.

The proxy helper is designed so that it can drop root privileges except
for the capabilities needed for doing filesystem operations.

Options
-------

The following options are supported:

.. program:: virtfs-proxy-helper

.. option:: -h

  Display help and exit

.. option:: -p, --path PATH

  Path to export for proxy filesystem driver

.. option:: -f, --fd SOCKET_ID

  Use given file descriptor as socket descriptor for communicating with
  qemu proxy fs drier. Usually a helper like libvirt will create
  socketpair and pass one of the fds as parameter to this option.

.. option:: -s, --socket SOCKET_FILE

  Creates named socket file for communicating with qemu proxy fs driver

.. option:: -u, --uid UID

  uid to give access to named socket file; used in combination with -g.

.. option:: -g, --gid GID

  gid to give access to named socket file; used in combination with -u.

.. option:: -n, --nodaemon

  Run as a normal program. By default program will run in daemon mode
Commit	Line	Data
78813586 PM	1	QEMU 9p virtfs proxy filesystem helper
	2	======================================
	3
	4	Synopsis
	5	--------
	6
	7	virtfs-proxy-helper [OPTIONS]
	8
	9	Description
	10	-----------
	11
	12	Pass-through security model in QEMU 9p server needs root privilege to do
	13	few file operations (like chown, chmod to any mode/uid:gid). There are two
	14	issues in pass-through security model:
	15
	16	- TOCTTOU vulnerability: Following symbolic links in the server could
	17	provide access to files beyond 9p export path.
	18
	19	- Running QEMU with root privilege could be a security issue.
	20
	21	To overcome above issues, following approach is used: A new filesystem
	22	type 'proxy' is introduced. Proxy FS uses chroot + socket combination
	23	for securing the vulnerability known with following symbolic links.
	24	Intention of adding a new filesystem type is to allow qemu to run
	25	in non-root mode, but doing privileged operations using socket IO.
	26
	27	Proxy helper (a stand alone binary part of qemu) is invoked with
	28	root privileges. Proxy helper chroots into 9p export path and creates
	29	a socket pair or a named socket based on the command line parameter.
	30	QEMU and proxy helper communicate using this socket. QEMU proxy fs
	31	driver sends filesystem request to proxy helper and receives the
	32	response from it.
	33
	34	The proxy helper is designed so that it can drop root privileges except
	35	for the capabilities needed for doing filesystem operations.
	36
	37	Options
	38	-------
	39
	40	The following options are supported:
	41
	42	.. program:: virtfs-proxy-helper
	43
	44	.. option:: -h
	45
	46	Display help and exit
	47
	48	.. option:: -p, --path PATH
	49
	50	Path to export for proxy filesystem driver
	51
	52	.. option:: -f, --fd SOCKET_ID
	53
	54	Use given file descriptor as socket descriptor for communicating with
	55	qemu proxy fs drier. Usually a helper like libvirt will create
	56	socketpair and pass one of the fds as parameter to this option.
	57
	58	.. option:: -s, --socket SOCKET_FILE
	59
	60	Creates named socket file for communicating with qemu proxy fs driver
	61
	62	.. option:: -u, --uid UID
	63
	64	uid to give access to named socket file; used in combination with -g.
65
66	.. option:: -g, --gid GID
67
68	gid to give access to named socket file; used in combination with -u.
69
70	.. option:: -n, --nodaemon
71
72	Run as a normal program. By default program will run in daemon mode