As recent CVE-2023-2861 (fixed by
f6b0de53fb) once again showed, the 9p
'proxy' fs driver is in bad shape. Using the 'proxy' backend was already
discouraged for safety reasons before and we recommended to use the
'local' backend (preferably in conjunction with its 'mapped' security
model) instead, but now it is time to officially deprecate the 'proxy'
backend.
Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1qDkmw-0007M1-8f@lizzy.crudebyte.com>
W: https://wiki.qemu.org/Documentation/9p
F: hw/9pfs/
X: hw/9pfs/xen-9p*
+X: hw/9pfs/9p-proxy*
F: fsdev/
-F: docs/tools/virtfs-proxy-helper.rst
+X: fsdev/virtfs-proxy-helper.c
F: tests/qtest/virtio-9p-test.c
F: tests/qtest/libqos/virtio-9p*
T: git https://gitlab.com/gkurz/qemu.git 9p-next
T: git https://github.com/cschoenebeck/qemu.git 9p.next
+virtio-9p-proxy
+F: hw/9pfs/9p-proxy*
+F: fsdev/virtfs-proxy-helper.c
+F: docs/tools/virtfs-proxy-helper.rst
+S: Obsolete
+
virtio-blk
M: Stefan Hajnoczi <stefanha@redhat.com>
L: qemu-block@nongnu.org
between persistent and volatile memory backends. As such, memdev is deprecated
in favor of persistent-memdev.
+``-fsdev proxy`` and ``-virtfs proxy`` (since 8.1)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The 9p ``proxy`` filesystem backend driver has been deprecated and will be
+removed (along with its proxy helper daemon) in a future version of QEMU. Please
+use ``-fsdev local`` or ``-virtfs local`` for using the 9p ``local`` filesystem
+backend, or alternatively consider deploying virtiofsd instead.
+
+The 9p ``proxy`` backend was originally developed as an alternative to the 9p
+``local`` backend. The idea was to enhance security by dispatching actual low
+level filesystem operations from 9p server (QEMU process) over to a separate
+process (the virtfs-proxy-helper binary). However this alternative never gained
+momentum. The proxy backend is much slower than the local backend, hasn't seen
+any development in years, and showed to be less secure, especially due to the
+fact that its helper daemon must be run as root, whereas with the local backend
+QEMU is typically run as unprivileged user and allows to tighten behaviour by
+mapping permissions et al by using its 'mapped' security model option.
+
+Nowadays it would make sense to reimplement the ``proxy`` backend by using
+QEMU's ``vhost`` feature, which would eliminate the high latency costs under
+which the 9p ``proxy`` backend currently suffers. However as of to date nobody
+has indicated plans for such kind of reimplemention unfortunately.
+
Block device options
''''''''''''''''''''
Description
-----------
+NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
+removed, along with this daemon, in a future version of QEMU!
+
Pass-through security model in QEMU 9p server needs root privilege to do
few file operations (like chown, chmod to any mode/uid:gid). There are two
issues in pass-through security model:
}
if (fsdriver) {
+ if (strncmp(fsdriver, "proxy", 5) == 0) {
+ warn_report(
+ "'-fsdev proxy' and '-virtfs proxy' are deprecated, use "
+ "'local' instead of 'proxy, or consider deploying virtiofsd "
+ "as alternative to 9p"
+ );
+ }
+
for (i = 0; i < ARRAY_SIZE(FsDrivers); i++) {
if (strcmp(FsDrivers[i].name, fsdriver) == 0) {
break;
* the COPYING file in the top-level directory.
*/
+/*
+ * NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
+ * removed in a future version of QEMU!
+ */
+
#include "qemu/osdep.h"
#include <glib/gstdio.h>
#include <sys/resource.h>
struct statfs st_fs;
#endif
+ fprintf(stderr, "NOTE: The 9p 'proxy' backend is deprecated (since "
+ "QEMU 8.1) and will be removed in a future version of "
+ "QEMU!\n");
+
prog_name = g_path_get_basename(argv[0]);
is_daemon = true;
* https://wiki.qemu.org/Documentation/9p
*/
+/*
+ * NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
+ * removed in a future version of QEMU!
+ */
+
#include "qemu/osdep.h"
#include <sys/socket.h>
#include <sys/un.h>
* the COPYING file in the top-level directory.
*/
+/*
+ * NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
+ * removed in a future version of QEMU!
+ */
+
#ifndef QEMU_9P_PROXY_H
#define QEMU_9P_PROXY_H
summary_info += {'Block whitelist (ro)': get_option('block_drv_ro_whitelist')}
summary_info += {'Use block whitelist in tools': get_option('block_drv_whitelist_in_tools')}
summary_info += {'VirtFS (9P) support': have_virtfs}
- summary_info += {'VirtFS (9P) Proxy Helper support': have_virtfs_proxy_helper}
+ summary_info += {'VirtFS (9P) Proxy Helper support (deprecated)': have_virtfs_proxy_helper}
summary_info += {'Live block migration': config_host_data.get('CONFIG_LIVE_BLOCK_MIGRATION')}
summary_info += {'replication support': config_host_data.get('CONFIG_REPLICATION')}
summary_info += {'bochs support': get_option('bochs').allowed()}
Accesses to the filesystem are done by QEMU.
``proxy``
- Accesses to the filesystem are done by virtfs-proxy-helper(1).
+ Accesses to the filesystem are done by virtfs-proxy-helper(1). This
+ option is deprecated (since QEMU 8.1) and will be removed in a future
+ version of QEMU. Use ``local`` instead.
``synth``
Synthetic filesystem, only used by QTests.
``proxy``
Accesses to the filesystem are done by virtfs-proxy-helper(1).
+ This option is deprecated (since QEMU 8.1) and will be removed in a
+ future version of QEMU. Use ``local`` instead.
``synth``
Synthetic filesystem, only used by QTests.
projects / mirror_qemu.git / commitdiff