3 @command{virtfs-proxy-helper} @var{options}
7 @c man begin DESCRIPTION
9 Pass-through security model in QEMU 9p server needs root privilege to do
10 few file operations (like chown, chmod to any mode/uid:gid). There are two
11 issues in pass-through security model
13 1) TOCTTOU vulnerability: Following symbolic links in the server could
14 provide access to files beyond 9p export path.
16 2) Running QEMU with root privilege could be a security issue.
18 To overcome above issues, following approach is used: A new filesystem
19 type 'proxy' is introduced. Proxy FS uses chroot + socket combination
20 for securing the vulnerability known with following symbolic links.
21 Intention of adding a new filesystem type is to allow qemu to run
22 in non-root mode, but doing privileged operations using socket IO.
24 Proxy helper(a stand alone binary part of qemu) is invoked with
25 root privileges. Proxy helper chroots into 9p export path and creates
26 a socket pair or a named socket based on the command line parameter.
27 QEMU and proxy helper communicate using this socket. QEMU proxy fs
28 driver sends filesystem request to proxy helper and receives the
31 The proxy helper is designed so that it can drop root privileges except
32 for the capabilities needed for doing filesystem operations.
38 The following options are supported:
44 Path to export for proxy filesystem driver
45 @item -f|--fd socket-id
46 Use given file descriptor as socket descriptor for communicating with
47 qemu proxy fs drier. Usually a helper like libvirt will create
48 socketpair and pass one of the fds as parameter to -f|--fd
49 @item -s|--socket socket-file
50 Creates named socket file for communicating with qemu proxy fs driver
51 @item -u|--uid uid -g|--gid gid
52 uid:gid combination to give access to named socket file
54 Run as a normal program. By default program will run in daemon mode
58 @setfilename virtfs-proxy-helper
59 @settitle QEMU 9p virtfs proxy filesystem helper