| @example |
| @c man begin SYNOPSIS |
| @command{virtfs-proxy-helper} @var{options} |
| @c man end |
| @end example |
| |
| @c man begin DESCRIPTION |
| @table @description |
| Pass-through security model in QEMU 9p server needs root privilege to do |
| few file operations (like chown, chmod to any mode/uid:gid). There are two |
| issues in pass-through security model |
| |
| 1) TOCTTOU vulnerability: Following symbolic links in the server could |
| provide access to files beyond 9p export path. |
| |
| 2) Running QEMU with root privilege could be a security issue. |
| |
| To overcome above issues, following approach is used: A new filesytem |
| type 'proxy' is introduced. Proxy FS uses chroot + socket combination |
| for securing the vulnerability known with following symbolic links. |
| Intention of adding a new filesystem type is to allow qemu to run |
| in non-root mode, but doing privileged operations using socket IO. |
| |
| Proxy helper(a stand alone binary part of qemu) is invoked with |
| root privileges. Proxy helper chroots into 9p export path and creates |
| a socket pair or a named socket based on the command line parameter. |
| QEMU and proxy helper communicate using this socket. QEMU proxy fs |
| driver sends filesystem request to proxy helper and receives the |
| response from it. |
| |
| The proxy helper is designed so that it can drop root privileges except |
| for the capabilities needed for doing filesystem operations. |
| |
| @end table |
| @c man end |
| |
| @c man begin OPTIONS |
| The following options are supported: |
| @table @option |
| @item -h |
| @findex -h |
| Display help and exit |
| @item -p|--path path |
| Path to export for proxy filesystem driver |
| @item -f|--fd socket-id |
| Use given file descriptor as socket descriptor for communicating with |
| qemu proxy fs drier. Usually a helper like libvirt will create |
| socketpair and pass one of the fds as parameter to -f|--fd |
| @item -s|--socket socket-file |
| Creates named socket file for communicating with qemu proxy fs driver |
| @item -u|--uid uid -g|--gid gid |
| uid:gid combination to give access to named socket file |
| @item -n|--nodaemon |
| Run as a normal program. By default program will run in daemon mode |
| @end table |
| @c man end |
| |
| @setfilename virtfs-proxy-helper |
| @settitle QEMU 9p virtfs proxy filesystem helper |
| |
| @c man begin AUTHOR |
| M. Mohan Kumar |
| @c man end |