docs/tools/virtfs-proxy-helper.rst - qemu - Git at Google

 QEMU 9p virtfs proxy filesystem helper
 ======================================

 Synopsis
 --------

 **virtfs-proxy-helper** [*OPTIONS*]

 Description
 -----------

 NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
 removed, along with this daemon, in a future version of QEMU!

 Pass-through security model in QEMU 9p server needs root privilege to do
 few file operations (like chown, chmod to any mode/uid:gid).  There are two
 issues in pass-through security model:

 - TOCTTOU vulnerability: Following symbolic links in the server could
   provide access to files beyond 9p export path.

 - Running QEMU with root privilege could be a security issue.

 To overcome above issues, following approach is used: A new filesystem
 type 'proxy' is introduced. Proxy FS uses chroot + socket combination
 for securing the vulnerability known with following symbolic links.
 Intention of adding a new filesystem type is to allow qemu to run
 in non-root mode, but doing privileged operations using socket IO.

 Proxy helper (a stand alone binary part of qemu) is invoked with
 root privileges. Proxy helper chroots into 9p export path and creates
 a socket pair or a named socket based on the command line parameter.
 QEMU and proxy helper communicate using this socket. QEMU proxy fs
 driver sends filesystem request to proxy helper and receives the
 response from it.

 The proxy helper is designed so that it can drop root privileges except
 for the capabilities needed for doing filesystem operations.

 Options
 -------

 The following options are supported:

 .. program:: virtfs-proxy-helper

 .. option:: -h

   Display help and exit

 .. option:: -p, --path PATH

   Path to export for proxy filesystem driver

 .. option:: -f, --fd SOCKET_ID

   Use given file descriptor as socket descriptor for communicating with
   qemu proxy fs drier. Usually a helper like libvirt will create
   socketpair and pass one of the fds as parameter to this option.

 .. option:: -s, --socket SOCKET_FILE

   Creates named socket file for communicating with qemu proxy fs driver

 .. option:: -u, --uid UID

   uid to give access to named socket file; used in combination with -g.

 .. option:: -g, --gid GID

   gid to give access to named socket file; used in combination with -u.

 .. option:: -n, --nodaemon

   Run as a normal program. By default program will run in daemon mode
	QEMU 9p virtfs proxy filesystem helper
	======================================

	Synopsis
	--------

	virtfs-proxy-helper [OPTIONS]

	Description
	-----------

	NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
	removed, along with this daemon, in a future version of QEMU!

	Pass-through security model in QEMU 9p server needs root privilege to do
	few file operations (like chown, chmod to any mode/uid:gid). There are two
	issues in pass-through security model:

	- TOCTTOU vulnerability: Following symbolic links in the server could
	provide access to files beyond 9p export path.

	- Running QEMU with root privilege could be a security issue.

	To overcome above issues, following approach is used: A new filesystem
	type 'proxy' is introduced. Proxy FS uses chroot + socket combination
	for securing the vulnerability known with following symbolic links.
	Intention of adding a new filesystem type is to allow qemu to run
	in non-root mode, but doing privileged operations using socket IO.

	Proxy helper (a stand alone binary part of qemu) is invoked with
	root privileges. Proxy helper chroots into 9p export path and creates
	a socket pair or a named socket based on the command line parameter.
	QEMU and proxy helper communicate using this socket. QEMU proxy fs
	driver sends filesystem request to proxy helper and receives the
	response from it.

	The proxy helper is designed so that it can drop root privileges except
	for the capabilities needed for doing filesystem operations.

	Options
	-------

	The following options are supported:

	.. program:: virtfs-proxy-helper

	.. option:: -h

	Display help and exit

	.. option:: -p, --path PATH

	Path to export for proxy filesystem driver

	.. option:: -f, --fd SOCKET_ID

	Use given file descriptor as socket descriptor for communicating with
	qemu proxy fs drier. Usually a helper like libvirt will create
	socketpair and pass one of the fds as parameter to this option.

	.. option:: -s, --socket SOCKET_FILE

	Creates named socket file for communicating with qemu proxy fs driver

	.. option:: -u, --uid UID

	uid to give access to named socket file; used in combination with -g.

	.. option:: -g, --gid GID

	gid to give access to named socket file; used in combination with -u.

	.. option:: -n, --nodaemon

	Run as a normal program. By default program will run in daemon mode