QEMU 9p virtfs proxy filesystem helper
======================================

Synopsis
--------

**virtfs-proxy-helper** [*OPTIONS*]

Description
-----------

The pass-through security model in the QEMU 9p server needs root privilege
to perform a few file operations (such as chown, or chmod to any
mode/uid:gid). There are two issues with the pass-through security model:

- TOCTTOU vulnerability: following symbolic links in the server could
  provide access to files beyond the 9p export path.

- Running QEMU with root privilege could be a security issue.

To overcome these issues, the following approach is used: a new filesystem
type 'proxy' is introduced. The proxy FS uses a combination of chroot and
sockets to close the known vulnerability of following symbolic links.
The intention of adding a new filesystem type is to allow QEMU to run
in non-root mode while still performing privileged operations through
socket I/O.

The proxy helper (a stand-alone binary that is part of QEMU) is invoked
with root privileges. It chroots into the 9p export path and creates
a socket pair or a named socket, depending on the command-line parameters.
QEMU and the proxy helper communicate over this socket: the QEMU proxy fs
driver sends filesystem requests to the proxy helper and receives the
responses from it.

The proxy helper is designed so that it can drop root privileges except
for the capabilities needed for doing filesystem operations.
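The symlink issue named above, as an added example that is not QEMU code: a server that joins the export path and a guest-supplied name lets the kernel follow a symlink out of the export. Because chroot needs root, the confined variant here uses a different technique, a per-component ``openat`` walk with ``O_NOFOLLOW``, to show the same containment property; the function names and the temporary directory are assumptions made for the demo.

```c
/* Added example, not QEMU code. The tree under /tmp is constructed and left in place. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Naive server: join export root and guest path; the kernel follows symlinks. */
int open_naive(const char *root, const char *rel)
{
    char path[4096];
    snprintf(path, sizeof(path), "%s/%s", root, rel);
    return open(path, O_RDONLY);
}

/* Confined open: walk one component at a time from the export root's fd.
 * O_NOFOLLOW fails on a symlink component and ".." is refused outright. */
int open_confined(const char *root, const char *rel)
{
    char buf[4096], *save, *tok;
    int next, fd = open(root, O_RDONLY | O_DIRECTORY);
    snprintf(buf, sizeof(buf), "%s", rel);
    for (tok = strtok_r(buf, "/", &save); tok && fd >= 0; tok = strtok_r(NULL, "/", &save)) {
        next = strcmp(tok, "..") ? openat(fd, tok, O_RDONLY | O_NOFOLLOW) : -1;
        close(fd);
        fd = next;
    }
    return fd;
}

/* Returns bit0: naive open of "link" worked, bit1: confined open of "link"
 * worked, bit2: confined open of the regular file "ok.txt" worked. */
int demo(void)
{
    char root[] = "/tmp/9pexportXXXXXX", p[64];
    int fd, res = 0;
    if (!mkdtemp(root)) return -1;
    snprintf(p, sizeof(p), "%s/ok.txt", root);
    if ((fd = creat(p, 0600)) < 0) return -1;
    close(fd);
    snprintf(p, sizeof(p), "%s/link", root);
    if (symlink("/", p)) return -1; /* constructed symlink pointing outside the export */
    if ((fd = open_naive(root, "link")) >= 0) { res |= 1; close(fd); }
    if ((fd = open_confined(root, "link")) >= 0) { res |= 2; close(fd); }
    if ((fd = open_confined(root, "ok.txt")) >= 0) { res |= 4; close(fd); }
    return res;
}

int main(void) { printf("result mask: %d\n", demo()); return 0; }
```

The walk refuses every symlink, which is stricter than chroot: inside a chroot, symlinks are still followed but resolve relative to the new root.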

Options
-------

The following options are supported:

.. program:: virtfs-proxy-helper

.. option:: -h

  Display help and exit.

.. option:: -p, --path PATH

  Path to export for the proxy filesystem driver.

.. option:: -f, --fd SOCKET_ID

  Use the given file descriptor as the socket descriptor for communicating
  with the QEMU proxy fs driver. Usually a helper like libvirt will create
  a socketpair and pass one of the fds as the parameter to this option.

.. option:: -s, --socket SOCKET_FILE

  Create a named socket file for communicating with the QEMU proxy fs
  driver.

.. option:: -u, --uid UID

  uid to give access to the named socket file; used in combination with -g.

.. option:: -g, --gid GID

  gid to give access to the named socket file; used in combination with -u.

.. option:: -n, --nodaemon

  Run as a normal program. By default the program runs in daemon mode.