@example
@c man begin SYNOPSIS
@command{virtfs-proxy-helper} @var{options}
@c man end
@end example

@c man begin DESCRIPTION
@table @description
The pass-through security model in the QEMU 9p server needs root privilege
to do a few file operations (such as chown, or chmod to any mode/uid:gid).
There are two issues with the pass-through security model:

1) TOCTTOU vulnerability: following symbolic links in the server could
provide access to files beyond the 9p export path.

2) Running QEMU with root privilege could be a security issue.

To overcome the above issues, the following approach is used: a new
filesystem type 'proxy' is introduced. Proxy FS uses a chroot + socket
combination to guard against the known vulnerability of following symbolic
links. The intention of adding a new filesystem type is to allow QEMU to
run in non-root mode while performing privileged operations over socket IO.

The proxy helper (a stand-alone binary that is part of QEMU) is invoked
with root privileges. The proxy helper chroots into the 9p export path and
creates either a socket pair or a named socket, depending on the command
line parameters. QEMU and the proxy helper communicate over this socket:
the QEMU proxy fs driver sends filesystem requests to the proxy helper and
receives the responses from it.

The proxy helper is designed so that it can drop root privileges except
for the capabilities needed for doing filesystem operations.

@end table
@c man end
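The chroot + socket split described above, as an added example that is not part of QEMU or virtfs-proxy-helper: a forked helper confines itself to a constructed export and answers stat requests over a socketpair, while the unprivileged side only ever talks to the socket. When the process lacks CAP_SYS_CHROOT the helper substitutes a realpath containment check, which is a demo stand-in rather than the real helper's method; the export directory, the JSON request format and the escaping symlink are all constructed here.

```python
import json, os, socket, tempfile

def confine(export):
    # Helper side: chroot into the export as virtfs-proxy-helper does; without
    # CAP_SYS_CHROOT this demo substitutes a realpath containment check.
    try:
        os.chroot(export)
        os.chdir("/")
        return "/"
    except PermissionError:
        return os.path.realpath(export)

def serve_requests(sock, export):
    # Answer 'stat' requests with the file size, or the error class name.
    base = confine(export)
    while data := sock.recv(4096):
        target = os.path.join(base, json.loads(data)["path"].lstrip("/"))
        try:
            real = os.path.realpath(target)
            if os.path.commonpath([base, real]) != base:
                raise PermissionError("symlink escapes the export")
            resp = {"size": os.stat(real).st_size}
        except OSError as exc:
            resp = {"error": type(exc).__name__}
        sock.sendall(json.dumps(resp).encode())

def proxy_stat(export, name):
    # Driver side: fork the helper and talk to it over a socketpair (the
    # -f/--fd deployment style); return its response for one path.
    client, helper = socket.socketpair()
    pid = os.fork()
    if pid == 0:
        client.close()
        serve_requests(helper, export)
        os._exit(0)
    helper.close()
    client.sendall(json.dumps({"path": name}).encode())
    resp = json.loads(client.recv(4096))
    client.close()
    os.waitpid(pid, 0)
    return resp

def demo():
    # Constructed export: a real file plus a symlink pointing outside it.
    outside, export = tempfile.mkdtemp(), tempfile.mkdtemp()
    with open(os.path.join(outside, "secret"), "w") as f: f.write("outside")
    with open(os.path.join(export, "hello"), "w") as f: f.write("hi")
    os.symlink(os.path.join(outside, "secret"), os.path.join(export, "escape"))
    return proxy_stat(export, "hello"), proxy_stat(export, "escape")
```

Run as root the helper really chroots and the symlink simply resolves to a path that does not exist inside the export; unprivileged, the containment check rejects it, so both modes return an error for the escape and a size for the regular file.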

@c man begin OPTIONS
The following options are supported:
@table @option
@item -h
@findex -h
Display help and exit
@item -p|--path path
Path to export for the proxy filesystem driver
@item -f|--fd socket-id
Use the given file descriptor as the socket descriptor for communicating
with the qemu proxy fs driver. Usually a helper like libvirt will create a
socketpair and pass one of the fds as the parameter to -f|--fd
@item -s|--socket socket-file
Creates a named socket file for communicating with the qemu proxy fs driver
@item -u|--uid uid -g|--gid gid
uid:gid combination to give access to the named socket file
@item -n|--nodaemon
Run as a normal program. By default the program will run in daemon mode
@end table
@c man end

@setfilename virtfs-proxy-helper
@settitle QEMU 9p virtfs proxy filesystem helper

@c man begin AUTHOR
M. Mohan Kumar
@c man end