1@example 2@c man begin SYNOPSIS 3@command{virtfs-proxy-helper} @var{options} 4@c man end 5@end example 6 7@c man begin DESCRIPTION 8@table @description 9Pass-through security model in QEMU 9p server needs root privilege to do 10few file operations (like chown, chmod to any mode/uid:gid). There are two 11issues in pass-through security model 12 131) TOCTTOU vulnerability: Following symbolic links in the server could 14provide access to files beyond 9p export path. 15 162) Running QEMU with root privilege could be a security issue. 17 18To overcome above issues, following approach is used: A new filesystem 19type 'proxy' is introduced. Proxy FS uses chroot + socket combination 20for securing the vulnerability known with following symbolic links. 21Intention of adding a new filesystem type is to allow qemu to run 22in non-root mode, but doing privileged operations using socket IO. 23 24Proxy helper(a stand alone binary part of qemu) is invoked with 25root privileges. Proxy helper chroots into 9p export path and creates 26a socket pair or a named socket based on the command line parameter. 27QEMU and proxy helper communicate using this socket. QEMU proxy fs 28driver sends filesystem request to proxy helper and receives the 29response from it. 30 31The proxy helper is designed so that it can drop root privileges except 32for the capabilities needed for doing filesystem operations. 33 34@end table 35@c man end 36 37@c man begin OPTIONS 38The following options are supported: 39@table @option 40@item -h 41@findex -h 42Display help and exit 43@item -p|--path path 44Path to export for proxy filesystem driver 45@item -f|--fd socket-id 46Use given file descriptor as socket descriptor for communicating with 47qemu proxy fs drier. Usually a helper like libvirt will create 48socketpair and pass one of the fds as parameter to -f|--fd 49@item -s|--socket socket-file 50Creates named socket file for communicating with qemu proxy fs driver 51@item -u|--uid uid -g|--gid gid 52uid:gid combination to give access to named socket file 53@item -n|--nodaemon 54Run as a normal program. By default program will run in daemon mode 55@end table 56@c man end 57 58@setfilename virtfs-proxy-helper 59@settitle QEMU 9p virtfs proxy filesystem helper 60 61@c man begin AUTHOR 62M. Mohan Kumar 63@c man end 64