9p: remove 'proxy' filesystem backend driver

It has been deprecated since 8.1; remove it and suggest using the 'local' file system backend driver instead or virtiofsd. Acked-by: Greg Kurz <groug@kaod.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-09-05 10:19:42 +02:00 · 2024-09-05 10:19:42 +02:00 · ed76671888
commit ed76671888
parent 7e6b5497ea
19 changed files with 14 additions and 2772 deletions
--- a/8
+++ b/8
@ -2258,20 +2258,12 @@ S: Maintained
 W: https://wiki.qemu.org/Documentation/9p
 F: hw/9pfs/
 X: hw/9pfs/xen-9p*
-X: hw/9pfs/9p-proxy*
 F: fsdev/
-X: fsdev/virtfs-proxy-helper.c
 F: tests/qtest/virtio-9p-test.c
 F: tests/qtest/libqos/virtio-9p*
 T: git https://gitlab.com/gkurz/qemu.git 9p-next
 T: git https://github.com/cschoenebeck/qemu.git 9p.next

-virtio-9p-proxy
-F: hw/9pfs/9p-proxy*
-F: fsdev/virtfs-proxy-helper.c
-F: docs/tools/virtfs-proxy-helper.rst
-S: Obsolete
-
 virtio-blk
 M: Stefan Hajnoczi <stefanha@redhat.com>
 L: qemu-block@nongnu.org
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@ -329,28 +329,6 @@ the addition of volatile memory support, it is now necessary to distinguish
 between persistent and volatile memory backends.  As such, memdev is deprecated
 in favor of persistent-memdev.

-``-fsdev proxy`` and ``-virtfs proxy`` (since 8.1)
-^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-
-The 9p ``proxy`` filesystem backend driver has been deprecated and will be
-removed (along with its proxy helper daemon) in a future version of QEMU. Please
-use ``-fsdev local`` or ``-virtfs local`` for using the 9p ``local`` filesystem
-backend, or alternatively consider deploying virtiofsd instead.
-
-The 9p ``proxy`` backend was originally developed as an alternative to the 9p
-``local`` backend. The idea was to enhance security by dispatching actual low
-level filesystem operations from 9p server (QEMU process) over to a separate
-process (the virtfs-proxy-helper binary). However this alternative never gained
-momentum. The proxy backend is much slower than the local backend, hasn't seen
-any development in years, and showed to be less secure, especially due to the
-fact that its helper daemon must be run as root, whereas with the local backend
-QEMU is typically run as unprivileged user and allows to tighten behaviour by
-mapping permissions et al by using its 'mapped' security model option.
-
-Nowadays it would make sense to reimplement the ``proxy`` backend by using
-QEMU's ``vhost`` feature, which would eliminate the high latency costs under
-which the 9p ``proxy`` backend currently suffers. However as of to date nobody
-has indicated plans for such kind of reimplementation unfortunately.

 RISC-V CPU properties which start with capital 'Z' (since 8.2)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@ -517,6 +517,20 @@ The virtio-blk SCSI passthrough feature is a legacy VIRTIO feature.  VIRTIO 1.0
 and later do not support it because the virtio-scsi device was introduced for
 full SCSI support.  Use virtio-scsi instead when SCSI passthrough is required.

+``-fsdev proxy`` and ``-virtfs proxy`` (since 9.2)
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+The 9p ``proxy`` filesystem backend driver was originally developed to
+enhance security by dispatching low level filesystem operations from 9p
+server (QEMU process) over to a separate process (the virtfs-proxy-helper
+binary). However the proxy backend was much slower than the local backend,
+didn't see any development in years, and showed to be less secure,
+especially due to the fact that its helper daemon must be run as root.
+
+Use ``local``, possibly mapping permissions et al by using its 'mapped'
+security model option, or switch to ``virtiofs``.   The virtiofs daemon
+``virtiofsd`` uses vhost to eliminate the high latency costs of the 9p
+``proxy`` backend.

 User-mode emulator command line arguments
 -----------------------------------------
--- a/docs/conf.py
+++ b/docs/conf.py
@ -275,9 +275,6 @@ man_pages = [
    ('tools/qemu-trace-stap', 'qemu-trace-stap',
     'QEMU SystemTap trace tool',
     [], 1),
-    ('tools/virtfs-proxy-helper', 'virtfs-proxy-helper',
-     'QEMU 9p virtfs proxy filesystem helper',
-     ['M. Mohan Kumar'], 1),
 ]
 man_make_section_directory = False

--- a/docs/meson.build
+++ b/docs/meson.build
@ -54,7 +54,6 @@ if build_docs
        'qemu-pr-helper.8': (have_tools ? 'man8' : ''),
        'qemu-storage-daemon.1': (have_tools ? 'man1' : ''),
        'qemu-trace-stap.1': (stap.found() ? 'man1' : ''),
-        'virtfs-proxy-helper.1': (have_virtfs_proxy_helper ? 'man1' : ''),
        'qemu.1': 'man1',
        'qemu-block-drivers.7': 'man7',
        'qemu-cpu-models.7': 'man7'
--- a/docs/tools/index.rst
+++ b/docs/tools/index.rst
@ -15,5 +15,4 @@ command line utilities and other standalone programs.
   qemu-nbd
   qemu-pr-helper
   qemu-trace-stap
-   virtfs-proxy-helper
   qemu-vmsr-helper
--- a/docs/tools/virtfs-proxy-helper.rst
+++ b/docs/tools/virtfs-proxy-helper.rst
@ -1,75 +0,0 @@
-QEMU 9p virtfs proxy filesystem helper
-======================================
-
-Synopsis
--------
-
-**virtfs-proxy-helper** [*OPTIONS*]
-
-Description
-----------
-
-NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
-removed, along with this daemon, in a future version of QEMU!
-
-Pass-through security model in QEMU 9p server needs root privilege to do
-few file operations (like chown, chmod to any mode/uid:gid).  There are two
-issues in pass-through security model:
-
- TOCTTOU vulnerability: Following symbolic links in the server could
-  provide access to files beyond 9p export path.
-
- Running QEMU with root privilege could be a security issue.
-
-To overcome above issues, following approach is used: A new filesystem
-type 'proxy' is introduced. Proxy FS uses chroot + socket combination
-for securing the vulnerability known with following symbolic links.
-Intention of adding a new filesystem type is to allow qemu to run
-in non-root mode, but doing privileged operations using socket IO.
-
-Proxy helper (a stand alone binary part of qemu) is invoked with
-root privileges. Proxy helper chroots into 9p export path and creates
-a socket pair or a named socket based on the command line parameter.
-QEMU and proxy helper communicate using this socket. QEMU proxy fs
-driver sends filesystem request to proxy helper and receives the
-response from it.
-
-The proxy helper is designed so that it can drop root privileges except
-for the capabilities needed for doing filesystem operations.
-
-Options
-------
-
-The following options are supported:
-
-.. program:: virtfs-proxy-helper
-
-.. option:: -h
-
-  Display help and exit
-
-.. option:: -p, --path PATH
-
-  Path to export for proxy filesystem driver
-
-.. option:: -f, --fd SOCKET_ID
-
-  Use given file descriptor as socket descriptor for communicating with
-  qemu proxy fs drier. Usually a helper like libvirt will create
-  socketpair and pass one of the fds as parameter to this option.
-
-.. option:: -s, --socket SOCKET_FILE
-
-  Creates named socket file for communicating with qemu proxy fs driver
-
-.. option:: -u, --uid UID
-
-  uid to give access to named socket file; used in combination with -g.
-
-.. option:: -g, --gid GID
-
-  gid to give access to named socket file; used in combination with -u.
-
-.. option:: -n, --nodaemon
-
-  Run as a normal program. By default program will run in daemon mode
--- a/fsdev/meson.build
+++ b/fsdev/meson.build
@ -8,11 +8,3 @@ fsdev_ss.add(when: ['CONFIG_FSDEV_9P'], if_true: files(
 if host_os in ['linux', 'darwin']
  system_ss.add_all(fsdev_ss)
 endif
-
-if have_virtfs_proxy_helper
-  executable('virtfs-proxy-helper',
-             files('virtfs-proxy-helper.c', '9p-marshal.c', '9p-iov-marshal.c'),
-             dependencies: [qemuutil, libattr, libcap_ng],
-             install: true,
-             install_dir: get_option('libexecdir'))
-endif
--- a/fsdev/qemu-fsdev.c
+++ b/fsdev/qemu-fsdev.c
@ -89,17 +89,6 @@ static FsDriverTable FsDrivers[] = {
            NULL
        },
    },
-    {
-        .name = "proxy",
-        .ops = &proxy_ops,
-        .opts = (const char * []) {
-            COMMON_FS_DRIVER_OPTIONS,
-            "socket",
-            "sock_fd",
-            "writeout",
-            NULL
-        },
-    },
 };

 static int validate_opt(void *opaque, const char *name, const char *value,
@ -133,14 +122,6 @@ int qemu_fsdev_add(QemuOpts *opts, Error **errp)
    }

    if (fsdriver) {
-        if (strncmp(fsdriver, "proxy", 5) == 0) {
-            warn_report(
-                "'-fsdev proxy' and '-virtfs proxy' are deprecated, use "
-                "'local' instead of 'proxy, or consider deploying virtiofsd "
-                "as alternative to 9p"
-            );
-        }
-
        for (i = 0; i < ARRAY_SIZE(FsDrivers); i++) {
            if (strcmp(FsDrivers[i].name, fsdriver) == 0) {
                break;
--- a/fsdev/qemu-fsdev.h
+++ b/fsdev/qemu-fsdev.h
@ -18,5 +18,4 @@ int qemu_fsdev_add(QemuOpts *opts, Error **errp);
 FsDriverEntry *get_fsdev_fsentry(char *id);
 extern FileOperations local_ops;
 extern FileOperations synth_ops;
-extern FileOperations proxy_ops;
 #endif
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
--- a/hw/9pfs/9p-proxy.c
+++ b/hw/9pfs/9p-proxy.c
--- a/hw/9pfs/9p-proxy.h
+++ b/hw/9pfs/9p-proxy.h
@ -1,101 +0,0 @@
-/*
- * 9p Proxy callback
- *
- * Copyright IBM, Corp. 2011
- *
- * Authors:
- * M. Mohan Kumar <mohan@in.ibm.com>
- *
- * This work is licensed under the terms of the GNU GPL, version 2.  See
- * the COPYING file in the top-level directory.
- */
-
-/*
- * NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
- * removed in a future version of QEMU!
- */
-
-#ifndef QEMU_9P_PROXY_H
-#define QEMU_9P_PROXY_H
-
-#define PROXY_MAX_IO_SZ (64 * 1024)
-#define V9FS_FD_VALID INT_MAX
-
-/*
- * proxy iovec only support one element and
- * marsha/unmarshal doesn't do little endian conversion.
- */
-#define proxy_unmarshal(in_sg, offset, fmt, args...) \
-    v9fs_iov_unmarshal(in_sg, 1, offset, 0, fmt, ##args)
-#define proxy_marshal(out_sg, offset, fmt, args...) \
-    v9fs_iov_marshal(out_sg, 1, offset, 0, fmt, ##args)
-
-union MsgControl {
-    struct cmsghdr cmsg;
-    char control[CMSG_SPACE(sizeof(int))];
-};
-
-typedef struct {
-    uint32_t type;
-    uint32_t size;
-} ProxyHeader;
-
-#define PROXY_HDR_SZ (sizeof(ProxyHeader))
-
-enum {
-    T_SUCCESS = 0,
-    T_ERROR,
-    T_OPEN,
-    T_CREATE,
-    T_MKNOD,
-    T_MKDIR,
-    T_SYMLINK,
-    T_LINK,
-    T_LSTAT,
-    T_READLINK,
-    T_STATFS,
-    T_CHMOD,
-    T_CHOWN,
-    T_TRUNCATE,
-    T_UTIME,
-    T_RENAME,
-    T_REMOVE,
-    T_LGETXATTR,
-    T_LLISTXATTR,
-    T_LSETXATTR,
-    T_LREMOVEXATTR,
-    T_GETVERSION,
-};
-
-typedef struct {
-    uint64_t st_dev;
-    uint64_t st_ino;
-    uint64_t st_nlink;
-    uint32_t st_mode;
-    uint32_t st_uid;
-    uint32_t st_gid;
-    uint64_t st_rdev;
-    uint64_t st_size;
-    uint64_t st_blksize;
-    uint64_t st_blocks;
-    uint64_t st_atim_sec;
-    uint64_t st_atim_nsec;
-    uint64_t st_mtim_sec;
-    uint64_t st_mtim_nsec;
-    uint64_t st_ctim_sec;
-    uint64_t st_ctim_nsec;
-} ProxyStat;
-
-typedef struct {
-    uint64_t f_type;
-    uint64_t f_bsize;
-    uint64_t f_blocks;
-    uint64_t f_bfree;
-    uint64_t f_bavail;
-    uint64_t f_files;
-    uint64_t f_ffree;
-    uint64_t f_fsid[2];
-    uint64_t f_namelen;
-    uint64_t f_frsize;
-} ProxyStatFS;
-#endif
--- a/hw/9pfs/meson.build
+++ b/hw/9pfs/meson.build
@ -2,7 +2,6 @@ fs_ss = ss.source_set()
 fs_ss.add(files(
  '9p-local.c',
  '9p-posix-acl.c',
-  '9p-proxy.c',
  '9p-synth.c',
  '9p-xattr-user.c',
  '9p-xattr.c',
--- a/meson.build
+++ b/meson.build
@ -2219,13 +2219,6 @@ have_virtfs = get_option('virtfs') \
    .disable_auto_if(not have_tools and not have_system) \
    .allowed()

-have_virtfs_proxy_helper = get_option('virtfs_proxy_helper') \
-    .require(host_os != 'darwin', error_message: 'the virtfs proxy helper is incompatible with macOS') \
-    .require(have_virtfs, error_message: 'the virtfs proxy helper requires that virtfs is enabled') \
-    .disable_auto_if(not have_tools) \
-    .require(libcap_ng.found(), error_message: 'the virtfs proxy helper requires libcap-ng') \
-    .allowed()
-
 qga_fsfreeze = false
 qga_fstrim = false
 if host_os == 'linux'
@ -4420,7 +4413,6 @@ if have_block
  summary_info += {'Block whitelist (ro)': get_option('block_drv_ro_whitelist')}
  summary_info += {'Use block whitelist in tools': get_option('block_drv_whitelist_in_tools')}
  summary_info += {'VirtFS (9P) support':    have_virtfs}
-  summary_info += {'VirtFS (9P) Proxy Helper support (deprecated)': have_virtfs_proxy_helper}
  summary_info += {'replication support': config_host_data.get('CONFIG_REPLICATION')}
  summary_info += {'bochs support':     get_option('bochs').allowed()}
  summary_info += {'cloop support':     get_option('cloop').allowed()}
--- a/meson_options.txt
+++ b/meson_options.txt
@ -305,8 +305,6 @@ option('vhost_user_blk_server', type: 'feature', value: 'auto',
       description: 'build vhost-user-blk server')
 option('virtfs', type: 'feature', value: 'auto',
       description: 'virtio-9p support')
-option('virtfs_proxy_helper', type: 'feature', value: 'auto',
-       description: 'virtio-9p proxy helper support')
 option('libvduse', type: 'feature', value: 'auto',
       description: 'build VDUSE Library')
 option('vduse_blk_export', type: 'feature', value: 'auto',
--- a/qemu-options.hx
+++ b/qemu-options.hx
@ -1766,29 +1766,18 @@ DEF("fsdev", HAS_ARG, QEMU_OPTION_fsdev,
    " [[,throttling.bps-total-max=bm]|[[,throttling.bps-read-max=rm][,throttling.bps-write-max=wm]]]\n"
    " [[,throttling.iops-total-max=im]|[[,throttling.iops-read-max=irm][,throttling.iops-write-max=iwm]]]\n"
    " [[,throttling.iops-size=is]]\n"
-    "-fsdev proxy,id=id,socket=socket[,writeout=immediate][,readonly=on]\n"
-    "-fsdev proxy,id=id,sock_fd=sock_fd[,writeout=immediate][,readonly=on]\n"
    "-fsdev synth,id=id\n",
    QEMU_ARCH_ALL)

 SRST
 ``-fsdev local,id=id,path=path,security_model=security_model [,writeout=writeout][,readonly=on][,fmode=fmode][,dmode=dmode] [,throttling.option=value[,throttling.option=value[,...]]]``
  \ 
-``-fsdev proxy,id=id,socket=socket[,writeout=writeout][,readonly=on]``
-  \
-``-fsdev proxy,id=id,sock_fd=sock_fd[,writeout=writeout][,readonly=on]``
-  \
 ``-fsdev synth,id=id[,readonly=on]``
    Define a new file system device. Valid options are:

    ``local``
        Accesses to the filesystem are done by QEMU.

-    ``proxy``
-        Accesses to the filesystem are done by virtfs-proxy-helper(1). This
-        option is deprecated (since QEMU 8.1) and will be removed in a future
-        version of QEMU. Use ``local`` instead.
-
    ``synth``
        Synthetic filesystem, only used by QTests.

@ -1813,8 +1802,6 @@ SRST
        security model is same as passthrough except the sever won't
        report failures if it fails to set file attributes like
        ownership. Security model is mandatory only for local fsdriver.
-        Other fsdrivers (like proxy) don't take security model as a
-        parameter.

    ``writeout=writeout``
        This is an optional argument. The only supported value is
@ -1827,16 +1814,6 @@ SRST
        Enables exporting 9p share as a readonly mount for guests. By
        default read-write access is given.

-    ``socket=socket``
-        Enables proxy filesystem driver to use passed socket file for
-        communicating with virtfs-proxy-helper(1).
-
-    ``sock_fd=sock_fd``
-        Enables proxy filesystem driver to use passed socket descriptor
-        for communicating with virtfs-proxy-helper(1). Usually a helper
-        like libvirt will create socketpair and pass one of the fds as
-        sock\_fd.
-
    ``fmode=fmode``
        Specifies the default mode for newly created files on the host.
        Works only with security models "mapped-xattr" and
@ -1889,18 +1866,12 @@ ERST
 DEF("virtfs", HAS_ARG, QEMU_OPTION_virtfs,
    "-virtfs local,path=path,mount_tag=tag,security_model=mapped-xattr|mapped-file|passthrough|none\n"
    "        [,id=id][,writeout=immediate][,readonly=on][,fmode=fmode][,dmode=dmode][,multidevs=remap|forbid|warn]\n"
-    "-virtfs proxy,mount_tag=tag,socket=socket[,id=id][,writeout=immediate][,readonly=on]\n"
-    "-virtfs proxy,mount_tag=tag,sock_fd=sock_fd[,id=id][,writeout=immediate][,readonly=on]\n"
    "-virtfs synth,mount_tag=tag[,id=id][,readonly=on]\n",
    QEMU_ARCH_ALL)

 SRST
 ``-virtfs local,path=path,mount_tag=mount_tag ,security_model=security_model[,writeout=writeout][,readonly=on] [,fmode=fmode][,dmode=dmode][,multidevs=multidevs]``
  \ 
-``-virtfs proxy,socket=socket,mount_tag=mount_tag [,writeout=writeout][,readonly=on]``
-  \ 
-``-virtfs proxy,sock_fd=sock_fd,mount_tag=mount_tag [,writeout=writeout][,readonly=on]``
-  \
 ``-virtfs synth,mount_tag=mount_tag``
    Define a new virtual filesystem device and expose it to the guest using
    a virtio-9p-device (a.k.a. 9pfs), which essentially means that a certain
@ -1917,11 +1888,6 @@ SRST
    ``local``
        Accesses to the filesystem are done by QEMU.

-    ``proxy``
-        Accesses to the filesystem are done by virtfs-proxy-helper(1).
-        This option is deprecated (since QEMU 8.1) and will be removed in a
-        future version of QEMU. Use ``local`` instead.
-
    ``synth``
        Synthetic filesystem, only used by QTests.

@ -1946,8 +1912,6 @@ SRST
        security model is same as passthrough except the sever won't
        report failures if it fails to set file attributes like
        ownership. Security model is mandatory only for local fsdriver.
-        Other fsdrivers (like proxy) don't take security model as a
-        parameter.

    ``writeout=writeout``
        This is an optional argument. The only supported value is
@ -1960,16 +1924,6 @@ SRST
        Enables exporting 9p share as a readonly mount for guests. By
        default read-write access is given.

-    ``socket=socket``
-        Enables proxy filesystem driver to use passed socket file for
-        communicating with virtfs-proxy-helper(1). Usually a helper like
-        libvirt will create socketpair and pass one of the fds as
-        sock\_fd.
-
-    ``sock_fd``
-        Enables proxy filesystem driver to use passed 'sock\_fd' as the
-        socket descriptor for interfacing with virtfs-proxy-helper(1).
-
    ``fmode=fmode``
        Specifies the default mode for newly created files on the host.
        Works only with security models "mapped-xattr" and
--- a/scripts/meson-buildoptions.
+++ b/scripts/meson-buildoptions.
--- a/scripts/meson-buildoptions.sh
+++ b/scripts/meson-buildoptions.sh
@ -208,8 +208,6 @@ meson_options_help() {
  printf "%s\n" '  vhost-vdpa      vhost-vdpa kernel backend support'
  printf "%s\n" '  virglrenderer   virgl rendering support'
  printf "%s\n" '  virtfs          virtio-9p support'
-  printf "%s\n" '  virtfs-proxy-helper'
-  printf "%s\n" '                  virtio-9p proxy helper support'
  printf "%s\n" '  vmdk            vmdk image format support'
  printf "%s\n" '  vmnet           vmnet.framework network backend support'
  printf "%s\n" '  vnc             VNC server'
@ -539,8 +537,6 @@ _meson_option_parse() {
    --disable-virglrenderer) printf "%s" -Dvirglrenderer=disabled ;;
    --enable-virtfs) printf "%s" -Dvirtfs=enabled ;;
    --disable-virtfs) printf "%s" -Dvirtfs=disabled ;;
-    --enable-virtfs-proxy-helper) printf "%s" -Dvirtfs_proxy_helper=enabled ;;
-    --disable-virtfs-proxy-helper) printf "%s" -Dvirtfs_proxy_helper=disabled ;;
    --enable-vmdk) printf "%s" -Dvmdk=enabled ;;
    --disable-vmdk) printf "%s" -Dvmdk=disabled ;;
    --enable-vmnet) printf "%s" -Dvmnet=enabled ;;