9p: remove 'proxy' filesystem backend driver

It has been deprecated since 8.1; remove it and suggest using the 'local' file system backend driver instead or virtiofsd. Acked-by: Greg Kurz <groug@kaod.org> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2024-09-05 10:19:42 +02:00 · 2024-09-05 10:19:42 +02:00 · ed76671888
commit ed76671888
parent 7e6b5497ea
19 changed files with 14 additions and 2772 deletions
--- a/8
+++ b/8
@ -2258,20 +2258,12 @@ S: Maintained
 W: https://wiki.qemu.org/Documentation/9p
 F: hw/9pfs/
 X: hw/9pfs/xen-9p*
 X: hw/9pfs/9p-proxy*
 F: fsdev/
 X: fsdev/virtfs-proxy-helper.c
 F: tests/qtest/virtio-9p-test.c
 F: tests/qtest/libqos/virtio-9p*
 T: git https://gitlab.com/gkurz/qemu.git 9p-next
 T: git https://github.com/cschoenebeck/qemu.git 9p.next
 virtio-9p-proxy
 F: hw/9pfs/9p-proxy*
 F: fsdev/virtfs-proxy-helper.c
 F: docs/tools/virtfs-proxy-helper.rst
 S: Obsolete
 virtio-blk
 M: Stefan Hajnoczi <stefanha@redhat.com>
 L: qemu-block@nongnu.org
--- a/docs/about/deprecated.rst
+++ b/docs/about/deprecated.rst
@ -329,28 +329,6 @@ the addition of volatile memory support, it is now necessary to distinguish
 between persistent and volatile memory backends.  As such, memdev is deprecated
 in favor of persistent-memdev.
 ``-fsdev proxy`` and ``-virtfs proxy`` (since 8.1)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 The 9p ``proxy`` filesystem backend driver has been deprecated and will be
 removed (along with its proxy helper daemon) in a future version of QEMU. Please
 use ``-fsdev local`` or ``-virtfs local`` for using the 9p ``local`` filesystem
 backend, or alternatively consider deploying virtiofsd instead.
 The 9p ``proxy`` backend was originally developed as an alternative to the 9p
 ``local`` backend. The idea was to enhance security by dispatching actual low
 level filesystem operations from 9p server (QEMU process) over to a separate
 process (the virtfs-proxy-helper binary). However this alternative never gained
 momentum. The proxy backend is much slower than the local backend, hasn't seen
 any development in years, and showed to be less secure, especially due to the
 fact that its helper daemon must be run as root, whereas with the local backend
 QEMU is typically run as unprivileged user and allows to tighten behaviour by
 mapping permissions et al by using its 'mapped' security model option.
 Nowadays it would make sense to reimplement the ``proxy`` backend by using
 QEMU's ``vhost`` feature, which would eliminate the high latency costs under
 which the 9p ``proxy`` backend currently suffers. However as of to date nobody
 has indicated plans for such kind of reimplementation unfortunately.
 RISC-V CPU properties which start with capital 'Z' (since 8.2)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
--- a/docs/about/removed-features.rst
+++ b/docs/about/removed-features.rst
@ -517,6 +517,20 @@ The virtio-blk SCSI passthrough feature is a legacy VIRTIO feature.  VIRTIO 1.0
 and later do not support it because the virtio-scsi device was introduced for
 full SCSI support.  Use virtio-scsi instead when SCSI passthrough is required.
 ``-fsdev proxy`` and ``-virtfs proxy`` (since 9.2)
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 The 9p ``proxy`` filesystem backend driver was originally developed to
 enhance security by dispatching low level filesystem operations from 9p
 server (QEMU process) over to a separate process (the virtfs-proxy-helper
 binary). However the proxy backend was much slower than the local backend,
 didn't see any development in years, and showed to be less secure,
 especially due to the fact that its helper daemon must be run as root.
 Use ``local``, possibly mapping permissions et al by using its 'mapped'
 security model option, or switch to ``virtiofs``.   The virtiofs daemon
 ``virtiofsd`` uses vhost to eliminate the high latency costs of the 9p
 ``proxy`` backend.
 User-mode emulator command line arguments
 -----------------------------------------
--- a/docs/conf.py
+++ b/docs/conf.py
@ -275,9 +275,6 @@ man_pages = [
    ('tools/qemu-trace-stap', 'qemu-trace-stap',
     'QEMU SystemTap trace tool',
     [], 1),
    ('tools/virtfs-proxy-helper', 'virtfs-proxy-helper',
     'QEMU 9p virtfs proxy filesystem helper',
     ['M. Mohan Kumar'], 1),
 ]
 man_make_section_directory = False
--- a/docs/meson.build
+++ b/docs/meson.build
@ -54,7 +54,6 @@ if build_docs
        'qemu-pr-helper.8': (have_tools ? 'man8' : ''),
        'qemu-storage-daemon.1': (have_tools ? 'man1' : ''),
        'qemu-trace-stap.1': (stap.found() ? 'man1' : ''),
        'virtfs-proxy-helper.1': (have_virtfs_proxy_helper ? 'man1' : ''),
        'qemu.1': 'man1',
        'qemu-block-drivers.7': 'man7',
        'qemu-cpu-models.7': 'man7'
--- a/docs/tools/index.rst
+++ b/docs/tools/index.rst
@ -15,5 +15,4 @@ command line utilities and other standalone programs.
   qemu-nbd
   qemu-pr-helper
   qemu-trace-stap
   virtfs-proxy-helper
   qemu-vmsr-helper
--- a/docs/tools/virtfs-proxy-helper.rst
+++ b/docs/tools/virtfs-proxy-helper.rst
@ -1,75 +0,0 @@
 QEMU 9p virtfs proxy filesystem helper
 ======================================
 Synopsis
 --------
 **virtfs-proxy-helper** [*OPTIONS*]
 Description
 -----------
 NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
 removed, along with this daemon, in a future version of QEMU!
 Pass-through security model in QEMU 9p server needs root privilege to do
 few file operations (like chown, chmod to any mode/uid:gid).  There are two
 issues in pass-through security model:
 - TOCTTOU vulnerability: Following symbolic links in the server could
  provide access to files beyond 9p export path.
 - Running QEMU with root privilege could be a security issue.
 To overcome above issues, following approach is used: A new filesystem
 type 'proxy' is introduced. Proxy FS uses chroot + socket combination
 for securing the vulnerability known with following symbolic links.
 Intention of adding a new filesystem type is to allow qemu to run
 in non-root mode, but doing privileged operations using socket IO.
 Proxy helper (a stand alone binary part of qemu) is invoked with
 root privileges. Proxy helper chroots into 9p export path and creates
 a socket pair or a named socket based on the command line parameter.
 QEMU and proxy helper communicate using this socket. QEMU proxy fs
 driver sends filesystem request to proxy helper and receives the
 response from it.
 The proxy helper is designed so that it can drop root privileges except
 for the capabilities needed for doing filesystem operations.
 Options
 -------
 The following options are supported:
 .. program:: virtfs-proxy-helper
 .. option:: -h
  Display help and exit
 .. option:: -p, --path PATH
  Path to export for proxy filesystem driver
 .. option:: -f, --fd SOCKET_ID
  Use given file descriptor as socket descriptor for communicating with
  qemu proxy fs drier. Usually a helper like libvirt will create
  socketpair and pass one of the fds as parameter to this option.
 .. option:: -s, --socket SOCKET_FILE
  Creates named socket file for communicating with qemu proxy fs driver
 .. option:: -u, --uid UID
  uid to give access to named socket file; used in combination with -g.
 .. option:: -g, --gid GID
  gid to give access to named socket file; used in combination with -u.
 .. option:: -n, --nodaemon
  Run as a normal program. By default program will run in daemon mode
--- a/fsdev/meson.build
+++ b/fsdev/meson.build
@ -8,11 +8,3 @@ fsdev_ss.add(when: ['CONFIG_FSDEV_9P'], if_true: files(
 if host_os in ['linux', 'darwin']
  system_ss.add_all(fsdev_ss)
 endif
 if have_virtfs_proxy_helper
  executable('virtfs-proxy-helper',
             files('virtfs-proxy-helper.c', '9p-marshal.c', '9p-iov-marshal.c'),
             dependencies: [qemuutil, libattr, libcap_ng],
             install: true,
             install_dir: get_option('libexecdir'))
 endif
--- a/fsdev/qemu-fsdev.c
+++ b/fsdev/qemu-fsdev.c
@ -89,17 +89,6 @@ static FsDriverTable FsDrivers[] = {
            NULL
        },
    },
    {
        .name = "proxy",
        .ops = &proxy_ops,
        .opts = (const char * []) {
            COMMON_FS_DRIVER_OPTIONS,
            "socket",
            "sock_fd",
            "writeout",
            NULL
        },
    },
 };
 static int validate_opt(void *opaque, const char *name, const char *value,
@ -133,14 +122,6 @@ int qemu_fsdev_add(QemuOpts *opts, Error **errp)
    }
    if (fsdriver) {
        if (strncmp(fsdriver, "proxy", 5) == 0) {
            warn_report(
                "'-fsdev proxy' and '-virtfs proxy' are deprecated, use "
                "'local' instead of 'proxy, or consider deploying virtiofsd "
                "as alternative to 9p"
            );
        }
        for (i = 0; i < ARRAY_SIZE(FsDrivers); i++) {
            if (strcmp(FsDrivers[i].name, fsdriver) == 0) {
                break;
--- a/fsdev/qemu-fsdev.h
+++ b/fsdev/qemu-fsdev.h
@ -18,5 +18,4 @@ int qemu_fsdev_add(QemuOpts *opts, Error **errp);
 FsDriverEntry *get_fsdev_fsentry(char *id);
 extern FileOperations local_ops;
 extern FileOperations synth_ops;
 extern FileOperations proxy_ops;
 #endif
--- a/fsdev/virtfs-proxy-helper.c
+++ b/fsdev/virtfs-proxy-helper.c
--- a/hw/9pfs/9p-proxy.c
+++ b/hw/9pfs/9p-proxy.c
--- a/hw/9pfs/9p-proxy.h
+++ b/hw/9pfs/9p-proxy.h
@ -1,101 +0,0 @@
 /*
 * 9p Proxy callback
 *
 * Copyright IBM, Corp. 2011
 *
 * Authors:
 * M. Mohan Kumar <mohan@in.ibm.com>
 *
 * This work is licensed under the terms of the GNU GPL, version 2.  See
 * the COPYING file in the top-level directory.
 */
 /*
 * NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
 * removed in a future version of QEMU!
 */
 #ifndef QEMU_9P_PROXY_H
 #define QEMU_9P_PROXY_H
 #define PROXY_MAX_IO_SZ (64 * 1024)
 #define V9FS_FD_VALID INT_MAX
 /*
 * proxy iovec only support one element and
 * marsha/unmarshal doesn't do little endian conversion.
 */
 #define proxy_unmarshal(in_sg, offset, fmt, args...) \
    v9fs_iov_unmarshal(in_sg, 1, offset, 0, fmt, ##args)
 #define proxy_marshal(out_sg, offset, fmt, args...) \
    v9fs_iov_marshal(out_sg, 1, offset, 0, fmt, ##args)
 union MsgControl {
    struct cmsghdr cmsg;
    char control[CMSG_SPACE(sizeof(int))];
 };
 typedef struct {
    uint32_t type;
    uint32_t size;
 } ProxyHeader;
 #define PROXY_HDR_SZ (sizeof(ProxyHeader))
 enum {
    T_SUCCESS = 0,
    T_ERROR,
    T_OPEN,
    T_CREATE,
    T_MKNOD,
    T_MKDIR,
    T_SYMLINK,
    T_LINK,
    T_LSTAT,
    T_READLINK,
    T_STATFS,
    T_CHMOD,
    T_CHOWN,
    T_TRUNCATE,
    T_UTIME,
    T_RENAME,
    T_REMOVE,
    T_LGETXATTR,
    T_LLISTXATTR,
    T_LSETXATTR,
    T_LREMOVEXATTR,
    T_GETVERSION,
 };
 typedef struct {
    uint64_t st_dev;
    uint64_t st_ino;
    uint64_t st_nlink;
    uint32_t st_mode;
    uint32_t st_uid;
    uint32_t st_gid;
    uint64_t st_rdev;
    uint64_t st_size;
    uint64_t st_blksize;
    uint64_t st_blocks;
    uint64_t st_atim_sec;
    uint64_t st_atim_nsec;
    uint64_t st_mtim_sec;
    uint64_t st_mtim_nsec;
    uint64_t st_ctim_sec;
    uint64_t st_ctim_nsec;
 } ProxyStat;
 typedef struct {
    uint64_t f_type;
    uint64_t f_bsize;
    uint64_t f_blocks;
    uint64_t f_bfree;
    uint64_t f_bavail;
    uint64_t f_files;
    uint64_t f_ffree;
    uint64_t f_fsid[2];
    uint64_t f_namelen;
    uint64_t f_frsize;
 } ProxyStatFS;
 #endif
--- a/hw/9pfs/meson.build
+++ b/hw/9pfs/meson.build
@ -2,7 +2,6 @@ fs_ss = ss.source_set()
 fs_ss.add(files(
  '9p-local.c',
  '9p-posix-acl.c',
  '9p-proxy.c',
  '9p-synth.c',
  '9p-xattr-user.c',
  '9p-xattr.c',
--- a/meson.build
+++ b/meson.build
@ -2219,13 +2219,6 @@ have_virtfs = get_option('virtfs') \
    .disable_auto_if(not have_tools and not have_system) \
    .allowed()
 have_virtfs_proxy_helper = get_option('virtfs_proxy_helper') \
    .require(host_os != 'darwin', error_message: 'the virtfs proxy helper is incompatible with macOS') \
    .require(have_virtfs, error_message: 'the virtfs proxy helper requires that virtfs is enabled') \
    .disable_auto_if(not have_tools) \
    .require(libcap_ng.found(), error_message: 'the virtfs proxy helper requires libcap-ng') \
    .allowed()
 qga_fsfreeze = false
 qga_fstrim = false
 if host_os == 'linux'
@ -4420,7 +4413,6 @@ if have_block
  summary_info += {'Block whitelist (ro)': get_option('block_drv_ro_whitelist')}
  summary_info += {'Use block whitelist in tools': get_option('block_drv_whitelist_in_tools')}
  summary_info += {'VirtFS (9P) support':    have_virtfs}
  summary_info += {'VirtFS (9P) Proxy Helper support (deprecated)': have_virtfs_proxy_helper}
  summary_info += {'replication support': config_host_data.get('CONFIG_REPLICATION')}
  summary_info += {'bochs support':     get_option('bochs').allowed()}
  summary_info += {'cloop support':     get_option('cloop').allowed()}
--- a/meson_options.txt
+++ b/meson_options.txt
@ -305,8 +305,6 @@ option('vhost_user_blk_server', type: 'feature', value: 'auto',
       description: 'build vhost-user-blk server')
 option('virtfs', type: 'feature', value: 'auto',
       description: 'virtio-9p support')
 option('virtfs_proxy_helper', type: 'feature', value: 'auto',
       description: 'virtio-9p proxy helper support')
 option('libvduse', type: 'feature', value: 'auto',
       description: 'build VDUSE Library')
 option('vduse_blk_export', type: 'feature', value: 'auto',
--- a/qemu-options.hx
+++ b/qemu-options.hx
@ -1766,29 +1766,18 @@ DEF("fsdev", HAS_ARG, QEMU_OPTION_fsdev,
    " [[,throttling.bps-total-max=bm]|[[,throttling.bps-read-max=rm][,throttling.bps-write-max=wm]]]\n"
    " [[,throttling.iops-total-max=im]|[[,throttling.iops-read-max=irm][,throttling.iops-write-max=iwm]]]\n"
    " [[,throttling.iops-size=is]]\n"
    "-fsdev proxy,id=id,socket=socket[,writeout=immediate][,readonly=on]\n"
    "-fsdev proxy,id=id,sock_fd=sock_fd[,writeout=immediate][,readonly=on]\n"
    "-fsdev synth,id=id\n",
    QEMU_ARCH_ALL)
 SRST
 ``-fsdev local,id=id,path=path,security_model=security_model [,writeout=writeout][,readonly=on][,fmode=fmode][,dmode=dmode] [,throttling.option=value[,throttling.option=value[,...]]]``
  \ 
 ``-fsdev proxy,id=id,socket=socket[,writeout=writeout][,readonly=on]``
  \
 ``-fsdev proxy,id=id,sock_fd=sock_fd[,writeout=writeout][,readonly=on]``
  \
 ``-fsdev synth,id=id[,readonly=on]``
    Define a new file system device. Valid options are:
    ``local``
        Accesses to the filesystem are done by QEMU.
    ``proxy``
        Accesses to the filesystem are done by virtfs-proxy-helper(1). This
        option is deprecated (since QEMU 8.1) and will be removed in a future
        version of QEMU. Use ``local`` instead.
    ``synth``
        Synthetic filesystem, only used by QTests.
@ -1813,8 +1802,6 @@ SRST
        security model is same as passthrough except the sever won't
        report failures if it fails to set file attributes like
        ownership. Security model is mandatory only for local fsdriver.
        Other fsdrivers (like proxy) don't take security model as a
        parameter.
    ``writeout=writeout``
        This is an optional argument. The only supported value is
@ -1827,16 +1814,6 @@ SRST
        Enables exporting 9p share as a readonly mount for guests. By
        default read-write access is given.
    ``socket=socket``
        Enables proxy filesystem driver to use passed socket file for
        communicating with virtfs-proxy-helper(1).
    ``sock_fd=sock_fd``
        Enables proxy filesystem driver to use passed socket descriptor
        for communicating with virtfs-proxy-helper(1). Usually a helper
        like libvirt will create socketpair and pass one of the fds as
        sock\_fd.
    ``fmode=fmode``
        Specifies the default mode for newly created files on the host.
        Works only with security models "mapped-xattr" and
@ -1889,18 +1866,12 @@ ERST
 DEF("virtfs", HAS_ARG, QEMU_OPTION_virtfs,
    "-virtfs local,path=path,mount_tag=tag,security_model=mapped-xattr|mapped-file|passthrough|none\n"
    "        [,id=id][,writeout=immediate][,readonly=on][,fmode=fmode][,dmode=dmode][,multidevs=remap|forbid|warn]\n"
    "-virtfs proxy,mount_tag=tag,socket=socket[,id=id][,writeout=immediate][,readonly=on]\n"
    "-virtfs proxy,mount_tag=tag,sock_fd=sock_fd[,id=id][,writeout=immediate][,readonly=on]\n"
    "-virtfs synth,mount_tag=tag[,id=id][,readonly=on]\n",
    QEMU_ARCH_ALL)
 SRST
 ``-virtfs local,path=path,mount_tag=mount_tag ,security_model=security_model[,writeout=writeout][,readonly=on] [,fmode=fmode][,dmode=dmode][,multidevs=multidevs]``
  \ 
 ``-virtfs proxy,socket=socket,mount_tag=mount_tag [,writeout=writeout][,readonly=on]``
  \ 
 ``-virtfs proxy,sock_fd=sock_fd,mount_tag=mount_tag [,writeout=writeout][,readonly=on]``
  \
 ``-virtfs synth,mount_tag=mount_tag``
    Define a new virtual filesystem device and expose it to the guest using
    a virtio-9p-device (a.k.a. 9pfs), which essentially means that a certain
@ -1917,11 +1888,6 @@ SRST
    ``local``
        Accesses to the filesystem are done by QEMU.
    ``proxy``
        Accesses to the filesystem are done by virtfs-proxy-helper(1).
        This option is deprecated (since QEMU 8.1) and will be removed in a
        future version of QEMU. Use ``local`` instead.
    ``synth``
        Synthetic filesystem, only used by QTests.
@ -1946,8 +1912,6 @@ SRST
        security model is same as passthrough except the sever won't
        report failures if it fails to set file attributes like
        ownership. Security model is mandatory only for local fsdriver.
        Other fsdrivers (like proxy) don't take security model as a
        parameter.
    ``writeout=writeout``
        This is an optional argument. The only supported value is
@ -1960,16 +1924,6 @@ SRST
        Enables exporting 9p share as a readonly mount for guests. By
        default read-write access is given.
    ``socket=socket``
        Enables proxy filesystem driver to use passed socket file for
        communicating with virtfs-proxy-helper(1). Usually a helper like
        libvirt will create socketpair and pass one of the fds as
        sock\_fd.
    ``sock_fd``
        Enables proxy filesystem driver to use passed 'sock\_fd' as the
        socket descriptor for interfacing with virtfs-proxy-helper(1).
    ``fmode=fmode``
        Specifies the default mode for newly created files on the host.
        Works only with security models "mapped-xattr" and
--- a/scripts/meson-buildoptions.
+++ b/scripts/meson-buildoptions.
--- a/scripts/meson-buildoptions.sh
+++ b/scripts/meson-buildoptions.sh
@ -208,8 +208,6 @@ meson_options_help() {
  printf "%s\n" '  vhost-vdpa      vhost-vdpa kernel backend support'
  printf "%s\n" '  virglrenderer   virgl rendering support'
  printf "%s\n" '  virtfs          virtio-9p support'
  printf "%s\n" '  virtfs-proxy-helper'
  printf "%s\n" '                  virtio-9p proxy helper support'
  printf "%s\n" '  vmdk            vmdk image format support'
  printf "%s\n" '  vmnet           vmnet.framework network backend support'
  printf "%s\n" '  vnc             VNC server'
@ -539,8 +537,6 @@ _meson_option_parse() {
    --disable-virglrenderer) printf "%s" -Dvirglrenderer=disabled ;;
    --enable-virtfs) printf "%s" -Dvirtfs=enabled ;;
    --disable-virtfs) printf "%s" -Dvirtfs=disabled ;;
    --enable-virtfs-proxy-helper) printf "%s" -Dvirtfs_proxy_helper=enabled ;;
    --disable-virtfs-proxy-helper) printf "%s" -Dvirtfs_proxy_helper=disabled ;;
    --enable-vmdk) printf "%s" -Dvmdk=enabled ;;
    --disable-vmdk) printf "%s" -Dvmdk=disabled ;;
    --enable-vmnet) printf "%s" -Dvmnet=enabled ;;