78813586b0
The virtfs-proxy-helper documentation is currently in fsdev/qemu-trace-stap.texi in Texinfo format, which we present to the user as: * a virtfs-proxy-helper manpage * but not (unusually for QEMU) part of the HTML docs Convert the documentation to rST format that lives in the docs/ subdirectory, and present it to the user as: * a virtfs-proxy-helper manpage * part of the interop/ Sphinx manual There are minor formatting changes to suit Sphinx, but no content changes. In particular I've split the -u and -g options into each having their own description text. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Greg Kurz <groug@kaod.org> Message-id: 20200124162606.8787-9-peter.maydell@linaro.org
73 lines
2.2 KiB
ReStructuredText
73 lines
2.2 KiB
ReStructuredText
QEMU 9p virtfs proxy filesystem helper
|
|
======================================
|
|
|
|
Synopsis
|
|
--------
|
|
|
|
**virtfs-proxy-helper** [*OPTIONS*]
|
|
|
|
Description
|
|
-----------
|
|
|
|
Pass-through security model in QEMU 9p server needs root privilege to do
|
|
few file operations (like chown, chmod to any mode/uid:gid). There are two
|
|
issues in pass-through security model:
|
|
|
|
- TOCTTOU vulnerability: Following symbolic links in the server could
|
|
provide access to files beyond 9p export path.
|
|
|
|
- Running QEMU with root privilege could be a security issue.
|
|
|
|
To overcome above issues, following approach is used: A new filesystem
|
|
type 'proxy' is introduced. Proxy FS uses chroot + socket combination
|
|
for securing the vulnerability known with following symbolic links.
|
|
Intention of adding a new filesystem type is to allow qemu to run
|
|
in non-root mode, but doing privileged operations using socket IO.
|
|
|
|
Proxy helper (a stand alone binary part of qemu) is invoked with
|
|
root privileges. Proxy helper chroots into 9p export path and creates
|
|
a socket pair or a named socket based on the command line parameter.
|
|
QEMU and proxy helper communicate using this socket. QEMU proxy fs
|
|
driver sends filesystem request to proxy helper and receives the
|
|
response from it.
|
|
|
|
The proxy helper is designed so that it can drop root privileges except
|
|
for the capabilities needed for doing filesystem operations.
|
|
|
|
Options
|
|
-------
|
|
|
|
The following options are supported:
|
|
|
|
.. program:: virtfs-proxy-helper
|
|
|
|
.. option:: -h
|
|
|
|
Display help and exit
|
|
|
|
.. option:: -p, --path PATH
|
|
|
|
Path to export for proxy filesystem driver
|
|
|
|
.. option:: -f, --fd SOCKET_ID
|
|
|
|
Use given file descriptor as socket descriptor for communicating with
|
|
qemu proxy fs drier. Usually a helper like libvirt will create
|
|
socketpair and pass one of the fds as parameter to this option.
|
|
|
|
.. option:: -s, --socket SOCKET_FILE
|
|
|
|
Creates named socket file for communicating with qemu proxy fs driver
|
|
|
|
.. option:: -u, --uid UID
|
|
|
|
uid to give access to named socket file; used in combination with -g.
|
|
|
|
.. option:: -g, --gid GID
|
|
|
|
gid to give access to named socket file; used in combination with -u.
|
|
|
|
.. option:: -n, --nodaemon
|
|
|
|
Run as a normal program. By default program will run in daemon mode
|