60 lines
2.0 KiB
Plaintext
60 lines
2.0 KiB
Plaintext
|
@example
|
||
|
@c man begin SYNOPSIS
|
||
|
usage: virtfs-proxy-helper options
|
||
|
@c man end
|
||
|
@end example
|
||
|
|
||
|
@c man begin DESCRIPTION
|
||
|
@table @description
|
||
|
Pass-through security model in QEMU 9p server needs root privilege to do
|
||
|
few file operations (like chown, chmod to any mode/uid:gid). There are two
|
||
|
issues in pass-through security model
|
||
|
|
||
|
1) TOCTTOU vulnerability: Following symbolic links in the server could
|
||
|
provide access to files beyond 9p export path.
|
||
|
|
||
|
2) Running QEMU with root privilege could be a security issue.
|
||
|
|
||
|
To overcome above issues, following approach is used: A new filesytem
|
||
|
type 'proxy' is introduced. Proxy FS uses chroot + socket combination
|
||
|
for securing the vulnerability known with following symbolic links.
|
||
|
Intention of adding a new filesystem type is to allow qemu to run
|
||
|
in non-root mode, but doing privileged operations using socket IO.
|
||
|
|
||
|
Proxy helper(a stand alone binary part of qemu) is invoked with
|
||
|
root privileges. Proxy helper chroots into 9p export path and creates
|
||
|
a socket pair or a named socket based on the command line parameter.
|
||
|
Qemu and proxy helper communicate using this socket. QEMU proxy fs
|
||
|
driver sends filesystem request to proxy helper and receives the
|
||
|
response from it.
|
||
|
|
||
|
Proxy helper is designed so that it can drop the root privilege with
|
||
|
retaining capbilities needed for doing filesystem operations only.
|
||
|
|
||
|
@end table
|
||
|
@c man end
|
||
|
|
||
|
@c man begin OPTIONS
|
||
|
The following options are supported:
|
||
|
@table @option
|
||
|
@item -h
|
||
|
@findex -h
|
||
|
Display help and exit
|
||
|
@item -p|--path path
|
||
|
Path to export for proxy filesystem driver
|
||
|
@item -f|--fd socket-id
|
||
|
Use given file descriptor as socket descriptor for communicating with
|
||
|
qemu proxy fs drier. Usually a helper like libvirt will create
|
||
|
socketpair and pass one of the fds as parameter to -f|--fd
|
||
|
@item -n|--nodaemon
|
||
|
Run as a normal program. By default program will run in daemon mode
|
||
|
@end table
|
||
|
@c man end
|
||
|
|
||
|
@setfilename virtfs-proxy-helper
|
||
|
@settitle QEMU 9p virtfs proxy filesystem helper
|
||
|
|
||
|
@c man begin AUTHOR
|
||
|
M. Mohan Kumar
|
||
|
@c man end
|