b8d8e8fde3
There was a 'capbilities' typo in this man page. This commit reformulates the sentence the typo was in to make it easier to grasp. This is based on a suggestion from Eric Blake. Signed-off-by: Christophe Fergeau <cfergeau@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
64 lines
2.1 KiB
Plaintext
64 lines
2.1 KiB
Plaintext
@example
|
|
@c man begin SYNOPSIS
|
|
@command{virtfs-proxy-helper} @var{options}
|
|
@c man end
|
|
@end example
|
|
|
|
@c man begin DESCRIPTION
|
|
@table @description
|
|
Pass-through security model in QEMU 9p server needs root privilege to do
|
|
few file operations (like chown, chmod to any mode/uid:gid). There are two
|
|
issues in pass-through security model
|
|
|
|
1) TOCTTOU vulnerability: Following symbolic links in the server could
|
|
provide access to files beyond 9p export path.
|
|
|
|
2) Running QEMU with root privilege could be a security issue.
|
|
|
|
To overcome above issues, following approach is used: A new filesytem
|
|
type 'proxy' is introduced. Proxy FS uses chroot + socket combination
|
|
for securing the vulnerability known with following symbolic links.
|
|
Intention of adding a new filesystem type is to allow qemu to run
|
|
in non-root mode, but doing privileged operations using socket IO.
|
|
|
|
Proxy helper(a stand alone binary part of qemu) is invoked with
|
|
root privileges. Proxy helper chroots into 9p export path and creates
|
|
a socket pair or a named socket based on the command line parameter.
|
|
QEMU and proxy helper communicate using this socket. QEMU proxy fs
|
|
driver sends filesystem request to proxy helper and receives the
|
|
response from it.
|
|
|
|
The proxy helper is designed so that it can drop root privileges except
|
|
for the capabilities needed for doing filesystem operations.
|
|
|
|
@end table
|
|
@c man end
|
|
|
|
@c man begin OPTIONS
|
|
The following options are supported:
|
|
@table @option
|
|
@item -h
|
|
@findex -h
|
|
Display help and exit
|
|
@item -p|--path path
|
|
Path to export for proxy filesystem driver
|
|
@item -f|--fd socket-id
|
|
Use given file descriptor as socket descriptor for communicating with
|
|
qemu proxy fs drier. Usually a helper like libvirt will create
|
|
socketpair and pass one of the fds as parameter to -f|--fd
|
|
@item -s|--socket socket-file
|
|
Creates named socket file for communicating with qemu proxy fs driver
|
|
@item -u|--uid uid -g|--gid gid
|
|
uid:gid combination to give access to named socket file
|
|
@item -n|--nodaemon
|
|
Run as a normal program. By default program will run in daemon mode
|
|
@end table
|
|
@c man end
|
|
|
|
@setfilename virtfs-proxy-helper
|
|
@settitle QEMU 9p virtfs proxy filesystem helper
|
|
|
|
@c man begin AUTHOR
|
|
M. Mohan Kumar
|
|
@c man end
|