OpenE2K/qemu-e2k
13
4
Fork 0
Code Issues 4 Pull Requests Projects 2 Releases Activity
4760cedc61
qemu-e2k/docs/tools/virtfs-proxy-helper.rst
Christian Schoenebeck 71d72ececa 9pfs: deprecate 'proxy' backend 
As recent CVE-2023-2861 (fixed by f6b0de53fb) once again showed, the 9p
'proxy' fs driver is in bad shape. Using the 'proxy' backend was already
discouraged for safety reasons before and we recommended to use the
'local' backend (preferably in conjunction with its 'mapped' security
model) instead, but now it is time to officially deprecate the 'proxy'
backend.

Signed-off-by: Christian Schoenebeck <qemu_oss@crudebyte.com>
Reviewed-by: Greg Kurz <groug@kaod.org>
Message-Id: <E1qDkmw-0007M1-8f@lizzy.crudebyte.com>
2023-07-06 11:42:08 +02:00

76 lines
2.3 KiB
ReStructuredText
Raw Blame History

QEMU 9p virtfs proxy filesystem helper
======================================
Synopsis
--------
**virtfs-proxy-helper** [*OPTIONS*]
Description
-----------
NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
removed, along with this daemon, in a future version of QEMU!
Pass-through security model in QEMU 9p server needs root privilege to do
few file operations (like chown, chmod to any mode/uid:gid). There are two
issues in pass-through security model:
- TOCTTOU vulnerability: Following symbolic links in the server could
provide access to files beyond 9p export path.
- Running QEMU with root privilege could be a security issue.
To overcome above issues, following approach is used: A new filesystem
type 'proxy' is introduced. Proxy FS uses chroot + socket combination
for securing the vulnerability known with following symbolic links.
Intention of adding a new filesystem type is to allow qemu to run
in non-root mode, but doing privileged operations using socket IO.
Proxy helper (a stand alone binary part of qemu) is invoked with
root privileges. Proxy helper chroots into 9p export path and creates
a socket pair or a named socket based on the command line parameter.
QEMU and proxy helper communicate using this socket. QEMU proxy fs
driver sends filesystem request to proxy helper and receives the
response from it.
The proxy helper is designed so that it can drop root privileges except
for the capabilities needed for doing filesystem operations.
Options
-------
The following options are supported:
.. program:: virtfs-proxy-helper
.. option:: -h
Display help and exit
.. option:: -p, --path PATH
Path to export for proxy filesystem driver
.. option:: -f, --fd SOCKET_ID
Use given file descriptor as socket descriptor for communicating with
qemu proxy fs drier. Usually a helper like libvirt will create
socketpair and pass one of the fds as parameter to this option.
.. option:: -s, --socket SOCKET_FILE
Creates named socket file for communicating with qemu proxy fs driver
.. option:: -u, --uid UID
uid to give access to named socket file; used in combination with -g.
.. option:: -g, --gid GID
gid to give access to named socket file; used in combination with -u.
.. option:: -n, --nodaemon
Run as a normal program. By default program will run in daemon mode
Reference in New Issue View Git Blame Copy Permalink