84a87cc4cc
Add option to use named socket for communicating between proxy helper and qemu proxy FS. Access to socket can be given by using command line options -u and -g. Signed-off-by: M. Mohan Kumar <mohan@in.ibm.com> Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
64 lines
2.1 KiB
Plaintext
64 lines
2.1 KiB
Plaintext
@example
|
|
@c man begin SYNOPSIS
|
|
usage: virtfs-proxy-helper options
|
|
@c man end
|
|
@end example
|
|
|
|
@c man begin DESCRIPTION
|
|
@table @description
|
|
Pass-through security model in QEMU 9p server needs root privilege to do
|
|
few file operations (like chown, chmod to any mode/uid:gid). There are two
|
|
issues in pass-through security model
|
|
|
|
1) TOCTTOU vulnerability: Following symbolic links in the server could
|
|
provide access to files beyond 9p export path.
|
|
|
|
2) Running QEMU with root privilege could be a security issue.
|
|
|
|
To overcome above issues, following approach is used: A new filesytem
|
|
type 'proxy' is introduced. Proxy FS uses chroot + socket combination
|
|
for securing the vulnerability known with following symbolic links.
|
|
Intention of adding a new filesystem type is to allow qemu to run
|
|
in non-root mode, but doing privileged operations using socket IO.
|
|
|
|
Proxy helper(a stand alone binary part of qemu) is invoked with
|
|
root privileges. Proxy helper chroots into 9p export path and creates
|
|
a socket pair or a named socket based on the command line parameter.
|
|
Qemu and proxy helper communicate using this socket. QEMU proxy fs
|
|
driver sends filesystem request to proxy helper and receives the
|
|
response from it.
|
|
|
|
Proxy helper is designed so that it can drop the root privilege with
|
|
retaining capbilities needed for doing filesystem operations only.
|
|
|
|
@end table
|
|
@c man end
|
|
|
|
@c man begin OPTIONS
|
|
The following options are supported:
|
|
@table @option
|
|
@item -h
|
|
@findex -h
|
|
Display help and exit
|
|
@item -p|--path path
|
|
Path to export for proxy filesystem driver
|
|
@item -f|--fd socket-id
|
|
Use given file descriptor as socket descriptor for communicating with
|
|
qemu proxy fs drier. Usually a helper like libvirt will create
|
|
socketpair and pass one of the fds as parameter to -f|--fd
|
|
@item -s|--socket socket-file
|
|
Creates named socket file for communicating with qemu proxy fs driver
|
|
@item -u|--uid uid -g|--gid gid
|
|
uid:gid combination to give access to named socket file
|
|
@item -n|--nodaemon
|
|
Run as a normal program. By default program will run in daemon mode
|
|
@end table
|
|
@c man end
|
|
|
|
@setfilename virtfs-proxy-helper
|
|
@settitle QEMU 9p virtfs proxy filesystem helper
|
|
|
|
@c man begin AUTHOR
|
|
M. Mohan Kumar
|
|
@c man end
|