virtfs-proxy-helper – QEMU 9p virtfs proxy filesystem helper
usage: virtfs-proxy-helper options
Pass-through security model in QEMU 9p server needs root privilege
to do few file operations (like chown, chmod to any mode/uid:gid).
There are two issues in pass-through security model
1) TOCTTOU vulnerability: Following symbolic links in the server
could provide access to files beyond 9p export path.
2) Running QEMU with root privilege could be a security issue.
To overcome above issues, following approach is used: A new
filesytem type ‘proxy’ is introduced. Proxy FS uses chroot + socket
combination for securing the vulnerability known with following
symbolic links. Intention of adding a new filesystem type is to
allow qemu to run in non-root mode, but doing privileged operations
using socket IO.
Proxy helper(a stand alone binary part of qemu) is invoked with
root privileges. Proxy helper chroots into 9p export path and
creates a socket pair or a named socket based on the command line
parameter. QEMU and proxy helper communicate using this socket.
QEMU proxy fs driver sends filesystem request to proxy helper and
receives the response from it.
Proxy helper is designed so that it can drop the root privilege
with retaining capbilities needed for doing filesystem operations
The following options are supported:
-h Display help and exit
Path to export for proxy filesystem driver
Use given file descriptor as socket descriptor for communicating
with qemu proxy fs drier. Usually a helper like libvirt will create
socketpair and pass one of the fds as parameter to -f|–fd
Creates named socket file for communicating with qemu proxy fs
-u|–uid uid -g|–gid gid
uid:gid combination to give access to named socket file
Run as a normal program. By default program will run in daemon mode
M. Mohan Kumar