1VIRTFS-PROXY-HELPER(1) QEMU VIRTFS-PROXY-HELPER(1)
2
3
4
6 virtfs-proxy-helper - QEMU 9p virtfs proxy filesystem helper
7
9 virtfs-proxy-helper [OPTIONS]
10
12 NOTE: The 9p 'proxy' backend is deprecated (since QEMU 8.1) and will be
13 removed, along with this daemon, in a future version of QEMU!
14
15 Pass-through security model in QEMU 9p server needs root privilege to
16 do few file operations (like chown, chmod to any mode/uid:gid). There
17 are two issues in pass-through security model:
18
19 • TOCTTOU vulnerability: Following symbolic links in the server could
20 provide access to files beyond 9p export path.
21
22 • Running QEMU with root privilege could be a security issue.
23
24 To overcome above issues, following approach is used: A new filesystem
25 type 'proxy' is introduced. Proxy FS uses chroot + socket combination
26 for securing the vulnerability known with following symbolic links.
27 Intention of adding a new filesystem type is to allow qemu to run in
28 non-root mode, but doing privileged operations using socket IO.
29
30 Proxy helper (a stand alone binary part of qemu) is invoked with root
31 privileges. Proxy helper chroots into 9p export path and creates a
32 socket pair or a named socket based on the command line parameter.
33 QEMU and proxy helper communicate using this socket. QEMU proxy fs
34 driver sends filesystem request to proxy helper and receives the re‐
35 sponse from it.
36
37 The proxy helper is designed so that it can drop root privileges except
38 for the capabilities needed for doing filesystem operations.
39
41 The following options are supported:
42
43 -h Display help and exit
44
45 -p, --path PATH
46 Path to export for proxy filesystem driver
47
48 -f, --fd SOCKET_ID
49 Use given file descriptor as socket descriptor for communicating
50 with qemu proxy fs drier. Usually a helper like libvirt will
51 create socketpair and pass one of the fds as parameter to this
52 option.
53
54 -s, --socket SOCKET_FILE
55 Creates named socket file for communicating with qemu proxy fs
56 driver
57
58 -u, --uid UID
59 uid to give access to named socket file; used in combination
60 with -g.
61
62 -g, --gid GID
63 gid to give access to named socket file; used in combination
64 with -u.
65
66 -n, --nodaemon
67 Run as a normal program. By default program will run in daemon
68 mode
69
71 M. Mohan Kumar
72
74 2023, The QEMU Project Developers
75
76
77
78
798.1.3 Nov 28, 2023 VIRTFS-PROXY-HELPER(1)