diff --git a/Makefile b/Makefile index c665b7243255ed0f912291d37a5d556a99f59a26..9ce8768ce89069499da71791620904169dbb4cc3 100644 --- a/Makefile +++ b/Makefile @@ -38,6 +38,7 @@ LIBS+=-lz $(LIBS_TOOLS) ifdef BUILD_DOCS DOCS=qemu-doc.html qemu-tech.html qemu.1 qemu-img.1 qemu-nbd.8 QMP/qmp-commands.txt +DOCS+=fsdev/virtfs-proxy-helper.1 else DOCS= endif @@ -289,7 +290,10 @@ ifdef CONFIG_POSIX $(INSTALL_DIR) "$(DESTDIR)$(mandir)/man8" $(INSTALL_DATA) qemu-nbd.8 "$(DESTDIR)$(mandir)/man8" endif - +ifdef CONFIG_VIRTFS + $(INSTALL_DIR) "$(DESTDIR)$(mandir)/man1" + $(INSTALL_DATA) fsdev/virtfs-proxy-helper.1 "$(DESTDIR)$(mandir)/man1" +endif install-sysconfig: $(INSTALL_DIR) "$(DESTDIR)$(sysconfdir)/qemu" $(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(sysconfdir)/qemu" @@ -373,6 +377,12 @@ qemu-img.1: qemu-img.texi qemu-img-cmds.texi pod2man --section=1 --center=" " --release=" " qemu-img.pod > $@, \ " GEN $@") +fsdev/virtfs-proxy-helper.1: fsdev/virtfs-proxy-helper.texi + $(call quiet-command, \ + perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< fsdev/virtfs-proxy-helper.pod && \ + pod2man --section=1 --center=" " --release=" " fsdev/virtfs-proxy-helper.pod > $@, \ + " GEN $@") + qemu-nbd.8: qemu-nbd.texi $(call quiet-command, \ perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< qemu-nbd.pod && \ diff --git a/fsdev/virtfs-proxy-helper.texi b/fsdev/virtfs-proxy-helper.texi new file mode 100644 index 0000000000000000000000000000000000000000..3816382bb9501cd56c230221e9ed1435e5853c07 --- /dev/null +++ b/fsdev/virtfs-proxy-helper.texi @@ -0,0 +1,59 @@ +@example +@c man begin SYNOPSIS +usage: virtfs-proxy-helper options +@c man end +@end example + +@c man begin DESCRIPTION +@table @description +Pass-through security model in QEMU 9p server needs root privilege to do +few file operations (like chown, chmod to any mode/uid:gid). There are two +issues in pass-through security model + +1) TOCTTOU vulnerability: Following symbolic links in the server could +provide access to files beyond 9p export path. + +2) Running QEMU with root privilege could be a security issue. + +To overcome above issues, following approach is used: A new filesytem +type 'proxy' is introduced. Proxy FS uses chroot + socket combination +for securing the vulnerability known with following symbolic links. +Intention of adding a new filesystem type is to allow qemu to run +in non-root mode, but doing privileged operations using socket IO. + +Proxy helper(a stand alone binary part of qemu) is invoked with +root privileges. Proxy helper chroots into 9p export path and creates +a socket pair or a named socket based on the command line parameter. +Qemu and proxy helper communicate using this socket. QEMU proxy fs +driver sends filesystem request to proxy helper and receives the +response from it. + +Proxy helper is designed so that it can drop the root privilege with +retaining capbilities needed for doing filesystem operations only. + +@end table +@c man end + +@c man begin OPTIONS +The following options are supported: +@table @option +@item -h +@findex -h +Display help and exit +@item -p|--path path +Path to export for proxy filesystem driver +@item -f|--fd socket-id +Use given file descriptor as socket descriptor for communicating with +qemu proxy fs drier. Usually a helper like libvirt will create +socketpair and pass one of the fds as parameter to -f|--fd +@item -n|--nodaemon +Run as a normal program. By default program will run in daemon mode +@end table +@c man end + +@setfilename virtfs-proxy-helper +@settitle QEMU 9p virtfs proxy filesystem helper + +@c man begin AUTHOR +M. Mohan Kumar +@c man end