summaryrefslogtreecommitdiffstats
path: root/docs/interop/virtfs-proxy-helper.rst
diff options
context:
space:
mode:
authorPeter Maydell2020-01-24 17:26:06 +0100
committerPeter Maydell2020-02-03 12:02:23 +0100
commit78813586b04e89639754cfdcef23802dc9f54ff4 (patch)
treea769e4396e5fcc4134965b3774bb27d5227942ed /docs/interop/virtfs-proxy-helper.rst
parentscripts/qemu-trace-stap: Convert documentation to rST (diff)
downloadqemu-78813586b04e89639754cfdcef23802dc9f54ff4.tar.gz
qemu-78813586b04e89639754cfdcef23802dc9f54ff4.tar.xz
qemu-78813586b04e89639754cfdcef23802dc9f54ff4.zip
virtfs-proxy-helper: Convert documentation to rST
The virtfs-proxy-helper documentation is currently in fsdev/qemu-trace-stap.texi in Texinfo format, which we present to the user as: * a virtfs-proxy-helper manpage * but not (unusually for QEMU) part of the HTML docs Convert the documentation to rST format that lives in the docs/ subdirectory, and present it to the user as: * a virtfs-proxy-helper manpage * part of the interop/ Sphinx manual There are minor formatting changes to suit Sphinx, but no content changes. In particular I've split the -u and -g options into each having their own description text. Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Acked-by: Greg Kurz <groug@kaod.org> Message-id: 20200124162606.8787-9-peter.maydell@linaro.org
Diffstat (limited to 'docs/interop/virtfs-proxy-helper.rst')
-rw-r--r--docs/interop/virtfs-proxy-helper.rst72
1 files changed, 72 insertions, 0 deletions
diff --git a/docs/interop/virtfs-proxy-helper.rst b/docs/interop/virtfs-proxy-helper.rst
new file mode 100644
index 0000000000..6cdeedf8e9
--- /dev/null
+++ b/docs/interop/virtfs-proxy-helper.rst
@@ -0,0 +1,72 @@
+QEMU 9p virtfs proxy filesystem helper
+======================================
+
+Synopsis
+--------
+
+**virtfs-proxy-helper** [*OPTIONS*]
+
+Description
+-----------
+
+Pass-through security model in QEMU 9p server needs root privilege to do
+few file operations (like chown, chmod to any mode/uid:gid). There are two
+issues in pass-through security model:
+
+- TOCTTOU vulnerability: Following symbolic links in the server could
+ provide access to files beyond 9p export path.
+
+- Running QEMU with root privilege could be a security issue.
+
+To overcome above issues, following approach is used: A new filesystem
+type 'proxy' is introduced. Proxy FS uses chroot + socket combination
+for securing the vulnerability known with following symbolic links.
+Intention of adding a new filesystem type is to allow qemu to run
+in non-root mode, but doing privileged operations using socket IO.
+
+Proxy helper (a stand alone binary part of qemu) is invoked with
+root privileges. Proxy helper chroots into 9p export path and creates
+a socket pair or a named socket based on the command line parameter.
+QEMU and proxy helper communicate using this socket. QEMU proxy fs
+driver sends filesystem request to proxy helper and receives the
+response from it.
+
+The proxy helper is designed so that it can drop root privileges except
+for the capabilities needed for doing filesystem operations.
+
+Options
+-------
+
+The following options are supported:
+
+.. program:: virtfs-proxy-helper
+
+.. option:: -h
+
+ Display help and exit
+
+.. option:: -p, --path PATH
+
+ Path to export for proxy filesystem driver
+
+.. option:: -f, --fd SOCKET_ID
+
+ Use given file descriptor as socket descriptor for communicating with
+ qemu proxy fs drier. Usually a helper like libvirt will create
+ socketpair and pass one of the fds as parameter to this option.
+
+.. option:: -s, --socket SOCKET_FILE
+
+ Creates named socket file for communicating with qemu proxy fs driver
+
+.. option:: -u, --uid UID
+
+ uid to give access to named socket file; used in combination with -g.
+
+.. option:: -g, --gid GID
+
+ gid to give access to named socket file; used in combination with -u.
+
+.. option:: -n, --nodaemon
+
+ Run as a normal program. By default program will run in daemon mode