From: "M. Mohan Kumar"
Date: Wed, 14 Dec 2011 18:50:32 +0530
Message-Id: <1323868833-541-14-git-send-email-mohan@in.ibm.com>
In-Reply-To: <1323868833-541-1-git-send-email-mohan@in.ibm.com>
References: <1323868833-541-1-git-send-email-mohan@in.ibm.com>
Subject: [Qemu-devel] [PATCH V5 13/14] hw/9pfs: man page for proxy helper
To: qemu-devel@nongnu.org, aneesh.kumar@linux.vnet.ibm.com, stefanha@gmail.com
Cc: "M. Mohan Kumar"

From: "M. Mohan Kumar"

Signed-off-by: M. Mohan Kumar
--- Makefile | 12 +++++++- fsdev/virtfs-proxy-helper.texi | 59 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+), 1 deletions(-) create mode 100644 fsdev/virtfs-proxy-helper.texi diff --git a/Makefile b/Makefile index 0acad52..f5b3524 100644 --- a/Makefile +++ b/Makefile
@@ -38,6 +38,7 @@ LIBS+=-lz $(LIBS_TOOLS) ifdef BUILD_DOCS DOCS=qemu-doc.html qemu-tech.html qemu.1 qemu-img.1 qemu-nbd.8 QMP/qmp-commands.txt +DOCS+=fsdev/virtfs-proxy-helper.1 else DOCS= endif @@ -283,7 +284,10 @@ ifdef CONFIG_POSIX $(INSTALL_DIR) "$(DESTDIR)$(mandir)/man8" $(INSTALL_DATA) qemu-nbd.8 "$(DESTDIR)$(mandir)/man8" endif - +ifdef CONFIG_VIRTFS + $(INSTALL_DIR) "$(DESTDIR)$(mandir)/man1" + $(INSTALL_DATA) fsdev/virtfs-proxy-helper.1 "$(DESTDIR)$(mandir)/man1" +endif install-sysconfig: $(INSTALL_DIR) "$(DESTDIR)$(sysconfdir)/qemu" $(INSTALL_DATA) $(SRC_PATH)/sysconfigs/target/target-x86_64.conf "$(DESTDIR)$(sysconfdir)/qemu" @@ -367,6 +371,12 @@ qemu-img.1: qemu-img.texi qemu-img-cmds.texi pod2man --section=1 --center=" " --release=" " qemu-img.pod > $@, \ " GEN $@") +fsdev/virtfs-proxy-helper.1: fsdev/virtfs-proxy-helper.texi + $(call quiet-command, \ + perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< fsdev/virtfs-proxy-helper.pod && \ + pod2man --section=1 --center=" " --release=" " fsdev/virtfs-proxy-helper.pod > $@, \ + " GEN $@") + qemu-nbd.8: qemu-nbd.texi $(call quiet-command, \ perl -Ww -- $(SRC_PATH)/scripts/texi2pod.pl $< qemu-nbd.pod && \ diff --git a/fsdev/virtfs-proxy-helper.texi b/fsdev/virtfs-proxy-helper.texi new file mode 100644 index 0000000..3816382 --- /dev/null +++ b/fsdev/virtfs-proxy-helper.texi 
@@ -0,0 +1,59 @@ +@example +@c man begin SYNOPSIS +usage: virtfs-proxy-helper options +@c man end +@end example + +@c man begin DESCRIPTION +@table @description +Pass-through security model in QEMU 9p server needs root privilege to do +few file operations (like chown, chmod to any mode/uid:gid). There are two +issues in pass-through security model + +1) TOCTTOU vulnerability: Following symbolic links in the server could +provide access to files beyond 9p export path. + +2) Running QEMU with root privilege could be a security issue. + +To overcome above issues, following approach is used: A new filesytem +type 'proxy' is introduced. Proxy FS uses chroot + socket combination +for securing the vulnerability known with following symbolic links. +Intention of adding a new filesystem type is to allow qemu to run +in non-root mode, but doing privileged operations using socket IO. + +Proxy helper(a stand alone binary part of qemu) is invoked with +root privileges. Proxy helper chroots into 9p export path and creates +a socket pair or a named socket based on the command line parameter. +Qemu and proxy helper communicate using this socket. QEMU proxy fs +driver sends filesystem request to proxy helper and receives the +response from it. + +Proxy helper is designed so that it can drop the root privilege with +retaining capbilities needed for doing filesystem operations only. + +@end table +@c man end + +@c man begin OPTIONS +The following options are supported: +@table @option +@item -h +@findex -h +Display help and exit +@item -p|--path path +Path to export for proxy filesystem driver +@item -f|--fd socket-id +Use given file descriptor as socket descriptor for communicating with +qemu proxy fs drier. Usually a helper like libvirt will create +socketpair and pass one of the fds as parameter to -f|--fd +@item -n|--nodaemon +Run as a normal program. 
By default program will run in daemon mode +@end table +@c man end + +@setfilename virtfs-proxy-helper +@settitle QEMU 9p virtfs proxy filesystem helper + +@c man begin AUTHOR +M. Mohan Kumar +@c man end -- 1.7.6
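
Review bot: In the first Makefile hunk (@@ -38,6 +38,7), the man page is added to DOCS whenever BUILD_DOCS is set, but the install hunk only installs it under CONFIG_VIRTFS, so the two conditions disagree. A build without VirtFS still generates a page for a helper that is not shipped. Wrapping the `DOCS+=fsdev/virtfs-proxy-helper.1` line in `ifdef CONFIG_VIRTFS` would keep build and install consistent.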
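
Review bot: In the install hunk (@@ -283,7 +284,10), the new `ifdef CONFIG_VIRTFS` block replaces the blank line that separated the preceding recipe from `install-sysconfig:`, so the `endif` now runs straight into the next target. Please keep an empty line after the `endif`. Also confirm that this block sits under the same documentation guard as the qemu-nbd.8 lines above it. If it does not, a CONFIG_VIRTFS build without BUILD_DOCS has no fsdev/virtfs-proxy-helper.1 to install and `$(INSTALL_DATA)` fails.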
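
Review bot: In fsdev/virtfs-proxy-helper.texi, DESCRIPTION says the helper "creates a socket pair or a named socket based on the command line parameter", but OPTIONS documents only `-f|--fd` for a descriptor that is passed in. No option for the named socket is listed, so one of the two sections needs to change. Since this page is the operator-facing description of a root-privileged helper, it should also name the capabilities that are retained after dropping root, rather than saying only "capabilities needed for doing filesystem operations", so that an administrator can audit them. Smaller points: the DESCRIPTION paragraphs are wrapped in `@table @description` without any `@item`, where plain paragraphs would do; `-h` has no long form while the other options do; and there are typos to fix ("filesytem", "capbilities", "drier").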