Re: [Qemu-devel] [PATCH V2 00/12] Proxy FS driver for VirtFS

["M. Mohan Kumar" <mohan@in.ibm.com>]

Changes from previous version:

1) Communication between qemu and helper process is similar to 9p way of 
packing
elements (pdu marshaling).

M. Mohan Kumar wrote:
> Pass-through security model in QEMU 9p server needs root privilege to do
> few file operations (like chown, chmod to any mode/uid:gid).  There are two
> issues in pass-through security model
>
> 1) TOCTTOU vulnerability: Following symbolic links in the server could
> provide access to files beyond 9p export path.
>
> 2) Running QEMU with root privilege could be a security issue.
>
> To overcome above issues, following approach is used: A new filesytem
> type 'proxy' is introduced. Proxy FS uses chroot + socket combination
> for securing the vulnerability known with following symbolic links.
> Intention of adding a new filesystem type is to allow qemu to run
> in non-root mode, but doing privileged operations using socket IO.
>
> Proxy helper(a stand alone binary part of qemu) is invoked with
> root privileges. Proxy helper chroots into 9p export path and creates
> a socket pair or a named socket based on the command line parameter.
> Qemu and proxy helper communicate using this socket. QEMU proxy fs
> driver sends filesystem request to proxy helper and receives the
> response from it.
>
> Proxy helper is designed so that it can drop the root privilege but
> retaining capbilities that are needed for doing filesystem operations
> (like CAP_DAC_OVERRIDE, CAP_FOWNER etc)
>
> M. Mohan Kumar (12):
>    hw/9pfs: Move pdu_marshal/unmarshal code to a seperate file
>    hw/9pfs: Add new proxy filesystem driver
>    hw/9pfs: File system helper process for qemu 9p proxy FS
>    hw/9pfs: Open and create files
>    hw/9pfs: Create other filesystem objects
>    hw/9pfs: Add stat/readlink/statfs for proxy FS
>    hw/9pfs: File ownership and others
>    hw/9pfs: xattr interfaces in proxy filesystem driver
>    hw/9pfs: Proxy getversion
>    hw/9pfs: Documentation changes related to proxy fs
>    hw/9pfs: man page for proxy helper
>    hw/9pfs: Add support to use named socket for proxy FS
>
>   Makefile                       |   15 +-
>   Makefile.objs                  |    4 +-
>   configure                      |   19 +
>   fsdev/file-op-9p.h             |    3 +-
>   fsdev/qemu-fsdev.c             |    1 +
>   fsdev/qemu-fsdev.h             |    1 +
>   fsdev/virtfs-proxy-helper.c    |  947 +++++++++++++++++++++++++++++++++
>   fsdev/virtfs-proxy-helper.texi |   63 +++
>   fsdev/virtio-9p-marshal.c      |  338 ++++++++++++
>   fsdev/virtio-9p-marshal.h      |   87 +++
>   hw/9pfs/virtio-9p-proxy.c      | 1123 ++++++++++++++++++++++++++++++++++++++++
>   hw/9pfs/virtio-9p-proxy.h      |   80 +++
>   hw/9pfs/virtio-9p.c            |  297 +-----------
>   hw/9pfs/virtio-9p.h            |   85 +---
>   qemu-config.c                  |   13 +
>   qemu-options.hx                |   32 +-
>   vl.c                           |   10 +-
>   17 files changed, 2736 insertions(+), 382 deletions(-)
>   create mode 100644 fsdev/virtfs-proxy-helper.c
>   create mode 100644 fsdev/virtfs-proxy-helper.texi
>   create mode 100644 fsdev/virtio-9p-marshal.c
>   create mode 100644 fsdev/virtio-9p-marshal.h
>   create mode 100644 hw/9pfs/virtio-9p-proxy.c
>   create mode 100644 hw/9pfs/virtio-9p-proxy.h
>
>