One Hat Cyber Team
Your IP :
216.73.216.216
Server IP :
194.44.31.54
Server :
Linux zen.imath.kiev.ua 4.18.0-553.77.1.el8_10.x86_64 #1 SMP Fri Oct 3 14:30:23 UTC 2025 x86_64
Server Software :
Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k
PHP Version :
5.6.40
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
usr
/
share
/
doc
/
qemu-kvm
/
tools
/
View File Name :
virtfs-proxy-helper.html
<!DOCTYPE html> <!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]--> <!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]--> <head> <meta charset="utf-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>QEMU 9p virtfs proxy filesystem helper — QEMU qemu-kvm-6.2.0-53.module+el8.10.0+2055+8eb7870b.4 documentation</title> <link rel="shortcut icon" href="../_static/qemu_32x32.png"/> <link rel="stylesheet" href="../_static/css/theme.css" type="text/css" /> <link rel="stylesheet" href="../_static/pygments.css" type="text/css" /> <link rel="index" title="Index" href="../genindex.html" /> <link rel="search" title="Search" href="../search.html" /> <link rel="next" title="QEMU virtio-fs shared file system daemon" href="virtiofsd.html" /> <link rel="prev" title="QEMU SystemTap trace tool" href="qemu-trace-stap.html" /> <script src="../_static/js/modernizr.min.js"></script> </head> <body class="wy-body-for-nav"> <div class="wy-grid-for-nav"> <nav data-toggle="wy-nav-shift" class="wy-nav-side"> <div class="wy-side-scroll"> <div class="wy-side-nav-search"> <a href="../index.html" class="icon icon-home"> QEMU <img src="../_static/qemu_128x128.png" class="logo" alt="Logo"/> </a> <div class="version"> 6.2.0 </div> <div role="search"> <form id="rtd-search-form" class="wy-form" action="../search.html" method="get"> <input type="text" name="q" placeholder="Search docs" /> <input type="hidden" name="check_keywords" value="yes" /> <input type="hidden" name="area" value="default" /> </form> </div> </div> <div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation"> <p class="caption"><span class="caption-text">Contents:</span></p> <ul class="current"> <li class="toctree-l1"><a class="reference internal" href="../about/index.html">About QEMU</a></li> <li class="toctree-l1"><a class="reference internal" href="../system/index.html">System Emulation</a></li> <li class="toctree-l1"><a class="reference internal" href="../user/index.html">User Mode Emulation</a></li> <li class="toctree-l1 current"><a class="reference internal" href="index.html">Tools</a><ul class="current"> <li class="toctree-l2"><a class="reference internal" href="qemu-img.html">QEMU disk image utility</a></li> <li class="toctree-l2"><a class="reference internal" href="qemu-storage-daemon.html">QEMU Storage Daemon</a></li> <li class="toctree-l2"><a class="reference internal" href="qemu-nbd.html">QEMU Disk Network Block Device Server</a></li> <li class="toctree-l2"><a class="reference internal" href="qemu-pr-helper.html">QEMU persistent reservation helper</a></li> <li class="toctree-l2"><a class="reference internal" href="qemu-trace-stap.html">QEMU SystemTap trace tool</a></li> <li class="toctree-l2 current"><a class="current reference internal" href="#">QEMU 9p virtfs proxy filesystem helper</a><ul> <li class="toctree-l3"><a class="reference internal" href="#synopsis">Synopsis</a></li> <li class="toctree-l3"><a class="reference internal" href="#description">Description</a></li> <li class="toctree-l3"><a class="reference internal" href="#options">Options</a></li> </ul> </li> <li class="toctree-l2"><a class="reference internal" href="virtiofsd.html">QEMU virtio-fs shared file system daemon</a></li> </ul> </li> <li class="toctree-l1"><a class="reference internal" href="../interop/index.html">System Emulation Management and Interoperability</a></li> <li class="toctree-l1"><a class="reference internal" href="../specs/index.html">System Emulation Guest Hardware Specifications</a></li> <li class="toctree-l1"><a class="reference internal" href="../devel/index.html">Developer Information</a></li> </ul> </div> </div> </nav> <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap"> <nav class="wy-nav-top" aria-label="top navigation"> <i data-toggle="wy-nav-top" class="fa fa-bars"></i> <a href="../index.html">QEMU</a> </nav> <div class="wy-nav-content"> <div class="rst-content"> <div role="navigation" aria-label="breadcrumbs navigation"> <ul class="wy-breadcrumbs"> <li><a href="../index.html">Docs</a> »</li> <li><a href="index.html">Tools</a> »</li> <li>QEMU 9p virtfs proxy filesystem helper</li> <li class="wy-breadcrumbs-aside"> <a href="https://gitlab.com/qemu-project/qemu/blob/master/docs/tools/virtfs-proxy-helper.rst" class="fa fa-gitlab"> Edit on GitLab</a> </li> </ul> <hr/> </div> <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article"> <div itemprop="articleBody"> <div class="section" id="qemu-9p-virtfs-proxy-filesystem-helper"> <h1>QEMU 9p virtfs proxy filesystem helper<a class="headerlink" href="#qemu-9p-virtfs-proxy-filesystem-helper" title="Permalink to this headline">¶</a></h1> <div class="section" id="synopsis"> <h2>Synopsis<a class="headerlink" href="#synopsis" title="Permalink to this headline">¶</a></h2> <p><strong>virtfs-proxy-helper</strong> [<em>OPTIONS</em>]</p> </div> <div class="section" id="description"> <h2>Description<a class="headerlink" href="#description" title="Permalink to this headline">¶</a></h2> <p>Pass-through security model in QEMU 9p server needs root privilege to do few file operations (like chown, chmod to any mode/uid:gid). There are two issues in pass-through security model:</p> <ul class="simple"> <li>TOCTTOU vulnerability: Following symbolic links in the server could provide access to files beyond 9p export path.</li> <li>Running QEMU with root privilege could be a security issue.</li> </ul> <p>To overcome above issues, following approach is used: A new filesystem type ‘proxy’ is introduced. Proxy FS uses chroot + socket combination for securing the vulnerability known with following symbolic links. Intention of adding a new filesystem type is to allow qemu to run in non-root mode, but doing privileged operations using socket IO.</p> <p>Proxy helper (a stand alone binary part of qemu) is invoked with root privileges. Proxy helper chroots into 9p export path and creates a socket pair or a named socket based on the command line parameter. QEMU and proxy helper communicate using this socket. QEMU proxy fs driver sends filesystem request to proxy helper and receives the response from it.</p> <p>The proxy helper is designed so that it can drop root privileges except for the capabilities needed for doing filesystem operations.</p> </div> <div class="section" id="options"> <h2>Options<a class="headerlink" href="#options" title="Permalink to this headline">¶</a></h2> <p>The following options are supported:</p> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-h"> <code class="descname">-h</code><code class="descclassname"></code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-h" title="Permalink to this definition">¶</a></dt> <dd><p>Display help and exit</p> </dd></dl> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-p"> <code class="descname">-p</code><code class="descclassname"></code><code class="descclassname">, </code><code class="descname">--path</code><code class="descclassname"> PATH</code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-p" title="Permalink to this definition">¶</a></dt> <dd><p>Path to export for proxy filesystem driver</p> </dd></dl> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-f"> <code class="descname">-f</code><code class="descclassname"></code><code class="descclassname">, </code><code class="descname">--fd</code><code class="descclassname"> SOCKET_ID</code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-f" title="Permalink to this definition">¶</a></dt> <dd><p>Use given file descriptor as socket descriptor for communicating with qemu proxy fs drier. Usually a helper like libvirt will create socketpair and pass one of the fds as parameter to this option.</p> </dd></dl> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-s"> <code class="descname">-s</code><code class="descclassname"></code><code class="descclassname">, </code><code class="descname">--socket</code><code class="descclassname"> SOCKET_FILE</code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-s" title="Permalink to this definition">¶</a></dt> <dd><p>Creates named socket file for communicating with qemu proxy fs driver</p> </dd></dl> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-u"> <code class="descname">-u</code><code class="descclassname"></code><code class="descclassname">, </code><code class="descname">--uid</code><code class="descclassname"> UID</code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-u" title="Permalink to this definition">¶</a></dt> <dd><p>uid to give access to named socket file; used in combination with -g.</p> </dd></dl> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-g"> <code class="descname">-g</code><code class="descclassname"></code><code class="descclassname">, </code><code class="descname">--gid</code><code class="descclassname"> GID</code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-g" title="Permalink to this definition">¶</a></dt> <dd><p>gid to give access to named socket file; used in combination with -u.</p> </dd></dl> <dl class="option"> <dt id="cmdoption-virtfs-proxy-helper-n"> <code class="descname">-n</code><code class="descclassname"></code><code class="descclassname">, </code><code class="descname">--nodaemon</code><code class="descclassname"></code><a class="headerlink" href="#cmdoption-virtfs-proxy-helper-n" title="Permalink to this definition">¶</a></dt> <dd><p>Run as a normal program. By default program will run in daemon mode</p> </dd></dl> </div> </div> </div> </div> <footer> <div class="rst-footer-buttons" role="navigation" aria-label="footer navigation"> <a href="virtiofsd.html" class="btn btn-neutral float-right" title="QEMU virtio-fs shared file system daemon" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a> <a href="qemu-trace-stap.html" class="btn btn-neutral" title="QEMU SystemTap trace tool" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a> </div> <hr/> <div role="contentinfo"> <p> © Copyright 2021, The QEMU Project Developers. </p> </div> Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>. <!-- Empty para to force a blank line after "Built with Sphinx ..." --> <p></p> <p>This documentation is for QEMU version 6.2.0.</p> <p><a href="../about/license.html">QEMU and this manual are released under the GNU General Public License, version 2.</a></p> </footer> </div> </div> </section> </div> <script type="text/javascript"> var DOCUMENTATION_OPTIONS = { URL_ROOT:'../', VERSION:'qemu-kvm-6.2.0-53.module+el8.10.0+2055+8eb7870b.4', LANGUAGE:'None', COLLAPSE_INDEX:false, FILE_SUFFIX:'.html', HAS_SOURCE: false, SOURCELINK_SUFFIX: '.txt' }; </script> <script type="text/javascript" src="../_static/jquery.js"></script> <script type="text/javascript" src="../_static/underscore.js"></script> <script type="text/javascript" src="../_static/doctools.js"></script> <script type="text/javascript" src="../_static/js/theme.js"></script> <script type="text/javascript"> jQuery(function () { SphinxRtdTheme.Navigation.enable(true); }); </script> </body> </html>