.\" Automatically generated by Pod::Man 2.28 (Pod::Simple 3.28)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" Set up some character translations and predefined strings.  \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
.\" double quote, and \*(R" will give a right double quote.  \*(C+ will
.\" give a nicer C++.  Capital omega is used to do unbreakable dashes and
.\" therefore won't be available.  \*(C` and \*(C' expand to `' in nroff,
.\" nothing in troff, for use with C<>.
.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
.    ds -- \(*W-
.    ds PI pi
.    if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
.    if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
.    ds L" ""
.    ds R" ""
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds -- \|\(em\|
.    ds PI \(*p
.    ds L" ``
.    ds R" ''
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{
.    if \nF \{
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "VIRTFS-PROXY-HELPER 1"
.TH VIRTFS-PROXY-HELPER 1 "2017-03-06" " " " "
.\" For nroff, turn off justification.
.\" Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH "NAME"
virtfs\-proxy\-helper \- QEMU 9p virtfs proxy filesystem helper
.SH "SYNOPSIS"
.IX Header "SYNOPSIS"
\&\fBvirtfs-proxy-helper\fR \fIoptions\fR
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
.RS 4
The pass-through security model in the \s-1QEMU\s0 9p server needs root
privilege to do a few file operations (like chown, chmod to any mode/uid:gid).
There are two issues in the pass-through security model:
.Sp
1) \s-1TOCTTOU\s0 vulnerability: Following symbolic links in the server could
provide access to files beyond the 9p export path.
.Sp
2) Running \s-1QEMU\s0 with root privilege could be a security issue.
.Sp
To overcome the above issues, the following approach is used: A new filesystem
type 'proxy' is introduced. Proxy \s-1FS\s0 uses a chroot + socket combination
to close the vulnerability known from following symbolic links. The intention
of adding a new filesystem type is to allow qemu to run in non-root mode while
still doing privileged operations using socket \s-1IO.\s0
.Sp
The proxy helper (a stand-alone binary that is part of qemu) is invoked with
root privileges. The proxy helper chroots into the 9p export path and creates
a socket pair or a named socket, depending on the command line parameter.
\&\s-1QEMU\s0 and the proxy helper communicate using this socket. The
\s-1QEMU\s0 proxy fs driver sends filesystem requests to the proxy helper and
receives the responses from it.
.Sp
The proxy helper is designed so that it can drop root privileges except for
the capabilities needed for doing filesystem operations.
.RE
.SH "OPTIONS"
.IX Header "OPTIONS"
The following options are supported:
.IP "\fB\-h\fR" 4
.IX Item "-h"
Display help and exit.
.IP "\fB\-p|\-\-path path\fR" 4
.IX Item "-p|--path path"
Path to export for the proxy filesystem driver.
.IP "\fB\-f|\-\-fd socket-id\fR" 4
.IX Item "-f|--fd socket-id"
Use the given file descriptor as the socket descriptor for communicating with
the qemu proxy fs driver.
Usually a helper like libvirt will create a socketpair and pass one of the fds
as the parameter to \-f|\-\-fd.
.IP "\fB\-s|\-\-socket socket-file\fR" 4
.IX Item "-s|--socket socket-file"
Creates a named socket file for communicating with the qemu proxy fs driver.
.IP "\fB\-u|\-\-uid uid \-g|\-\-gid gid\fR" 4
.IX Item "-u|--uid uid -g|--gid gid"
uid:gid combination to give access to the named socket file.
.IP "\fB\-n|\-\-nodaemon\fR" 4
.IX Item "-n|--nodaemon"
Run as a normal program. By default the program will run in daemon mode.
.SH "AUTHOR"
.IX Header "AUTHOR"
M. Mohan Kumar
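.SH "EXAMPLE"
The symbolic-link escape named in item 1 of DESCRIPTION, as an added example that is not QEMU code and not the proxy helper's method (the helper confines itself with chroot): a server that cannot chroot has to walk the guest-supplied path one component at a time with openat() and O_NOFOLLOW. The name open_beneath and its error codes are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration, not QEMU code; open_beneath() is a hypothetical name.
 * Opens relpath under export_root without following any symbolic link: each
 * component is opened relative to the directory fd from the previous step,
 * so nothing can be swapped between a check and the open.
 * flags must not contain O_CREAT (no mode argument is passed).
 * Returns an fd, or -1 with errno set (ELOOP or ENOTDIR for a symlink). */
int open_beneath(const char *export_root, const char *relpath, int flags)
{
    char buf[PATH_MAX], *save = NULL, *comp, *next;
    int dirfd, fd, err;
    if (strlen(relpath) >= sizeof(buf)) {
        errno = ENAMETOOLONG;
        return -1;
    }
    strcpy(buf, relpath);
    dirfd = open(export_root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dirfd < 0)
        return -1;
    comp = strtok_r(buf, "/", &save);
    if (comp == NULL)
        return dirfd;           /* empty path: the export root itself */
    for (;;) {
        next = strtok_r(NULL, "/", &save);
        if (strcmp(comp, "..") == 0) {
            fd = -1;            /* never step above the export root */
            err = EACCES;
        } else {
            /* Intermediate components must be real directories. */
            fd = openat(dirfd, comp, O_NOFOLLOW | O_CLOEXEC |
                        (next ? O_RDONLY | O_DIRECTORY : flags));
            err = errno;
        }
        close(dirfd);
        if (fd < 0 || next == NULL) {
            errno = err;
            return fd;
        }
        dirfd = fd;
        comp = next;
    }
}
```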