[libvirt] [RFC] Adding new filesystem 'proxy' to 9p

M. Mohan Kumar mohan at in.ibm.com
Wed Sep 28 14:19:34 UTC 2011

The pass-through security model in the QEMU 9p server needs root privilege to do a
few file operations (like chown, chmod to any mode/uid:gid).  There are two issues
in the pass-through security model:

1) TOCTTOU vulnerability: Following symbolic links in the server could
provide access to files beyond the 9p export path.

2) When libvirt is configured to run qemu as a non-root user (for example, if
qemu is configured to run as the normal user 'qemu'), running file operations
under the pass-through security model would fail because they need root privileges.

To overcome the above issues, the following approach is suggested: a new filesystem
type 'proxy' is introduced. Proxy FS uses a chroot + socket combination to guard
against the vulnerability associated with following symbolic links. The intention of
adding a new filesystem type is to allow qemu to run in non-root mode while
doing the privileged operations using socket IO.

A new binary (known as the proxy helper) will be provided as part of qemu. The proxy
helper will chroot into the 9p export path and create a socket pair or a named
socket, based on the command line parameter. Qemu and the proxy helper will
communicate using this socket.

We need the following changes in the libvirt code to accommodate the new 'proxy'
filesystem type:
If the qemu 9p server is configured to use the 'proxy' FS, libvirt will:
* create a socket pair
* invoke the proxy_helper binary, with root privilege, passing one of the socket
fds from the pair to it as a command line parameter
* invoke qemu, after dropping to the configured user privilege, with one of the
socket fds from the pair as a parameter to qemu virtfs.
i.e., libvirt will invoke proxy_helper as:
    proxy_helper -i <socket_fd_from_socket_pair> -p <9p-path-to-export>

and qemu will be invoked with the following virtfs parameter:
    -virtfs proxy,id=<id>,sock_fd=<socket_fd_from_socket_pair>

People who want to use proxy_helper without libvirt can use the following:
 $   proxy_helper -s </socket/path> -p <9p-path-to-export>

with the following qemu fsdev parameter:
    -virtfs proxy,id=<id>,socket=</socket/path>,path=/tmp/,

M. Mohan Kumar
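The split proposed above, modelled as an added Python example (this is not code from the post, from QEMU, or from libvirt): a parent playing libvirt's role creates a socketpair, forks a helper child that confines itself to the export path and answers file requests, and keeps the other end for an unprivileged client playing qemu's role. The JSON-line request format, the function names and the sample directory tree are assumptions made for the illustration only, not the proxy helper's real wire protocol. When run as root the helper does chroot into the export path as the proposal describes; when run unprivileged it cannot, so it falls back to resolving paths component by component with O_NOFOLLOW and rejecting "..", which is a different (added) confinement technique that keeps the demo runnable.

```python
"""Model of a privileged file helper talking to an unprivileged client over a
socketpair. Added illustration; JSON line protocol is an assumption."""
import json
import os
import shutil
import socket
import stat
import tempfile


def _walk(root_fd, rel_path):
    """Resolve rel_path under root_fd one directory at a time, refusing ".."
    and never following symlinks. Returns (parent_dir_fd, leaf_name)."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("refusing path %r" % rel_path)
    cur = os.dup(root_fd)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=cur)
            os.close(cur)
            cur = nxt
    except BaseException:
        os.close(cur)
        raise
    return cur, parts[-1]


def _handle(root_fd, req):
    """Perform one request relative to the confined root directory."""
    parent, leaf = _walk(root_fd, req["path"])
    try:
        if req["op"] == "read":
            fd = os.open(leaf, os.O_RDONLY | os.O_NOFOLLOW, dir_fd=parent)
            with os.fdopen(fd, "rb") as f:
                return f.read().decode("utf-8", "replace")
        if req["op"] == "stat":
            st = os.stat(leaf, dir_fd=parent, follow_symlinks=False)
            return {"mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                    "gid": st.st_gid, "symlink": stat.S_ISLNK(st.st_mode)}
        if req["op"] == "chown":  # the kind of call that needs root: helper's job
            os.chown(leaf, req["uid"], req["gid"], dir_fd=parent, follow_symlinks=False)
            return True
        raise ValueError("unknown op %r" % req["op"])
    finally:
        os.close(parent)


def serve(conn, export_path):
    """Helper side: confine to export_path, then answer requests until EOF."""
    rf = conn.makefile("r", encoding="utf-8")
    wf = conn.makefile("w", encoding="utf-8")
    if os.geteuid() == 0:
        os.chroot(export_path)  # confinement as in the proposal (root only)
        os.chdir("/")
        root_fd = os.open("/", os.O_RDONLY | os.O_DIRECTORY)
    else:
        # Assumption for unprivileged runs: no chroot; confinement comes only
        # from _walk() refusing ".." and symlinked path components.
        root_fd = os.open(export_path, os.O_RDONLY | os.O_DIRECTORY)
    for line in rf:
        try:
            resp = {"ok": True, "data": _handle(root_fd, json.loads(line))}
        except Exception as exc:  # a bad request must not kill the helper
            resp = {"ok": False, "error": "%s: %s" % (type(exc).__name__, exc)}
        wf.write(json.dumps(resp) + "\n")
        wf.flush()


class ProxyClient:
    """Unprivileged side (qemu's role): only ever talks to the socket."""
    def __init__(self, conn):
        self.conn = conn
        self.rf = conn.makefile("r", encoding="utf-8")
        self.wf = conn.makefile("w", encoding="utf-8")

    def call(self, op, path, **extra):
        self.wf.write(json.dumps(dict(extra, op=op, path=path)) + "\n")
        self.wf.flush()
        line = self.rf.readline()
        if not line:
            raise OSError("helper went away")
        resp = json.loads(line)
        if not resp["ok"]:
            raise OSError(resp["error"])
        return resp["data"]

    def close(self):
        self.wf.close(); self.rf.close(); self.conn.close()


def start_helper(export_path):
    """libvirt's role: create the socketpair, give one end to the helper child,
    keep the other for the client. Returns (client, helper_pid)."""
    helper_end, client_end = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    pid = os.fork()
    if pid == 0:
        client_end.close()
        try:
            serve(helper_end, export_path)
        finally:
            os._exit(0)
    helper_end.close()
    return ProxyClient(client_end), pid


def demo():
    """Constructed tree: export/hello.txt plus two symlinks that point outside
    the export. Returns what the client observes for each request."""
    base = tempfile.mkdtemp()
    export, outside = os.path.join(base, "export"), os.path.join(base, "outside")
    os.mkdir(export); os.mkdir(outside)
    with open(os.path.join(export, "hello.txt"), "w") as f: f.write("hi")
    with open(os.path.join(outside, "secret.txt"), "w") as f: f.write("leak")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(export, "escape"))
    os.symlink(outside, os.path.join(export, "outdir"))
    client, pid = start_helper(export)
    out = {}
    for path in ("hello.txt", "escape", "outdir/secret.txt", "../outside/secret.txt"):
        try:
            out[path] = client.call("read", path)
        except OSError:
            out[path] = "denied"
    out["escape_is_symlink"] = client.call("stat", "escape")["symlink"]
    client.close()
    os.waitpid(pid, 0)
    shutil.rmtree(base)
    return out


if __name__ == "__main__":
    print(demo())
```

The point to take from the run is the shape of the trust boundary, not the toy protocol: the client never opens a file itself, every path is resolved inside the confined helper, and a request that would follow a link out of the export is answered with an error instead of data. A real helper would also need to validate request sizes and fields, and to run the helper end under a dedicated uid rather than full root where the operations allow it.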
