author: RajithaY <rajithax.yerrumsetty@intel.com> 2017-04-25 03:31:15 -0700
committer: Rajitha Yerrumchetty <rajithax.yerrumsetty@intel.com> 2017-05-22 06:48:08 +0000
commit: bb756eebdac6fd24e8919e2c43f7d2c8c4091f59
tree: ca11e03542edf2d8f631efeca5e1626d211107e3 /qemu/fsdev/virtfs-proxy-helper.texi
parent: a14b48d18a9ed03ec191cf16b162206998a895ce
Adding qemu as a submodule of KVMFORNFV
This patch includes the changes to add qemu as a submodule to the kvmfornfv repo and make use of the updated latest qemu for the execution of all test cases.

Change-Id: I1280af507a857675c7f81d30c95255635667bdd7
Signed-off-by: RajithaY <rajithax.yerrumsetty@intel.com>
Diffstat (limited to 'qemu/fsdev/virtfs-proxy-helper.texi')
-rw-r--r-- qemu/fsdev/virtfs-proxy-helper.texi 63
1 files changed, 0 insertions, 63 deletions
diff --git a/qemu/fsdev/virtfs-proxy-helper.texi b/qemu/fsdev/virtfs-proxy-helper.texi
deleted file mode 100644
index 6eb2d5096..000000000
--- a/qemu/fsdev/virtfs-proxy-helper.texi
+++ /dev/null
@@ -1,63 +0,0 @@
-@example
-@c man begin SYNOPSIS
-@command{virtfs-proxy-helper} @var{options}
-@c man end
-@end example
-
-@c man begin DESCRIPTION
-@table @description
-Pass-through security model in QEMU 9p server needs root privilege to do
-few file operations (like chown, chmod to any mode/uid:gid). There are two
-issues in pass-through security model
-
-1) TOCTTOU vulnerability: Following symbolic links in the server could
-provide access to files beyond 9p export path.
-
-2) Running QEMU with root privilege could be a security issue.
-
-To overcome above issues, following approach is used: A new filesytem
-type 'proxy' is introduced. Proxy FS uses chroot + socket combination
-for securing the vulnerability known with following symbolic links.
-Intention of adding a new filesystem type is to allow qemu to run
-in non-root mode, but doing privileged operations using socket IO.
-
-Proxy helper(a stand alone binary part of qemu) is invoked with
-root privileges. Proxy helper chroots into 9p export path and creates
-a socket pair or a named socket based on the command line parameter.
-QEMU and proxy helper communicate using this socket. QEMU proxy fs
-driver sends filesystem request to proxy helper and receives the
-response from it.
-
-The proxy helper is designed so that it can drop root privileges except
-for the capabilities needed for doing filesystem operations.
-
-@end table
-@c man end
-
-@c man begin OPTIONS
-The following options are supported:
-@table @option
-@item -h
-@findex -h
-Display help and exit
-@item -p|--path path
-Path to export for proxy filesystem driver
-@item -f|--fd socket-id
-Use given file descriptor as socket descriptor for communicating with
-qemu proxy fs drier. Usually a helper like libvirt will create
-socketpair and pass one of the fds as parameter to -f|--fd
-@item -s|--socket socket-file
-Creates named socket file for communicating with qemu proxy fs driver
-@item -u|--uid uid -g|--gid gid
-uid:gid combination to give access to named socket file
-@item -n|--nodaemon
-Run as a normal program. By default program will run in daemon mode
-@end table
-@c man end
-
-@setfilename virtfs-proxy-helper
-@settitle QEMU 9p virtfs proxy filesystem helper
-
-@c man begin AUTHOR
-M. Mohan Kumar
-@c man end
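Review bot: the commit message describes only adding qemu as a submodule, but this hunk (`@@ -1,63 +0,0 @@`, deleted file mode) removes the entire virtfs-proxy-helper man page source from the tree, and the message neither says that the in-tree qemu/ copy is being dropped nor names the qemu revision the submodule pins ("updated latest qemu" cannot be reproduced later). Please state both in the message and confirm that the submodule still ships this page. The deleted text documents why the proxy helper exists (the TOCTTOU symlink issue and running QEMU with root privilege under the pass-through security model) and the -p, -f, -s, -u/-g and -n options that a deployment passes to the helper, so losing it silently would leave the privilege-separation setup undocumented for anyone building from this repo.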