1 QEMU virtio-fs shared file system daemon
2 ========================================
7 **virtiofsd** [*OPTIONS*]
12 Share a host directory tree with a guest through a virtio-fs device. This
13 program is a vhost-user backend that implements the virtio-fs device. Each
14 virtio-fs device instance requires its own virtiofsd process.
16 This program is designed to work with QEMU's ``--device vhost-user-fs-pci``
17 but should work with any virtual machine monitor (VMM) that supports
18 vhost-user. See the Examples section below.
20 This program must be run as the root user. The program drops privileges where
21 possible during startup although it must be able to create and access files
24 * The ability to invoke syscalls is limited using seccomp(2).
25 * Linux capabilities(7) are dropped.
27 In "namespace" sandbox mode the program switches into a new file system
28 namespace and invokes pivot_root(2) to make the shared directory tree its root.
29 A new pid and net namespace is also created to isolate the process.
31 In "chroot" sandbox mode the program invokes chroot(2) to make the shared
32 directory tree its root. This mode is intended for container environments where
33 the container runtime has already set up the namespaces and the program does
34 not have permission to create namespaces itself.
36 Both sandbox modes prevent "file system escapes" due to symlinks and other file
37 system objects that might lead to files outside the shared directory.
42 .. program:: virtiofsd
44 .. option:: -h, --help
48 .. option:: -V, --version
58 Print log messages to syslog instead of stderr.
66 Enable/disable flock. The default is ``no_flock``.
69 Modify the list of capabilities allowed; CAPLIST is a colon separated
70 list of capabilities, each preceded by either + or -, e.g.
71 ''+sys_admin:-chown''.
74 Print only log messages matching LEVEL or more severe. LEVEL is one of
75 ``err``, ``warn``, ``info``, or ``debug``. The default is ``info``.
77 * posix_lock|no_posix_lock -
78 Enable/disable remote POSIX locks. The default is ``no_posix_lock``.
80 * readdirplus|no_readdirplus -
81 Enable/disable readdirplus. The default is ``readdirplus``.
83 * sandbox=namespace|chroot -
85 - namespace: Create mount, pid, and net namespaces and pivot_root(2) into
87 - chroot: chroot(2) into shared directory (use in containers).
88 The default is "namespace".
91 Share host directory tree located at PATH. This option is required.
94 I/O timeout in seconds. The default depends on cache= option.
96 * writeback|no_writeback -
97 Enable/disable writeback cache. The cache allows the FUSE client to buffer
98 and merge write requests. The default is ``no_writeback``.
101 Enable/disable extended attributes (xattr) on files and directories. The
102 default is ``no_xattr``.
104 * posix_acl|no_posix_acl -
105 Enable/disable posix acl support. Posix ACLs are disabled by default.
107 .. option:: --socket-path=PATH
109 Listen on vhost-user UNIX domain socket at PATH.
111 .. option:: --socket-group=GROUP
113 Set the vhost-user UNIX domain socket gid to GROUP.
115 .. option:: --fd=FDNUM
117 Accept connections from vhost-user UNIX domain socket file descriptor FDNUM.
118 The file descriptor must already be listening for connections.
120 .. option:: --thread-pool-size=NUM
122 Restrict the number of worker threads per request queue to NUM. The default
125 .. option:: --cache=none|auto|always
127 Select the desired trade-off between coherency and performance. ``none``
128 forbids the FUSE client from caching to achieve best coherency at the cost of
129 performance. ``auto`` acts similar to NFS with a 1 second metadata cache
130 timeout. ``always`` sets a long cache lifetime at the expense of coherency.
131 The default is ``auto``.
133 Extended attribute (xattr) mapping
134 ----------------------------------
136 By default the name of xattr's used by the client are passed through to the server
137 file system. This can be a problem where either those xattr names are used
138 by something on the server (e.g. selinux client/server confusion) or if the
139 ``virtiofsd`` is running in a container with restricted privileges where it
140 cannot access some attributes.
145 A mapping of xattr names can be made using -o xattrmap=mapping where the ``mapping``
146 string consists of a series of rules.
148 The first matching rule terminates the mapping.
149 The set of rules must include a terminating rule to match any remaining attributes
152 Each rule consists of a number of fields separated with a separator that is the
153 first non-white space character in the rule. This separator must then be used
155 White space may be added before and after each rule.
157 Using ':' as the separator a rule is of the form:
159 ``:type:scope:key:prepend:``
163 - 'client' - match 'key' against a xattr name from the client for
164 setxattr/getxattr/removexattr
165 - 'server' - match 'prepend' against a xattr name from the server
167 - 'all' - can be used to make a single rule where both the server
168 and client matches are triggered.
172 - 'prefix' - is designed to prepend and strip a prefix; the modified
173 attributes then being passed on to the client/server.
175 - 'ok' - Causes the rule set to be terminated when a match is found
176 while allowing matching xattr's through unchanged.
177 It is intended both as a way of explicitly terminating
178 the list of rules, and to allow some xattr's to skip following rules.
180 - 'bad' - If a client tries to use a name matching 'key' it's
181 denied using EPERM; when the server passes an attribute
182 name matching 'prepend' it's hidden. In many ways it's use is very like
183 'ok' as either an explicit terminator or for special handling of certain
186 - 'unsupported' - If a client tries to use a name matching 'key' it's
187 denied using ENOTSUP; when the server passes an attribute
188 name matching 'prepend' it's hidden. In many ways it's use is very like
189 'ok' as either an explicit terminator or for special handling of certain
192 **key** is a string tested as a prefix on an attribute name originating
193 on the client. It maybe empty in which case a 'client' rule
194 will always match on client names.
196 **prepend** is a string tested as a prefix on an attribute name originating
197 on the server, and used as a new prefix. It may be empty
198 in which case a 'server' rule will always match on all names from
203 ``:prefix:client:trusted.:user.virtiofs.:``
205 will match 'trusted.' attributes in client calls and prefix them before
206 passing them to the server.
208 ``:prefix:server::user.virtiofs.:``
210 will strip 'user.virtiofs.' from all server replies.
212 ``:prefix:all:trusted.:user.virtiofs.:``
214 combines the previous two cases into a single rule.
216 ``:ok:client:user.::``
218 will allow get/set xattr for 'user.' xattr's and ignore
221 ``:ok:server::security.:``
223 will pass 'securty.' xattr's in listxattr from the server
224 and ignore following rules.
228 will terminate the rule search passing any remaining attributes
231 ``:bad:server::security.:``
233 would hide 'security.' xattr's in listxattr from the server.
235 A simpler 'map' type provides a shorter syntax for the common case:
237 ``:map:key:prepend:``
239 The 'map' type adds a number of separate rules to add **prepend** as a prefix
240 to the matched **key** (or all attributes if **key** is empty).
241 There may be at most one 'map' rule and it must be the last rule in the set.
243 Note: When the 'security.capability' xattr is remapped, the daemon has to do
244 extra work to remove it during many operations, which the host kernel normally
247 Security considerations
248 ~~~~~~~~~~~~~~~~~~~~~~~
250 Operating systems typically partition the xattr namespace using
251 well defined name prefixes. Each partition may have different
252 access controls applied. For example, on Linux there are multiple
255 * ``system.*`` - access varies depending on attribute & filesystem
256 * ``security.*`` - only processes with CAP_SYS_ADMIN
257 * ``trusted.*`` - only processes with CAP_SYS_ADMIN
258 * ``user.*`` - any process granted by file permissions / ownership
260 While other OS such as FreeBSD have different name prefixes
261 and access control rules.
263 When remapping attributes on the host, it is important to
264 ensure that the remapping does not allow a guest user to
265 evade the guest access control rules.
267 Consider if ``trusted.*`` from the guest was remapped to
268 ``user.virtiofs.trusted*`` in the host. An unprivileged
269 user in a Linux guest has the ability to write to xattrs
270 under ``user.*``. Thus the user can evade the access
271 control restriction on ``trusted.*`` by instead writing
272 to ``user.virtiofs.trusted.*``.
274 As noted above, the partitions used and access controls
275 applied, will vary across guest OS, so it is not wise to
276 try to predict what the guest OS will use.
278 The simplest way to avoid an insecure configuration is
279 to remap all xattrs at once, to a given fixed prefix.
280 This is shown in example (1) below.
282 If selectively mapping only a subset of xattr prefixes,
283 then rules must be added to explicitly block direct
284 access to the target of the remapping. This is shown
285 in example (2) below.
290 1) Prefix all attributes with 'user.virtiofs.'
294 -o xattrmap=":prefix:all::user.virtiofs.::bad:all:::"
297 This uses two rules, using : as the field separator;
298 the first rule prefixes and strips 'user.virtiofs.',
299 the second rule hides any non-prefixed attributes that
302 This is equivalent to the 'map' rule:
306 -o xattrmap=":map::user.virtiofs.:"
308 2) Prefix 'trusted.' attributes, allow others through
312 "/prefix/all/trusted./user.virtiofs./
313 /bad/server//trusted./
314 /bad/client/user.virtiofs.//
318 Here there are four rules, using / as the field
319 separator, and also demonstrating that new lines can
320 be included between rules.
321 The first rule is the prefixing of 'trusted.' and
322 stripping of 'user.virtiofs.'.
323 The second rule hides unprefixed 'trusted.' attributes
325 The third rule stops a guest from explicitly setting
326 the 'user.virtiofs.' path directly to prevent access
327 control bypass on the target of the earlier prefix
329 Finally, the fourth rule lets all remaining attributes
332 This is equivalent to the 'map' rule:
336 -o xattrmap="/map/trusted./user.virtiofs./"
338 3) Hide 'security.' attributes, and allow everything else
342 "/bad/all/security./security./
345 The first rule combines what could be separate client and server
346 rules into a single 'all' rule, matching 'security.' in either
347 client arguments or lists returned from the host. This stops
348 the client seeing any 'security.' attributes on the server and
349 stops it setting any.
354 Export ``/var/lib/fs/vm001/`` on vhost-user UNIX domain socket
355 ``/var/run/vm001-vhost-fs.sock``:
359 host# virtiofsd --socket-path=/var/run/vm001-vhost-fs.sock -o source=/var/lib/fs/vm001
360 host# |qemu_system| \\
361 -chardev socket,id=char0,path=/var/run/vm001-vhost-fs.sock \\
362 -device vhost-user-fs-pci,chardev=char0,tag=myfs \\
363 -object memory-backend-memfd,id=mem,size=4G,share=on \\
364 -numa node,memdev=mem \\
366 guest# mount -t virtiofs myfs /mnt