KVM Filesystem (9p) Support Requires Administrator Password
Description of Issue: I'm in the process of migrating from VMware Workstation to KVM. My usage of Tails involves occasional use of local directories on the host. With VMware Workstation, Tails sees the HGFS share and makes the files available automatically. With KVM, the Plan 9 filesystem share requires running the mount command, which requires using the option to set an administrative password. Administrative passwords are discouraged, because they provide an avenue for malicious software to break anonymity by altering settings.
Proposed Solutions:
- Add a nopass sudoers entry for amnesia that allows for the use of `mount -t 9p` without credentials
- Add a daemon that watches `/sys/bus/virtio/drivers/9pnet_virtio/virtio*/mount_tag` files, and automatically mounts them in `/mnt/9p/<mount_tag>`, so that Tails will automatically mount 9p filesystems without having to involve the user; a quick dash off of that concept is:
```bash
#!/bin/bash
function do_mounts() {
    # One mount tag per virtio 9p device exposed by the host
    MOUNT_TAGS=$(cat /sys/bus/virtio/drivers/9pnet_virtio/virtio*/mount_tag)
    # Allow only alphanumeric (and - or _) in mount_tags to prevent injection attacks
    if grep -qP '[^a-zA-Z0-9_-]' <<< "${MOUNT_TAGS}"; then
        >&2 echo "At least one mount_tag contains illegal characters; exiting"
        exit 1
    fi
    mkdir -p /mnt/9p
    MOUNTS=$(mount | grep '/mnt/9p/')
    # Mount any mount_tags that aren't already mounted
    for MT in ${MOUNT_TAGS}; do
        MNT_DIR="/mnt/9p/${MT}"
        if ! grep -q "^${MT} on ${MNT_DIR}" <<< "${MOUNTS}"; then
            echo "Mounting ${MT} to ${MNT_DIR}"
            mkdir -p "${MNT_DIR}"
            chmod 0777 "${MNT_DIR}"
            mount -t 9p -o trans=virtio,version=9p2000.L "${MT}" "${MNT_DIR}"
        fi
    done
    # Dismount any mounts that no longer appear in the list
    for MNT in $(grep -Po '(?<= on )/mnt/9p/[^ ]+' <<< "${MOUNTS}"); do
        MT=$(grep -Po '(?<=/mnt/9p/).*' <<< "${MNT}")
        # Whole-line literal match, so a tag is not kept alive by a longer tag sharing its prefix
        if ! grep -qxF -- "${MT}" <<< "${MOUNT_TAGS}"; then
            echo "Dismounting ${MNT}"
            umount "${MNT}" && rmdir "${MNT}"
        fi
    done
}

do_mounts
if [[ "${1}" == "--daemon" ]]; then
    # Re-run the reconciliation whenever a mount_tag file changes
    while /bin/true ; do
        inotifywait /sys/bus/virtio/drivers/9pnet_virtio/virtio*/mount_tag
        do_mounts
    done
fi
```
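
The reconciliation step of the daemon idea above, as an added dry-run example that is not part of the original issue or of Tails: it prints the actions it would take instead of mounting anything, so the tag validation and the mount/unmount decisions can be checked without root. The names `valid_tag`, `plan`, `BASE` and the sample data are assumptions made for the example, and rejecting a leading `-` goes beyond the character check in the issue, since such a tag would otherwise be read by `mount` as an option.

```sh
#!/bin/sh
# Added example: dry-run planner for the auto-mount idea; it prints actions only.
# Assumptions: tags arrive one per line, mounts are in /proc/mounts format.
BASE=/mnt/9p

# A tag is host-controlled input that becomes a path component and a mount
# argument, so apply the allowlist per tag and also refuse a leading "-".
valid_tag() {
    case "$1" in
        ''|-*) return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# plan TAGS MOUNTS: print "mount", "umount" and "reject" actions, one per line.
plan() (
    # Only 9p filesystems mounted below BASE are managed by the planner.
    mounted=$(printf '%s\n' "$2" |
        awk -v b="$BASE/" '$3 == "9p" && index($2, b) == 1 { print $2 }')
    wanted=
    while IFS= read -r tag; do
        [ -n "$tag" ] || continue
        if ! valid_tag "$tag"; then
            printf 'reject %s\n' "$tag"
            continue
        fi
        wanted="$wanted$BASE/$tag
"
        # -x -F: whole-line literal match, so "share" never matches "share2"
        printf '%s\n' "$mounted" | grep -qxF -- "$BASE/$tag" ||
            printf 'mount %s %s\n' "$tag" "$BASE/$tag"
    done <<EOF
$1
EOF
    # Anything mounted whose tag is no longer offered gets unmounted.
    for dir in $mounted; do
        printf '%s' "$wanted" | grep -qxF -- "$dir" ||
            printf 'umount %s\n' "$dir"
    done
)

# Constructed sample input (not taken from a real system).
SAMPLE_TAGS='share
share2
-oexec
../etc'
SAMPLE_MOUNTS='share /mnt/9p/share 9p rw,trans=virtio 0 0
stale /mnt/9p/stale 9p rw,trans=virtio 0 0
tmpfs /mnt/9p/other tmpfs rw 0 0'

plan "$SAMPLE_TAGS" "$SAMPLE_MOUNTS"
```

Unlike the script's all-or-nothing check, the planner rejects a bad tag individually, so one malformed tag does not block the valid shares.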