device: 0.690 kernel: 0.663 files: 0.652 permissions: 0.561 socket: 0.544 ppc: 0.524 semantic: 0.421 architecture: 0.411 network: 0.402 register: 0.387 graphic: 0.377 PID: 0.371 user-level: 0.293 performance: 0.267 risc-v: 0.229 boot: 0.226 mistranslation: 0.225 debug: 0.204 vnc: 0.195 arm: 0.190 virtual: 0.182 hypervisor: 0.150 peripherals: 0.145 x86: 0.137 VMM: 0.103 i386: 0.100 assembly: 0.088 TCG: 0.077 KVM: 0.076 local/9pfs: Too many levels of symbolic links Version: 2.9.1 The primary symptom is resolving symlink fails w/ error "too many levels of symbolic links". My analysis showed that local_readlink() uses local_open_nofollow() to open the file and then tries to read it. local_open_nofollow() then tries to open the file w/ O_NOFOLLOW, which obviously fails if the requested file is a symlink. Turned out that security_model=mapped can't cope with symlinks in the host file system. Instead, security_model=passthrough works as expected. OTOH, I'll have to check, whether this mode already provides a safe chroot, or guest can escape and damage the host system. The wiki page needs some more documentation on that: https://wiki.qemu.org/Documentation/9psetup The QEMU project is currently considering to move its bug tracking to another system. For this we need to know which bugs are still valid and which could be closed already. Thus we are setting older bugs to "Incomplete" now. If you still think this bug report here is valid, then please switch the state back to "New" within the next 60 days, otherwise this report will be marked as "Expired". Or please mark it as "Fix Released" if the problem has been solved with a newer version of QEMU already. Thank you and sorry for the inconvenience. Enrico, with security_model=mapped (a.k.a. security_model=mapped-xattr) 9p is not following symlinks on host. That's the expected behaviour. There are 2 distinct models: security_model=passthrough uses the ownership information, permissions and symlink info etc. directly from the host's file system. This model requires the qemu binary to run as high privileged user (i.e. root) though, because it needs to be able to change file ownership, permissions and so forth. For that reason this model is only appropriate for use cases where there is a certain trust to what the guest system is doing. E.g. this model is commonly used by kernel coders to build kernel/driver code on host and then test run it as guest. For untrusted guests (i.e. most cases) it is recommended to use security_model=mapped-xattr instead. In this mode all ownership information, permissions, etc. are emulated (i.e. mapped) by storing them as extended attributes on top of files on host. This way the qemu binary can run with a regular (unprivileged) user and pretend to host it would have all rights to change ownership and permissions. You can read more details about this in the 9p developer description about the 9p 'local' driver here: https://wiki.qemu.org/Documentation/9p#9p_Filesystem_Drivers [Expired for QEMU because there has been no activity for 60 days.]