Turned out that security_model=mapped can't cope with symlinks in the host file system.
Instead, security_model=passthrough works as expected. OTOH, I'll have to check whether this mode already provides a safe chroot, or whether the guest can escape and damage the host system. The wiki page needs some more documentation on that: https://wiki.qemu.org/Documentation/9psetup

--
You received this bug notification because you are a member of qemu-devel-ml, which is subscribed to QEMU.
https://bugs.launchpad.net/bugs/1785902

Title:
  local/9pfs: Too many levels of symbolic links

Status in QEMU:
  New

Bug description:
  Version: 2.9.1

  The primary symptom is resolving symlink fails w/ error "too many levels of symbolic links".

  My analysis showed that local_readlink() uses local_open_nofollow() to open the file and then tries to read it. local_open_nofollow() then tries to open the file w/ O_NOFOLLOW, which obviously fails if the requested file is a symlink.
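The failure mode in the bug description, reproduced as an added example (not QEMU code and not part of the original report): opening a symlink with O_NOFOLLOW returns ELOOP, the errno glibc renders as "Too many levels of symbolic links", while readlinkat() against a directory descriptor reads the link without following it. The scratch path and the function names are assumptions made for this sketch.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern from the report: open the final component with O_NOFOLLOW; returns errno or 0. */
int open_nofollow_errno(int dirfd, const char *name)
{
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Alternative: readlinkat() reads the link itself and does not follow the final component. */
ssize_t read_link_at(int dirfd, const char *name, char *buf, size_t len)
{
    ssize_t n = readlinkat(dirfd, name, buf, len - 1);
    if (n >= 0)
        buf[n] = '\0';
    return n;
}

/* Constructed sample: scratch dir with "link" -> "target". Returns the open() errno, -1 on error. */
int run_demo(char *target, size_t len)
{
    char dir[] = "/tmp/nofollow-demo-XXXXXX";   /* hypothetical scratch location */
    int dirfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW) : -1;
    if (dirfd < 0 || symlinkat("target", dirfd, "link") < 0)
        return -1;
    int err = open_nofollow_errno(dirfd, "link");
    if (read_link_at(dirfd, "link", target, len) < 0)
        err = -1;
    unlinkat(dirfd, "link", 0);
    close(dirfd);
    rmdir(dir);
    return err;
}

int main(void)
{
    char target[64] = "";
    int err = run_demo(target, sizeof target);
    printf("open(O_NOFOLLOW): %s; readlinkat(): %s\n", strerror(err), target);
    return err == ELOOP ? 0 : 1;
}
```

The parent directory is still opened with O_NOFOLLOW | O_DIRECTORY, so only the last component is exempt from the no-follow rule, and only for reading the link text.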