From: "Darrick J. Wong" <djwong@kernel.org>
To: bschubert@ddn.com
Cc: linux-fsdevel@vger.kernel.org, bernd@bsbernd.com,
miklos@szeredi.hu, neal@gompa.dev, joannelkoong@gmail.com
Subject: Re: [PATCH 17/17] nullfs: support fuse systemd service mode
Date: Tue, 7 Apr 2026 17:11:57 -0700
Message-ID: <20260408001157.GT6202@frogsfrogsfrogs>
In-Reply-To: <177457463428.1008428.6991907403668845476.stgit@frogsfrogsfrogs>

On Thu, Mar 26, 2026 at 06:29:12PM -0700, Darrick J. Wong wrote:
> From: Darrick J. Wong <djwong@kernel.org>
>
> This is the only example fuse server that exports a regular file instead
> of a directory tree. Port it to be usable as a systemd fuse service so
> that we can test that capability.
>
> Signed-off-by: Darrick J. Wong <djwong@kernel.org>
> ---
> example/meson.build | 6 +++
> example/null.c | 33 +++++++++++++-
> example/nullfile.socket.in | 15 ++++++
> example/nullfile@.service | 102 ++++++++++++++++++++++++++++++++++++++++++++
> 4 files changed, 154 insertions(+), 2 deletions(-)
> create mode 100644 example/nullfile.socket.in
> create mode 100644 example/nullfile@.service
>
>
> diff --git a/example/meson.build b/example/meson.build
> index 0a7cc3dbf31da4..c08a81747e68ae 100644
> --- a/example/meson.build
> +++ b/example/meson.build
> @@ -10,6 +10,12 @@ if not platform.endswith('bsd') and platform != 'dragonfly'
> # support mounting files, This is enforced in vfs_domount_first()
> # with the v_type != VDIR check.
> examples += [ 'null' ]
> +
> + if platform.endswith('linux')
> + configure_file(input: 'nullfile.socket.in',
> + output: 'nullfile.socket',
> + configuration: private_cfg)
> + endif
> endif
>
> single_file_examples = [ 'hello_ll' ]
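
Review bot: the new configure_file() call in the Linux branch generates only nullfile.socket; nullfile@.service is not templated, so its ExecStart=/path/to/null placeholder has to be edited by hand before the unit can start. Consider a nullfile@.service.in with a substituted binary path, the same way the socket directory is substituted from private_cfg. The call also carries no install: or install_dir: argument, so the generated socket unit stays in the build directory; if that is intended for an example, say so in the comment in null.c.
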
> diff --git a/example/null.c b/example/null.c
> index ec41def40ed5c5..3e7e43f722a432 100644
> --- a/example/null.c
> +++ b/example/null.c
> @@ -17,15 +17,24 @@
> *
> * gcc -Wall null.c `pkg-config fuse3 --cflags --libs` -o null
> *
> + * Change the ExecStart line in nullfile@.service:
> + *
> + * ExecStart=/path/to/nullfile
> + *
> + * to point to the actual path of the nullfile binary.
> + *
> + * Finally, install the nullfile@.service and nullfile.socket files to the
> + * systemd service directory, usually /run/systemd/system.

Ok last rAmblIng email for now -- I've fixed the socket and service
name to be consistent with the server name, like it is for the other two
examples. Apparently Codex is better at noticing those details than I
am.

I also dropped the hello_ll.c changes because the service stuff more or
less only works on Linux. Nobody's porting systemd to BSD and there are
no inetd clones that support AF_UNIX, so that's a huge barrier to any of
it working anywhere else.

(I wouldn't be opposed to someone contributing support, but I'm not a
BSD/Windows/Devuan user)

--D

> + *
> * ## Source code ##
> * \include passthrough_fh.c
> */
>
> -
> -#define FUSE_USE_VERSION 31
> +#define FUSE_USE_VERSION FUSE_MAKE_VERSION(3, 19)
>
> #include <fuse.h>
> #include <fuse_lowlevel.h>
> +#include <fuse_service.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
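
Review bot: the comment added at the top of null.c tells the reader to set ExecStart=/path/to/nullfile and refers to "the nullfile binary", but the gcc line just above it builds a binary named null (-o null) and the unit file in this patch ships ExecStart=/path/to/null. Use one name throughout. The comment also gives /run/systemd/system as the usual unit directory; /run is a runtime directory that does not survive a reboot, so /etc/systemd/system is the better pointer for a persistent install.
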
> @@ -117,6 +126,26 @@ int main(int argc, char *argv[])
> struct fuse_args args = FUSE_ARGS_INIT(argc, argv);
> struct fuse_cmdline_opts opts;
> struct stat stbuf;
> + struct fuse_service *service = NULL;
> + int ret;
> +
> + if (fuse_service_accept(&service) != 0)
> + return 1;
> +
> + if (fuse_service_accepted(service)) {
> + if (fuse_service_append_args(service, &args) != 0)
> + return 1;
> + if (fuse_service_finish_file_requests(service) != 0)
> + return 1;
> +
> + fuse_service_expect_mount_mode(service, S_IFREG);
> +
> + ret = fuse_service_main(service, args.argc, args.argv,
> + &null_oper, NULL);
> +
> + fuse_opt_free_args(&args);
> + return fuse_service_exit(ret);
> + }
>
> if (fuse_parse_cmdline(&args, &opts) != 0)
> return 1;
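
Review bot: inside the fuse_service_accepted() branch of main(), the two early "return 1" exits (when fuse_service_append_args() or fuse_service_finish_file_requests() fails) skip both fuse_opt_free_args(&args) and fuse_service_exit(), which the success path calls. Route them through a common exit label so the handle filled in by fuse_service_accept() is always wound down the same way. The result of fuse_service_expect_mount_mode(service, S_IFREG) is also ignored; if that call can fail, check it like its neighbours.
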
> diff --git a/example/nullfile.socket.in b/example/nullfile.socket.in
> new file mode 100644
> index 00000000000000..23e57a25f2eb93
> --- /dev/null
> +++ b/example/nullfile.socket.in
> @@ -0,0 +1,15 @@
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +#
> +# Copyright (C) 2026 Oracle. All Rights Reserved.
> +# Author: Darrick J. Wong <djwong@kernel.org>
> +[Unit]
> +Description=Socket for nullfile Service
> +
> +[Socket]
> +ListenSequentialPacket=@FUSE_SERVICE_SOCKET_DIR_RAW@/nullfile
> +Accept=yes
> +SocketMode=0220
> +RemoveOnStop=yes
> +
> +[Install]
> +WantedBy=sockets.target
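
Review bot: SocketMode=0220 in the [Socket] section grants write access to the socket's owner and group only, but the unit sets neither SocketUser= nor SocketGroup=, so both default to root. Add a comment naming the identity that is expected to connect, or set SocketGroup= explicitly, so the access policy can be read from the unit itself. With Accept=yes every connection starts its own nullfile@ instance, so it is also worth stating whether the default MaxConnections= is acceptable here.
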
> diff --git a/example/nullfile@.service b/example/nullfile@.service
> new file mode 100644
> index 00000000000000..665f8d4226ff49
> --- /dev/null
> +++ b/example/nullfile@.service
> @@ -0,0 +1,102 @@
> +# SPDX-License-Identifier: GPL-2.0-or-later
> +#
> +# Copyright (C) 2026 Oracle. All Rights Reserved.
> +# Author: Darrick J. Wong <djwong@kernel.org>
> +[Unit]
> +Description=nullfile Sample Fuse Service
> +
> +# Don't leave failed units behind, systemd does not clean them up!
> +CollectMode=inactive-or-failed
> +
> +[Service]
> +Type=exec
> +ExecStart=/path/to/null
> +
> +# Try to capture core dumps
> +LimitCORE=infinity
> +
> +SyslogIdentifier=%N
> +
> +# No realtime CPU scheduling
> +RestrictRealtime=true
> +
> +# Don't let us see anything in the regular system, and don't run as root
> +DynamicUser=true
> +ProtectSystem=strict
> +ProtectHome=true
> +PrivateTmp=true
> +PrivateDevices=true
> +PrivateUsers=true
> +
> +# No network access
> +PrivateNetwork=true
> +ProtectHostname=true
> +RestrictAddressFamilies=none
> +IPAddressDeny=any
> +
> +# Don't let the program mess with the kernel configuration at all
> +ProtectKernelLogs=true
> +ProtectKernelModules=true
> +ProtectKernelTunables=true
> +ProtectControlGroups=true
> +ProtectProc=invisible
> +RestrictNamespaces=true
> +RestrictFileSystems=
> +
> +# Hide everything in /proc, even /proc/mounts
> +ProcSubset=pid
> +
> +# Only allow the default personality Linux
> +LockPersonality=true
> +
> +# No writable memory pages
> +MemoryDenyWriteExecute=true
> +
> +# Don't let our mounts leak out to the host
> +PrivateMounts=true
> +
> +# Restrict system calls to the native arch and only enough to get things going
> +SystemCallArchitectures=native
> +SystemCallFilter=@system-service
> +SystemCallFilter=~@privileged
> +SystemCallFilter=~@resources
> +
> +SystemCallFilter=~@clock
> +SystemCallFilter=~@cpu-emulation
> +SystemCallFilter=~@debug
> +SystemCallFilter=~@module
> +SystemCallFilter=~@reboot
> +SystemCallFilter=~@swap
> +
> +SystemCallFilter=~@mount
> +
> +# libfuse io_uring wants to pin cores and memory
> +SystemCallFilter=mbind
> +SystemCallFilter=sched_setaffinity
> +
> +# Leave a breadcrumb if we get whacked by the system call filter
> +SystemCallErrorNumber=EL3RST
> +
> +# Log to the kernel dmesg, just like an in-kernel filesystem driver
> +StandardOutput=append:/dev/ttyprintk
> +StandardError=append:/dev/ttyprintk
> +
> +# Run with no capabilities at all
> +CapabilityBoundingSet=
> +AmbientCapabilities=
> +NoNewPrivileges=true
> +
> +# We don't create files
> +UMask=7777
> +
> +# No access to hardware /dev files at all
> +ProtectClock=true
> +DevicePolicy=closed
> +
> +# Don't mess with set[ug]id anything.
> +RestrictSUIDSGID=true
> +
> +# Don't let OOM kills of processes in this containment group kill the whole
> +# service, because we don't want filesystem drivers to go down.
> +OOMPolicy=continue
> +OOMScoreAdjust=-1000
>
>
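
Review bot: the comment "# No writable memory pages" above MemoryDenyWriteExecute=true overstates the setting, which only blocks mappings that are writable and executable at the same time; reword it to something like "No writable+executable memory". In the same file, RestrictFileSystems= is assigned an empty value with no comment on what that is meant to achieve, and UMask=7777 sets bits beyond the 0777 a umask uses; a one-line comment on each would help. OOMScoreAdjust=-1000 exempts every instance from the OOM killer, which deserves a justification in a unit that is started per connection.
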