From: "Darrick J. Wong" <djwong@kernel.org>
To: Bernd Schubert <bernd@bsbernd.com>
Cc: bschubert@ddn.com, neal@gompa.dev, linux-fsdevel@vger.kernel.org,
joannelkoong@gmail.com, miklos@szeredi.hu,
fuse-devel@lists.linux.dev
Subject: Re: [PATCHSET v5] libfuse: run fuse servers as a contained service
Date: Sun, 26 Apr 2026 09:56:40 -0700
Message-ID: <20260426165640.GK7765@frogsfrogsfrogs>
In-Reply-To: <eed525ff-8f83-4882-a5db-574d2d3a913e@bsbernd.com>

On Sun, Apr 26, 2026 at 06:35:11PM +0200, Bernd Schubert wrote:
>
>
> On 4/23/26 01:18, Darrick J. Wong wrote:
> > Hi all,
> >
> > This patchset defines the necessary communication protocols and library
> > code so that users can mount fuse servers that run in unprivileged
> > systemd service containers. That in turn allows unprivileged untrusted
> > mounts, because the worst that can happen is that a malicious image
> > crashes the fuse server and the mount dies, instead of corrupting the
> > kernel's memory.
> >
> > v5: Refactor socket IO into helpers, tighten the security checks in
> >     mount_service.c, always set nosuid/nodev for unprivileged mounts,
> >     use posix_spawnp in mount.fuse, restructure sample programs and hl
> >     library code to avoid the need for unmounting during startup
> > v4.1: fix various cppcheck/codecheck complaints
> > v4: fix a large number of security problems that only matter when the
> >     mount helper is being run as a setuid program; fix protocol
> >     byteswapping problems; add CLOEXEC to all files being traded
> >     back and forth; add an umount command; and strengthen mount socket
> >     protocol checks.
> > v3: refactor the sample code to reduce duplication; fix all the
> >     checkpatch complaints; examples actually build standalone;
> >     fuservicemount handles utab now; cleaned up meson feature detection;
> >     handle MS_ flags that don't translate to MOUNT_ATTR_*
> > v2: cleaned up error code handling and logging; add some example fuse
> >     service; fuservicemount3 can now be a setuid program to allow
> >     unprivileged userspace to fire up a contained filesystem driver.
> >     This could be opening Pandora's box...
> > v1: detach from fuse-iomap series
> >
> > If you're going to start using this code, I strongly recommend pulling
> > from my git trees, which are linked below.
> >
> > With a bit of luck, this should all go splendidly.
> > Comments and questions are, as always, welcome.
> >
> > --D
> >
> > kernel git tree:
> > https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fuse-service-container
>
> Hi Darrick,
>
> going to look for your previous pull request - kernel tree doesn't help
> me for libfuse ;)

Urrk, that wasn't helpful of me. :(

The following changes since commit ff7aa456d426d89eb19661da7b4c171153bac516:

  update kernel FUSE io_uring doc URL (2026-04-20 10:34:32 +0200)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/djwong/libfuse.git tags/fuse-service-container_2026-04-22

for you to fetch changes up to 4f47bd86cd84bd511afdeb59fc18994915eb13fa:

  nullfs: support fuse systemd service mode (2026-04-22 16:08:25 -0700)

(Sorry for the slow reply, I'm at LinuxFest this weekend. Hopefully you
could construct the path to the 22 April version from the previous PR.)

--D

> Bernd
>
> > ---
> > Commits in this patchset:
> > * Refactor mount code / move common functions to mount_util.c
> > * mount_service: add systemd socket service mounting helper
> > * mount_service: create high level fuse helpers
> > * mount_service: use the new mount api for the mount service
> > * mount_service: update mtab after a successful mount
> > * util: hoist the fuse.conf parsing and setuid mode enforcement code
> > * util: fix checkpatch complaints in fuser_conf.[ch]
> > * mount_service: enable unprivileged users in a similar manner as fusermount
> > * mount.fuse3: integrate systemd service startup
> > * mount_service: allow installation as a setuid program
> > * example/service_ll: create a sample systemd service fuse server
> > * example/service: create a sample systemd service for a high-level fuse server
> > * nullfs: support fuse systemd service mode
> > ---
> > example/single_file.h | 191 ++
> > include/fuse.h | 34
> > include/fuse_service.h | 243 +++
> > include/fuse_service_priv.h | 161 ++
> > lib/fuse_i.h | 3
> > lib/mount_common_i.h | 22
> > lib/mount_util.h | 8
> > lib/util.h | 35
> > util/fuser_conf.h | 62 +
> > util/mount_service.h | 49 +
> > .github/workflows/install-ubuntu-dependencies.sh | 4
> > README.md | 3
> > doc/fuservicemount3.8 | 32
> > doc/meson.build | 3
> > example/meson.build | 26
> > example/null.c | 51 +
> > example/null.socket.in | 15
> > example/null@.service | 102 +
> > example/service_hl.c | 224 ++
> > example/service_hl.socket.in | 15
> > example/service_hl@.service | 102 +
> > example/service_ll.c | 313 +++
> > example/service_ll.socket.in | 15
> > example/service_ll@.service | 102 +
> > example/single_file.c | 970 ++++++++++
> > include/meson.build | 4
> > lib/fuse_service.c | 1220 +++++++++++++
> > lib/fuse_service_stub.c | 106 +
> > lib/fuse_versionscript | 18
> > lib/helper.c | 160 ++
> > lib/meson.build | 17
> > lib/mount.c | 72 +
> > lib/mount_util.c | 9
> > meson.build | 53 +
> > meson_options.txt | 9
> > test/ci-build.sh | 14
> > util/fuser_conf.c | 396 ++++
> > util/fusermount.c | 363 ----
> > util/fuservicemount.c | 65 +
> > util/install_helper.sh | 6
> > util/meson.build | 24
> > util/mount.fuse.c | 169 ++
> > util/mount_service.c | 2111 ++++++++++++++++++++++
> > 43 files changed, 7197 insertions(+), 404 deletions(-)
> > create mode 100644 example/single_file.h
> > create mode 100644 include/fuse_service.h
> > create mode 100644 include/fuse_service_priv.h
> > create mode 100644 lib/mount_common_i.h
> > create mode 100644 util/fuser_conf.h
> > create mode 100644 util/mount_service.h
> > create mode 100644 doc/fuservicemount3.8
> > create mode 100644 example/null.socket.in
> > create mode 100644 example/null@.service
> > create mode 100644 example/service_hl.c
> > create mode 100644 example/service_hl.socket.in
> > create mode 100644 example/service_hl@.service
> > create mode 100644 example/service_ll.c
> > create mode 100644 example/service_ll.socket.in
> > create mode 100644 example/service_ll@.service
> > create mode 100644 example/single_file.c
> > create mode 100644 lib/fuse_service.c
> > create mode 100644 lib/fuse_service_stub.c
> > create mode 100644 util/fuser_conf.c
> > create mode 100644 util/fuservicemount.c
> > create mode 100644 util/mount_service.c
> >
>