Re: [PATCHSET v5] libfuse: run fuse servers as a contained service

[Bernd Schubert <bernd@bsbernd.com>]

On 4/26/26 18:56, Darrick J. Wong wrote:
> On Sun, Apr 26, 2026 at 06:35:11PM +0200, Bernd Schubert wrote:
>>
>>
>> On 4/23/26 01:18, Darrick J. Wong wrote:
>>> Hi all,
>>>
>>> This patchset defines the necessary communication protocols and library
>>> code so that users can mount fuse servers that run in unprivileged
>>> systemd service containers.  That in turn allows unprivileged untrusted
>>> mounts, because the worst that can happen is that a malicious image
>>> crashes the fuse server and the mount dies, instead of corrupting the
>>> kernel's memory.
>>>
>>> v5: Refactor socket IO into helpers, tighten the security checks in
>>>     mount_service.c, always set nosuid/nodev for unprivileged mounts,
>>>     use posix_spawnp in mount.fuse, restructure sample programs and hl
>>>     library code to avoid the need for unmounting during startup
>>> v4.1: fix various cppcheck/codecheck complaints
>>> v4: fix a large number of security problems that only matter when the
>>>     mount helper is being run as a setuid program; fix protocol
>>>     byteswapping problems; add CLOEXEC to all files being traded
>>>     back and forth; add an umount command; and strengthen mount socket
>>>     protocol checks.
>>> v3: refactor the sample code to reduce duplication; fix all the
>>>     checkpatch complaints; examples actually build standalone;
>>>     fuservicemount handles utab now; cleaned up meson feature detection;
>>>     handle MS_ flags that don't translate to MOUNT_ATTR_*
>>> v2: cleaned up error code handling and logging; add some example fuse
>>>     service; fuservicemount3 can now be a setuid program to allow
>>>     unprivileged userspace to fire up a contained filesystem driver.
>>>     This could be opening Pandora's box...
>>> v1: detach from fuse-iomap series
>>>
>>> If you're going to start using this code, I strongly recommend pulling
>>> from my git trees, which are linked below.
>>>
>>> With a bit of luck, this should all go splendidly.
>>> Comments and questions are, as always, welcome.
>>>
>>> --D
>>>
>>> kernel git tree:
>>> https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fuse-service-container
>>
>> Hi Darrick,
>>
>> going to look for your previous pull request - kernel tree doesn't help
>> me for libfuse ;)
> 
> Urrk, that wasn't helpful of me. :(
> 
> The following changes since commit ff7aa456d426d89eb19661da7b4c171153bac516:
> 
> update kernel FUSE io_uring doc URL (2026-04-20 10:34:32 +0200)
> 
> are available in the Git repository at:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/djwong/libfuse.git tags/fuse-service-container_2026-04-22
> 
> for you to fetch changes up to 4f47bd86cd84bd511afdeb59fc18994915eb13fa:
> 
> nullfs: support fuse systemd service mode (2026-04-22 16:08:25 -0700)
> 
> (Sorry for the slow reply, I'm at LinuxFest this weekend.  Hopefully you
> could construct the path to the 22 April version from the previous PR.)


No worries at all. Enjoy LinuxFest! I had taken the
"fuse-service-container" branch and HEAD points to the tag. Got
distracted by another issue anyway. Right now I'm trying to look at the
test failures from your branch, but github seems to be very slow.


Thanks,
Bernd