Re: [Lsf-pc] [LSF/MM/BPF TOPIC] Where is fuse going? API cleanup, restructuring and more

[Gao Xiang <hsiangkao@linux.alibaba.com>]

Hi Jan,

On 2026/3/23 17:54, Jan Kara wrote:
> On Sun 22-03-26 12:51:57, Gao Xiang wrote:
>> On 2026/3/22 11:25, Demi Marie Obenour wrote:
>>>> Technically speaking fuse4fs could just invoke e2fsck -fn before it
>>>> starts up the rest of the libfuse initialization but who knows if that's
>>>> an acceptable risk.  Also unclear if you actually want -fy for that.
>>>
>>
>> Let me try to reply the remaining part:
>>
>>> To me, the attacks mentioned above are all either user error,
>>> or vulnerabilities in software accessing the filesystem.  If one
>>
>> There are many consequences if users try to use potential inconsistent
>> writable filesystems directly (without full fsck), what I can think
>> out including but not limited to:
>>
>>   - data loss (considering data block double free issue);
>>   - data theft (for example, users keep sensitive information in the
>>        workload in a high permission inode but it can be read with
>>        low permission malicious inode later);
>>   - data tamper (the same principle).
>>
>> All vulnerabilities above happen after users try to write the
>> inconsistent filesystem, which is hard to prevent by on-disk
>> design.
>>
>> But if users write with copy-on-write to another local consistent
>> filesystem, all the vulnerabilities above won't exist.
> 
> OK, so if I understand correctly you are advocating that untrusted initial data
> should be provided on immutable filesystem and any needed modification
> would be handled by overlayfs (or some similar layer) and stored on
> (initially empty) writeable filesystem.
> 
> That's a sensible design for usecase like containers but what started this
> thread about FUSE drivers for filesystems were usecases like access to
> filesystems on drives attached at USB port of your laptop. There it isn't
> really practical to use your design. You need a standard writeable
> filesystem for that but at the same time you cannot quite trust the content
> of everything that gets attached to your USB port...

Yes, that is my proposal and my overall interest now.  I know
your interest but I'm here I just would like to say:

Without full scan fsck, even with FUSE, the system is still
vulnerable if the FUSE approch is used.

I could give a detailed example, for example:

There are passwd files `/etc/passwd` and `/etc/shadow` with
proper permissions (for example, you could audit the file
permission with e2fsprogs/xfsprogs without a full fsck scan) in
the inconsistent remote filesystems, but there are some other
malicious files called "foo" and "bar" somewhere with low
permissions but sharing the same blocks which is disallowed
by filesystem on-disk formats illegally (because they violate
copy-on-write semantics by design), also see my previous
reply:
https://lore.kernel.org/r/7de8630d-b6f5-406e-809a-bc2a2d945afb@linux.alibaba.com

The initial data of `/etc/passwd` and `/etc/shadow` in the
filesystem image doesn't matter, but users could then keep
very sensitive information later just out of the
inconsistent filesystems, which could cause "data theft"
above.

So I think inconsistent filesystem harms to users no matter
the implementations use FUSE or not.

You could claim it's not the case we care, but I think most
users should care, and they should full fsck in advance, but
if it's fscked and consistent, I'm afraid the images can then
be handled in kernel directly.

Thanks,
Gao Xiang


> 
> 								Honza