From: Bernd Schubert <bernd@bsbernd.com>
To: "Darrick J. Wong" <djwong@kernel.org>
Cc: bschubert@ddn.com, neal@gompa.dev, linux-fsdevel@vger.kernel.org,
joannelkoong@gmail.com, miklos@szeredi.hu,
fuse-devel@lists.linux.dev
Subject: Re: [PATCHSET v5] libfuse: run fuse servers as a contained service
Date: Sun, 26 Apr 2026 18:35:11 +0200
Message-ID: <eed525ff-8f83-4882-a5db-574d2d3a913e@bsbernd.com>
In-Reply-To: <177689988489.3820166.4979104167640003535.stgit@frogsfrogsfrogs>

On 4/23/26 01:18, Darrick J. Wong wrote:
> Hi all,
>
> This patchset defines the necessary communication protocols and library
> code so that users can mount fuse servers that run in unprivileged
> systemd service containers. That in turn allows unprivileged untrusted
> mounts, because the worst that can happen is that a malicious image
> crashes the fuse server and the mount dies, instead of corrupting the
> kernel's memory.
>
> v5: Refactor socket IO into helpers, tighten the security checks in
> mount_service.c, always set nosuid/nodev for unprivileged mounts,
> use posix_spawnp in mount.fuse, restructure sample programs and hl
> library code to avoid the need for unmounting during startup
> v4.1: fix various cppcheck/codecheck complaints
> v4: fix a large number of security problems that only matter when the
> mount helper is being run as a setuid program; fix protocol
> byteswapping problems; add CLOEXEC to all files being traded
> back and forth; add an umount command; and strengthen mount socket
> protocol checks.
> v3: refactor the sample code to reduce duplication; fix all the
> checkpatch complaints; examples actually build standalone;
> fuservicemount handles utab now; cleaned up meson feature detection;
> handle MS_ flags that don't translate to MOUNT_ATTR_*
> v2: cleaned up error code handling and logging; add some example fuse
> service; fuservicemount3 can now be a setuid program to allow
> unprivileged userspace to fire up a contained filesystem driver.
> This could be opening Pandora's box...
> v1: detach from fuse-iomap series
>
> If you're going to start using this code, I strongly recommend pulling
> from my git trees, which are linked below.
>
> With a bit of luck, this should all go splendidly.
> Comments and questions are, as always, welcome.
>
> --D
>
> kernel git tree:
> https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=fuse-service-container

Hi Darrick,

going to look for your previous pull request - kernel tree doesn't help
me for libfuse ;)

Bernd

> ---
> Commits in this patchset:
> * Refactor mount code / move common functions to mount_util.c
> * mount_service: add systemd socket service mounting helper
> * mount_service: create high level fuse helpers
> * mount_service: use the new mount api for the mount service
> * mount_service: update mtab after a successful mount
> * util: hoist the fuse.conf parsing and setuid mode enforcement code
> * util: fix checkpatch complaints in fuser_conf.[ch]
> * mount_service: enable unprivileged users in a similar manner as fusermount
> * mount.fuse3: integrate systemd service startup
> * mount_service: allow installation as a setuid program
> * example/service_ll: create a sample systemd service fuse server
> * example/service: create a sample systemd service for a high-level fuse server
> * nullfs: support fuse systemd service mode
> ---
> example/single_file.h | 191 ++
> include/fuse.h | 34
> include/fuse_service.h | 243 +++
> include/fuse_service_priv.h | 161 ++
> lib/fuse_i.h | 3
> lib/mount_common_i.h | 22
> lib/mount_util.h | 8
> lib/util.h | 35
> util/fuser_conf.h | 62 +
> util/mount_service.h | 49 +
> .github/workflows/install-ubuntu-dependencies.sh | 4
> README.md | 3
> doc/fuservicemount3.8 | 32
> doc/meson.build | 3
> example/meson.build | 26
> example/null.c | 51 +
> example/null.socket.in | 15
> example/null@.service | 102 +
> example/service_hl.c | 224 ++
> example/service_hl.socket.in | 15
> example/service_hl@.service | 102 +
> example/service_ll.c | 313 +++
> example/service_ll.socket.in | 15
> example/service_ll@.service | 102 +
> example/single_file.c | 970 ++++++++++
> include/meson.build | 4
> lib/fuse_service.c | 1220 +++++++++++++
> lib/fuse_service_stub.c | 106 +
> lib/fuse_versionscript | 18
> lib/helper.c | 160 ++
> lib/meson.build | 17
> lib/mount.c | 72 +
> lib/mount_util.c | 9
> meson.build | 53 +
> meson_options.txt | 9
> test/ci-build.sh | 14
> util/fuser_conf.c | 396 ++++
> util/fusermount.c | 363 ----
> util/fuservicemount.c | 65 +
> util/install_helper.sh | 6
> util/meson.build | 24
> util/mount.fuse.c | 169 ++
> util/mount_service.c | 2111 ++++++++++++++++++++++
> 43 files changed, 7197 insertions(+), 404 deletions(-)
> create mode 100644 example/single_file.h
> create mode 100644 include/fuse_service.h
> create mode 100644 include/fuse_service_priv.h
> create mode 100644 lib/mount_common_i.h
> create mode 100644 util/fuser_conf.h
> create mode 100644 util/mount_service.h
> create mode 100644 doc/fuservicemount3.8
> create mode 100644 example/null.socket.in
> create mode 100644 example/null@.service
> create mode 100644 example/service_hl.c
> create mode 100644 example/service_hl.socket.in
> create mode 100644 example/service_hl@.service
> create mode 100644 example/service_ll.c
> create mode 100644 example/service_ll.socket.in
> create mode 100644 example/service_ll@.service
> create mode 100644 example/single_file.c
> create mode 100644 lib/fuse_service.c
> create mode 100644 lib/fuse_service_stub.c
> create mode 100644 util/fuser_conf.c
> create mode 100644 util/fuservicemount.c
> create mode 100644 util/mount_service.c
>