Re: [PATCH 1/2] fuse: allow FUSE_SYNCFS for privileged userspace servers
From: Jimmy Zuber
Date: Fri Jun 19 2026 - 12:34:20 EST
On Mon, 16 Jun 2026, Miklos Szeredi <miklos@xxxxxxxxxx> wrote:
> Sounds really easy to trick: start the server in the initial user ns,
> then clone the mounter with a new user/mount namespace. The
> init_user_ns test will pass happily, since the server is running in
> the initial namespace.
Ah, the intention was to limit sync to sufficiently privileged FUSE
setups. I missed that the initial user namespace is not equivalent to
elevated permissions. I am thinking instead it would make sense to
assert that the opener of /dev/fuse has CAP_SYS_ADMIN in the initial
user namespace. They could then hand off the fd to a less privileged
server, but that is the prerogative of that privileged user, so I think
it satisfies the spirit of the DoS prevention requirement.
I will follow up shortly with a new version.
Thank you!
Jimmy
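For reference, the distinction the reply lands on is the one the kernel already draws: capable(CAP_SYS_ADMIN) is ns_capable(&init_user_ns, CAP_SYS_ADMIN), so a task that is merely running in the initial user namespace, or that holds a full capability set in a child user namespace it unshared, does not pass it. The program below is an added userspace illustration, not code from this patch series or from fs/fuse; it approximates the proposed "opener holds CAP_SYS_ADMIN in the initial user namespace" condition from /proc and shows that "CapEff is all ones" by itself proves nothing once a task has unshared a user namespace. Assumed for the demo: /proc is mounted, PID 1 lives in the initial user namespace (false inside a container), and /proc/1/ns/user is stat()-able by the caller (root, or same uid as PID 1). The function names are made up for the example.

```c
/* Added example, not from the FUSE_SYNCFS patches or the kernel tree. */
#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

#define CAP_SYS_ADMIN_BIT 21   /* CAP_SYS_ADMIN == 21 in <linux/capability.h> */

/* Parse the CapEff line of a /proc/<pid>/status buffer and return the
 * 64-bit effective capability mask (0 if the line is absent). */
unsigned long long cap_eff_from_status(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return 0;
    return strtoull(p + strlen("CapEff:"), NULL, 16);
}

/* 1 if the mask carries CAP_SYS_ADMIN, else 0. */
int has_cap_sys_admin(unsigned long long cap_eff)
{
    return (int)((cap_eff >> CAP_SYS_ADMIN_BIT) & 1ULL);
}

/* The condition the reply proposes, evaluated on caller-supplied facts so it
 * can be exercised without root: the task must hold CAP_SYS_ADMIN *and* that
 * capability must be relative to the initial user namespace, approximated
 * here as "same user-ns inode as the reference (PID 1)". A task that has
 * unshared a user namespace reports CapEff == all ones but fails the second
 * half; a task in the initial namespace without CAP_SYS_ADMIN fails the
 * first half, which is the hole the quoted objection points at. */
int privileged_in_init_user_ns(unsigned long long cap_eff,
                               ino_t self_user_ns, ino_t init_user_ns)
{
    return has_cap_sys_admin(cap_eff) && init_user_ns != 0 &&
           self_user_ns == init_user_ns;
}

/* Inode of a /proc/<pid>/ns/user magic link; 0 if it cannot be stat()-ed. */
static ino_t ns_inode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? st.st_ino : 0;
}

static unsigned long long self_cap_eff(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return cap_eff_from_status(buf);
}

static void report(const char *when, ino_t init_ns)
{
    unsigned long long eff = self_cap_eff();
    ino_t self_ns = ns_inode("/proc/self/ns/user");
    printf("%s CapEff=%016llx in_init_user_ns=%d privileged=%d\n", when, eff,
           init_ns != 0 && self_ns == init_ns,
           privileged_in_init_user_ns(eff, self_ns, init_ns));
}

int main(void)
{
    ino_t init_ns = ns_inode("/proc/1/ns/user");   /* assumption: PID 1 is in init_user_ns */
    if (init_ns == 0)
        fprintf(stderr, "cannot stat /proc/1/ns/user; reference ns unknown\n");

    report("before unshare:", init_ns);

    /* Become "root" in a fresh user namespace: CapEff turns into all ones,
     * yet nothing has been gained relative to the initial namespace. */
    if (unshare(CLONE_NEWUSER) != 0) {
        perror("unshare(CLONE_NEWUSER) (unprivileged user namespaces may be disabled)");
        return 0;
    }
    report("after unshare: ", init_ns);
    return 0;
}
```

Run it as an unprivileged user on a host that allows unprivileged user namespaces: the "before" line shows CapEff=0 and privileged=0, the "after" line shows CapEff=0000003fffffffff (or the host's full mask) with in_init_user_ns=0, so privileged stays 0. Only a process started with CAP_SYS_ADMIN in the initial namespace prints privileged=1, which is the set of openers the proposed check would admit; what happens to the fd afterwards is, as the reply says, that opener's own business.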