On Tue, 18 Apr 2023 at 03:40, Daniel Rosenberg <drosen@xxxxxxxxxx> wrote: > > These patches extend FUSE to be able to act as a stacked filesystem. This > allows pure passthrough, where the fuse file system simply reflects the lower > filesystem, and also allows optional pre and post filtering in BPF and/or the > userspace daemon as needed. This can dramatically reduce or even eliminate > transitions to and from userspace. I'll ignore BPF for now and concentrate on the passthrough aspect, which I understand better. The security model needs to be thought about and documented. Think about this: the fuse server now delegates operations it would itself perform to the passthrough code in fuse. The permissions that would have been checked in the context of the fuse server are now checked in the context of the task performing the operation. The server may be able to bypass seccomp restrictions. Files that are open on the backing filesystem are now hidden (e.g. lsof won't find these), which allows the server to obfuscate accesses to backing files. Etc. These are not particularly worrying if the server is privileged, but fuse comes with the history of supporting unprivileged servers, so we should look at supporting passthrough with unprivileged servers as well. My other generic comment is that you should add justification for doing this in the first place. I guess it's mainly performance. So how performance can be won in real life cases? It would also be good to measure the contribution of individual ops to that win. Is there another reason for this besides performance? Thanks, Miklos
