Documentation/filesystems/fuse-passthrough.rst - pub/scm/linux/kernel/git/gregkh/tty - Git at Google

 .. SPDX-License-Identifier: GPL-2.0

 ================
 FUSE Passthrough
 ================

 Introduction
 ============

 FUSE (Filesystem in Userspace) passthrough is a feature designed to improve the
 performance of FUSE filesystems for I/O operations. Typically, FUSE operations
 involve communication between the kernel and a userspace FUSE daemon, which can
 incur overhead. Passthrough allows certain operations on a FUSE file to bypass
 the userspace daemon and be executed directly by the kernel on an underlying
 "backing file".

 This is achieved by the FUSE daemon registering a file descriptor (pointing to
 the backing file on a lower filesystem) with the FUSE kernel module. The kernel
 then receives an identifier (``backing_id``) for this registered backing file.
 When a FUSE file is subsequently opened, the FUSE daemon can, in its response to
 the ``OPEN`` request, include this ``backing_id`` and set the
 ``FOPEN_PASSTHROUGH`` flag. This establishes a direct link for specific
 operations.

 Currently, passthrough is supported for operations like ``read(2)``/``write(2)``
 (via ``read_iter``/``write_iter``), ``splice(2)``, and ``mmap(2)``.

 Enabling Passthrough
 ====================

 To use FUSE passthrough:

   1. The FUSE filesystem must be compiled with ``CONFIG_FUSE_PASSTHROUGH``
      enabled.
   2. The FUSE daemon, during the ``FUSE_INIT`` handshake, must negotiate the
      ``FUSE_PASSTHROUGH`` capability and specify its desired
      ``max_stack_depth``.
   3. The (privileged) FUSE daemon uses the ``FUSE_DEV_IOC_BACKING_OPEN`` ioctl
      on its connection file descriptor (e.g., ``/dev/fuse``) to register a
      backing file descriptor and obtain a ``backing_id``.
   4. When handling an ``OPEN`` or ``CREATE`` request for a FUSE file, the daemon
      replies with the ``FOPEN_PASSTHROUGH`` flag set in
      ``fuse_open_out::open_flags`` and provides the corresponding ``backing_id``
      in ``fuse_open_out::backing_id``.
   5. The FUSE daemon should eventually call ``FUSE_DEV_IOC_BACKING_CLOSE`` with
      the ``backing_id`` to release the kernel's reference to the backing file
      when it's no longer needed for passthrough setups.

 Privilege Requirements
 ======================

 Setting up passthrough functionality currently requires the FUSE daemon to
 possess the ``CAP_SYS_ADMIN`` capability. This requirement stems from several
 security and resource management considerations that are actively being
 discussed and worked on. The primary reasons for this restriction are detailed
 below.

 Resource Accounting and Visibility
 ----------------------------------

 The core mechanism for passthrough involves the FUSE daemon opening a file
 descriptor to a backing file and registering it with the FUSE kernel module via
 the ``FUSE_DEV_IOC_BACKING_OPEN`` ioctl. This ioctl returns a ``backing_id``
 associated with a kernel-internal ``struct fuse_backing`` object, which holds a
 reference to the backing ``struct file``.

 A significant concern arises because the FUSE daemon can close its own file
 descriptor to the backing file after registration. The kernel, however, will
 still hold a reference to the ``struct file`` via the ``struct fuse_backing``
 object as long as it's associated with a ``backing_id`` (or subsequently, with
 an open FUSE file in passthrough mode).

 This behavior leads to two main issues for unprivileged FUSE daemons:

   1. **Invisibility to lsof and other inspection tools**: Once the FUSE
      daemon closes its file descriptor, the open backing file held by the kernel
      becomes "hidden." Standard tools like ``lsof``, which typically inspect
      process file descriptor tables, would not be able to identify that this
      file is still open by the system on behalf of the FUSE filesystem. This
      makes it difficult for system administrators to track resource usage or
      debug issues related to open files (e.g., preventing unmounts).

   2. **Bypassing RLIMIT_NOFILE**: The FUSE daemon process is subject to
      resource limits, including the maximum number of open file descriptors
      (``RLIMIT_NOFILE``). If an unprivileged daemon could register backing files
      and then close its own FDs, it could potentially cause the kernel to hold
      an unlimited number of open ``struct file`` references without these being
      accounted against the daemon's ``RLIMIT_NOFILE``. This could lead to a
      denial-of-service (DoS) by exhausting system-wide file resources.

 The ``CAP_SYS_ADMIN`` requirement acts as a safeguard against these issues,
 restricting this powerful capability to trusted processes.

 **NOTE**: ``io_uring`` solves this similar issue by exposing its "fixed files",
 which are visible via ``fdinfo`` and accounted under the registering user's
 ``RLIMIT_NOFILE``.

 Filesystem Stacking and Shutdown Loops
 --------------------------------------

 Another concern relates to the potential for creating complex and problematic
 filesystem stacking scenarios if unprivileged users could set up passthrough.
 A FUSE passthrough filesystem might use a backing file that resides:

   * On the *same* FUSE filesystem.
   * On another filesystem (like OverlayFS) which itself might have an upper or
     lower layer that is a FUSE filesystem.

 These configurations could create dependency loops, particularly during
 filesystem shutdown or unmount sequences, leading to deadlocks or system
 instability. This is conceptually similar to the risks associated with the
 ``LOOP_SET_FD`` ioctl, which also requires ``CAP_SYS_ADMIN``.

 To mitigate this, FUSE passthrough already incorporates checks based on
 filesystem stacking depth (``sb->s_stack_depth`` and ``fc->max_stack_depth``).
 For example, during the ``FUSE_INIT`` handshake, the FUSE daemon can negotiate
 the ``max_stack_depth`` it supports. When a backing file is registered via
 ``FUSE_DEV_IOC_BACKING_OPEN``, the kernel checks if the backing file's
 filesystem stack depth is within the allowed limit.

 The ``CAP_SYS_ADMIN`` requirement provides an additional layer of security,
 ensuring that only privileged users can create these potentially complex
 stacking arrangements.

 General Security Posture
 ------------------------

 As a general principle for new kernel features that allow userspace to instruct
 the kernel to perform direct operations on its behalf based on user-provided
 file descriptors, starting with a higher privilege requirement (like
 ``CAP_SYS_ADMIN``) is a conservative and common security practice. This allows
 the feature to be used and tested while further security implications are
 evaluated and addressed.
	.. SPDX-License-Identifier: GPL-2.0

	================
	FUSE Passthrough
	================

	Introduction
	============

	FUSE (Filesystem in Userspace) passthrough is a feature designed to improve the
	performance of FUSE filesystems for I/O operations. Typically, FUSE operations
	involve communication between the kernel and a userspace FUSE daemon, which can
	incur overhead. Passthrough allows certain operations on a FUSE file to bypass
	the userspace daemon and be executed directly by the kernel on an underlying
	"backing file".

	This is achieved by the FUSE daemon registering a file descriptor (pointing to
	the backing file on a lower filesystem) with the FUSE kernel module. The kernel
	then receives an identifier (``backing_id``) for this registered backing file.
	When a FUSE file is subsequently opened, the FUSE daemon can, in its response to
	the ``OPEN`` request, include this ``backing_id`` and set the
	``FOPEN_PASSTHROUGH`` flag. This establishes a direct link for specific
	operations.

	Currently, passthrough is supported for operations like ``read(2)``/``write(2)``
	(via ``read_iter``/``write_iter``), ``splice(2)``, and ``mmap(2)``.

	Enabling Passthrough
	====================

	To use FUSE passthrough:

	1. The FUSE filesystem must be compiled with ``CONFIG_FUSE_PASSTHROUGH``
	enabled.
	2. The FUSE daemon, during the ``FUSE_INIT`` handshake, must negotiate the
	``FUSE_PASSTHROUGH`` capability and specify its desired
	``max_stack_depth``.
	3. The (privileged) FUSE daemon uses the ``FUSE_DEV_IOC_BACKING_OPEN`` ioctl
	on its connection file descriptor (e.g., ``/dev/fuse``) to register a
	backing file descriptor and obtain a ``backing_id``.
	4. When handling an ``OPEN`` or ``CREATE`` request for a FUSE file, the daemon
	replies with the ``FOPEN_PASSTHROUGH`` flag set in
	``fuse_open_out::open_flags`` and provides the corresponding ``backing_id``
	in ``fuse_open_out::backing_id``.
	5. The FUSE daemon should eventually call ``FUSE_DEV_IOC_BACKING_CLOSE`` with
	the ``backing_id`` to release the kernel's reference to the backing file
	when it's no longer needed for passthrough setups.

	Privilege Requirements
	======================

	Setting up passthrough functionality currently requires the FUSE daemon to
	possess the ``CAP_SYS_ADMIN`` capability. This requirement stems from several
	security and resource management considerations that are actively being
	discussed and worked on. The primary reasons for this restriction are detailed
	below.

	Resource Accounting and Visibility
	----------------------------------

	The core mechanism for passthrough involves the FUSE daemon opening a file
	descriptor to a backing file and registering it with the FUSE kernel module via
	the ``FUSE_DEV_IOC_BACKING_OPEN`` ioctl. This ioctl returns a ``backing_id``
	associated with a kernel-internal ``struct fuse_backing`` object, which holds a
	reference to the backing ``struct file``.

	A significant concern arises because the FUSE daemon can close its own file
	descriptor to the backing file after registration. The kernel, however, will
	still hold a reference to the ``struct file`` via the ``struct fuse_backing``
	object as long as it's associated with a ``backing_id`` (or subsequently, with
	an open FUSE file in passthrough mode).

	This behavior leads to two main issues for unprivileged FUSE daemons:

	1. Invisibility to lsof and other inspection tools: Once the FUSE
	daemon closes its file descriptor, the open backing file held by the kernel
	becomes "hidden." Standard tools like ``lsof``, which typically inspect
	process file descriptor tables, would not be able to identify that this
	file is still open by the system on behalf of the FUSE filesystem. This
	makes it difficult for system administrators to track resource usage or
	debug issues related to open files (e.g., preventing unmounts).

	2. Bypassing RLIMIT_NOFILE: The FUSE daemon process is subject to
	resource limits, including the maximum number of open file descriptors
	(``RLIMIT_NOFILE``). If an unprivileged daemon could register backing files
	and then close its own FDs, it could potentially cause the kernel to hold
	an unlimited number of open ``struct file`` references without these being
	accounted against the daemon's ``RLIMIT_NOFILE``. This could lead to a
	denial-of-service (DoS) by exhausting system-wide file resources.

	The ``CAP_SYS_ADMIN`` requirement acts as a safeguard against these issues,
	restricting this powerful capability to trusted processes.

	NOTE: ``io_uring`` solves this similar issue by exposing its "fixed files",
	which are visible via ``fdinfo`` and accounted under the registering user's
	``RLIMIT_NOFILE``.

	Filesystem Stacking and Shutdown Loops
	--------------------------------------

	Another concern relates to the potential for creating complex and problematic
	filesystem stacking scenarios if unprivileged users could set up passthrough.
	A FUSE passthrough filesystem might use a backing file that resides:

	* On the same FUSE filesystem.
	* On another filesystem (like OverlayFS) which itself might have an upper or
	lower layer that is a FUSE filesystem.

	These configurations could create dependency loops, particularly during
	filesystem shutdown or unmount sequences, leading to deadlocks or system
	instability. This is conceptually similar to the risks associated with the
	``LOOP_SET_FD`` ioctl, which also requires ``CAP_SYS_ADMIN``.

	To mitigate this, FUSE passthrough already incorporates checks based on
	filesystem stacking depth (``sb->s_stack_depth`` and ``fc->max_stack_depth``).
	For example, during the ``FUSE_INIT`` handshake, the FUSE daemon can negotiate
	the ``max_stack_depth`` it supports. When a backing file is registered via
	``FUSE_DEV_IOC_BACKING_OPEN``, the kernel checks if the backing file's
	filesystem stack depth is within the allowed limit.

	The ``CAP_SYS_ADMIN`` requirement provides an additional layer of security,
	ensuring that only privileged users can create these potentially complex
	stacking arrangements.

	General Security Posture
	------------------------

	As a general principle for new kernel features that allow userspace to instruct
	the kernel to perform direct operations on its behalf based on user-provided
	file descriptors, starting with a higher privilege requirement (like
	``CAP_SYS_ADMIN``) is a conservative and common security practice. This allows
	the feature to be used and tested while further security implications are
	evaluated and addressed.