Re: [PATCH 1/2] fuse: allow FUSE_SYNCFS for privileged userspace servers

[PATCH 0/2] fuse: allow FUSE_SYNCFS for privileged userspace servers · Jimmy Zuber <hidden> · 2026-06-16
[PATCH 1/2] fuse: allow FUSE_SYNCFS for privileged userspace servers · Jimmy Zuber <hidden> · 2026-06-16
Re: [PATCH 1/2] fuse: allow FUSE_SYNCFS for privileged userspace servers · Miklos Szeredi <miklos@szeredi.hu> · 2026-06-17
Re: [PATCH 1/2] fuse: allow FUSE_SYNCFS for privileged userspace servers · Jimmy Zuber <hidden> · 2026-06-19
[PATCH 2/2] selftests/fuse: add test for FUSE_HAS_SYNCFS privilege gating · Jimmy Zuber <hidden> · 2026-06-16
[PATCH v2 0/2] fuse: allow FUSE_SYNCFS for privileged userspace servers · Jimmy Zuber <hidden> · 2026-06-19
[PATCH v2 1/2] fuse: allow FUSE_SYNCFS for privileged userspace servers · Jimmy Zuber <hidden> · 2026-06-19
[PATCH v2 2/2] selftests/fuse: add test for FUSE_HAS_SYNCFS privilege gating · Jimmy Zuber <hidden> · 2026-06-19

From: Miklos Szeredi <miklos@szeredi.hu>
Date: 2026-06-17 08:22:37
Also in: fuse-devel, linux-fsdevel, linux-kselftest, lkml

On Tue, 16 Jun 2026 at 17:20, Jimmy Zuber [off-list ref] wrote:

+/*
+ * A server can stall syncfs()/sync(), so only honor FUSE_HAS_SYNCFS for
+ * mounts owned by the initial user namespace, i.e. set up with host
+ * privilege (like virtiofs and fuseblk).
+ */
+static bool fuse_syncfs_enable(struct fuse_conn *fc, u64 flags)
+{
+       return (flags & FUSE_HAS_SYNCFS) && fc->user_ns == &init_user_ns;
+}

Sounds really easy to trick: start the server in the initial user ns,
then clone the mounter with a new user/mount namespace.   The
init_user_ns test will pass happily, since the server is running in
the initial namespace.

Thanks,
Miklos

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help