Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp6127990rwr; Mon, 1 May 2023 17:15:48 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ5Bxd6keDhNMsWeLvjIhZD8t8Ruc6DFvnOoYJtNfl2KrMMWeraJUGgo64JjZjTU0t/TOlRW X-Received: by 2002:a17:902:e88c:b0:1a6:bc34:2ee with SMTP id w12-20020a170902e88c00b001a6bc3402eemr18616336plg.21.1682986548328; Mon, 01 May 2023 17:15:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1682986548; cv=none; d=google.com; s=arc-20160816; b=axheZHk8azW0KVhwUh3jkv1Gmb+RBpU+RoJz8poBALRFaSGRyvQ8PnAlop7BwpqIPe JmJKYiUHNd8pJKisJbNtRIEzRCp8mhorkXHOV/SZIZKg6apXOOsLX1FNkq8JuBXVhL8N BcPgvnEWIjxzvXC+ZdxgCnt+q0zGq12wjB8od/ZbD4TN6P2ZnZqfCrmJRUiUTrZ3HKru 8n4arUVjW8mcxWxK23tdzCfcIuAWklezbxSbO/LjoofQB2h0/TsifOZcg55VDtBkQ4oS 4LbXFnBiqdQiDybd+VIJil064PSGlWT9IZHlr2P7iF2hu3EIlbDPflF2PPaINBxLzTGV PjZQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=8vPkxZmjvPrwj9yARID2IcnIbVYQzVlz9N1UD75yWJc=; b=o8XD9eWva+oCPUk76blG6cgLCdKlk6GFOGn3YTkGpOlJW4v0za4O/0zSKEGiM6U1Rj hSWNnfKYNdQr438fk2P0IHViIPIPTSqlxtuS/g27BjiGZM1CEr+23NVE6z8lX9wXxo6f 1nWLj4JPF1yeSl7QZEcFE55ct73nqJWDWdEdsCs7kL1da8PJB3/wukaklz2I65uJDn+G Td3q/HaVtas3jUrC5p4WP1fiZihpsoaVIlhwsrq5TvLiL/dsx4cxJB4jPdb4+DvlOd0a BOuZ/V5DbKTtimoJeFTYzgsNXbd8e3wc6b2MpM/Pb0dfIs22xmliGN4WfLmytlib9TlB Cu7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=0UfJ7Tbc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x17-20020a170902ec9100b001a97091356asi22779928plg.46.2023.05.01.17.15.33; Mon, 01 May 2023 17:15:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=0UfJ7Tbc; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229379AbjEBAHq (ORCPT + 99 others); Mon, 1 May 2023 20:07:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34832 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232989AbjEBAHm (ORCPT ); Mon, 1 May 2023 20:07:42 -0400 Received: from mail-pf1-x434.google.com (mail-pf1-x434.google.com [IPv6:2607:f8b0:4864:20::434]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ABC593A8C for ; Mon, 1 May 2023 17:07:38 -0700 (PDT) Received: by mail-pf1-x434.google.com with SMTP id d2e1a72fcca58-64115eef620so30719664b3a.1 for ; Mon, 01 May 2023 17:07:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1682986058; x=1685578058; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=8vPkxZmjvPrwj9yARID2IcnIbVYQzVlz9N1UD75yWJc=; b=0UfJ7TbcVUadFwEts5kOLmLB4BgJqrRqx9uD+f8LXaQJSMmqYqjD7Fh6Cfn0NPkJb/ ioCuz2M50D37KKGuAxc3MgBQE2ral1pGfWy1jNpjDLvM9ZCCgB+c2Zhz2PHLQPL5X38Y zeDMAefPinLcV2aODW6pogWX34Wv3FCrk9tNqECSaF7Y4nuXeg9wsvn54WMT7OlCODv4 X1KgshO5erNjMBVLeRz2u7QqdEqwDLsqF4E7mnzNIosJAuV7fqjKx7rpR4DdjwbO543q +aSxmH24oGdBCQHZ1Y/TFhJUSr73YFOl2Y75rLhVvUD1gf7zAFhVJ+UsP8aMwTsfzRib Plhw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1682986058; x=1685578058; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=8vPkxZmjvPrwj9yARID2IcnIbVYQzVlz9N1UD75yWJc=; b=JpunAimDU1mt5X/x4caKr8eFW6aRoMNjruOFR8Mbe4aULEO7BnNRRW4NYf/ecWJouh bfonwHbPjdGCKhJbvbzJnK8hmQwAq9oBnLgKCx3/4efTT74KKRkdUQ8L0JGG2fQWBMN8 yh7jJLl8ty0cPYG8yS0+zEhwDaTWWZTvVmzmibmPnhhxUHq3kf3fYdM6jCChRCOnr/uJ dX7cJZjarief0+1quulkBx892OZ0KfMXdQLrpdOlquTF9yN08NNQH31SMHjIk+fa1u2J 3pWO0S8xFGknOwXIIoe6oYPEmhKDIapxjWoEimTFyt2So5jQvRIJ9rRYRcYLtI+PXquX gLvA== X-Gm-Message-State: AC+VfDxive9iWaQo0OvsKkZnkPVWoAIxaw21ncvhdoiBf50+bSwfqe9c JkxFnjaV5qOMO9uUre2ec1J1QJLkdwl9OK2lUxN/vw== X-Received: by 2002:a17:902:f7c5:b0:19e:2fb0:a5d9 with SMTP id h5-20020a170902f7c500b0019e2fb0a5d9mr17959310plw.32.1682986057925; Mon, 01 May 2023 17:07:37 -0700 (PDT) MIME-Version: 1.0 References: <20230418014037.2412394-1-drosen@google.com> In-Reply-To: From: Daniel Rosenberg Date: Mon, 1 May 2023 17:07:26 -0700 Message-ID: Subject: Re: [RFC PATCH bpf-next v3 00/37] FUSE BPF: A Stacked Filesystem Extension for FUSE To: Miklos Szeredi Cc: bpf@vger.kernel.org, Alexei Starovoitov , Amir Goldstein , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Shuah Khan , Jonathan Corbet , Joanne Koong , Mykola Lysenko , kernel-team@android.com Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-17.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF, ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL,USER_IN_DEF_SPF_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Apr 24, 2023 at 8:32=E2=80=AFAM Miklos Szeredi = wrote: > > > The security model needs to be thought about and documented. Think > about this: the fuse server now delegates operations it would itself > perform to the passthrough code in fuse. The permissions that would > have been checked in the context of the fuse server are now checked in > the context of the task performing the operation. The server may be > able to bypass seccomp restrictions. Files that are open on the > backing filesystem are now hidden (e.g. lsof won't find these), which > allows the server to obfuscate accesses to backing files. Etc. > > These are not particularly worrying if the server is privileged, but > fuse comes with the history of supporting unprivileged servers, so we > should look at supporting passthrough with unprivileged servers as > well. > This is on my todo list. My current plan is to grab the creds that the daemon uses to respond to FUSE_INIT. That should keep behavior fairly similar. I'm not sure if there are cases where the fuse server is operating under multiple contexts. I don't currently have a plan for exposing open files via lsof. Every such file should relate to one that will show up though. I haven't dug into how that's set up, but I'm open to suggestions. > My other generic comment is that you should add justification for > doing this in the first place. I guess it's mainly performance. So > how performance can be won in real life cases? It would also be good > to measure the contribution of individual ops to that win. Is there > another reason for this besides performance? > > Thanks, > Miklos Our main concern with it is performance. We have some preliminary numbers looking at the pure passthrough case. We've been testing using a ramdrive on a somewhat slow machine, as that should highlight differences more. We ran fio for sequential reads, and random read/write. For sequential reads, we were seeing libfuse's passthrough_hp take about a 50% hit, with fuse-bpf not being detectably slower. For random read/write, we were seeing a roughly 90% drop in performance from passthrough_hp, while fuse-bpf has about a 7% drop in read and write speed. When we use a bpf that traces every opcode, that performance hit increases to a roughly 1% drop in sequential read performance, and a 20% drop in both read and write performance for random read/write. We plan to make more complex bpf examples, with fuse daemon equivalents to compare against. We have not looked closely at the impact of individual opcodes yet. There's also a potential ease of use for fuse-bpf. If you're implementing a fuse daemon that is largely mirroring a backing filesystem, you only need to write code for the differences in behavior. For instance, say you want to remove image metadata like location. You could give bpf information on what range of data is metadata, and zero out that section without having to handle any other operations. -Daniel