fuse: support special /dev/fd/N mountpoint
libfuse introduced [1] a special `/dev/fd/N` syntax for the mountpoint: It means that a privileged parent process: * Opened /dev/fuse * Called mount() on a real mountpoint directory * Inherited the fd to /dev/fuse to us * Informs us about the fd number via /dev/fd/N This functionality is used to allow FUSE mounts inside containers that have neither root permissions nor suid binaries [2], and for the --drop_privileges flag of mount.fuse3 [4] Tested with singularity and gocryptfs and actually works [3]. v2: Added doccomment for NewServer. v3: Added specific error message on Server.Unmount(). v4: Moved mount details to package comment [1] https://github.com/libfuse/libfuse/commit/64e11073b9347fcf9c6d1eea143763ba9e946f70 [2] https://github.com/rfjakob/gocryptfs/issues/590 [3] $ singularity run --fusemount "host:gocryptfs --extpass echo --extpass test /tmp/a /mnt" docker://ubuntu INFO: Using cached SIF image Reading password from extpass program "echo", arguments: ["test"] Decrypting master key bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory bash: /home/jakob/.cargo/env: No such file or directory Singularity> Filesystem mounted and ready. [4] man mount.fuse3 Change-Id: Ibcc2464b0ef1e3d236207981b487fd9a7d94c910
Showing
fuse/mount_linux_test.go
0 → 100644