|
|
Log in / Subscribe / Register

Policies for merging new filesystems

Benefits for LWN subscribers

The primary benefit from subscribing to LWN is helping to keep us publishing, but, beyond that, subscribers get immediate access to all site content and access to a number of extra site features. Please sign up today!

By Jake Edge
May 28, 2026

LSFMM+BPF

In a filesystem-track session at the 2026 Linux Storage, Filesystem, Memory Management, and BPF Summit, Amir Goldstein wanted to discuss his proposed documentation on adding new filesystems to the kernel. There are a number of unmaintained and untestable filesystems already in the kernel, which are a burden to VFS-layer developers who are trying to make sweeping changes, such as switching to folios and the "new" mount API. Goldstein's document is an attempt to head off the addition of filesystems that may increase that burden down the road.

The idea behind the document is to provide prospective filesystem projects a bit of a checklist for what is needed in order to be considered for inclusion. Two new filesystems, VMUFAT and FTRFS, were posted in the same week that he had proposed the document. Both of those projects needed to be asked the usual questions (such as "why not FUSE?"), pointed toward the need for adding fstests, and so on. Getting all of that down in one place that developers of new filesystems can be referred to will help.

Criteria

[Amir Goldstein]

The filesystem developers need to decide what message they want to send to prospective new filesystems; he noted that the rejection of ZUFS sent a message, but he wondered if the community's message had changed since then. Christian Brauner said that for a few years there were multiple different container filesystems that were proposed, but that he never believed a single filesystem would work for all of the different kinds of containers the kernel supports. Pushing back under those circumstances makes sense, but there may come a time when there is a real need to add another filesystem to the kernel. "I just think the bar should be quite high to do that."

The community has seen the pain of bringing a filesystem in and needing to reverse course, Brauner said. There is a balance that needs to be found and criteria for new filesystems can help with that. Part of the problem, though, is that new filesystems are generally sent to Linus Torvalds for a decision; the filesystem community does not necessarily get a veto.

Ted Ts'o pointed out that the interest in using FUSE for filesystems has increased over the last 12-18 months. Much of that was driven by the security concerns with in-kernel filesystems. He pointed to the work that Darrick Wong has been doing on implementing ext4 as a FUSE filesystem that can still perform at close to native speed; that was aimed at providing better security for container workloads. Ts'o does not consider containers to provide a security boundary, but some who do are interested in accessing ext4 filesystems that way.

He does not think that the filesystem community should be pushing new filesystems to use FUSE, however. The bar should be set high enough for a new filesystem "so that it is long-term maintainable by the community". The new filesystem developers can then decide what approach they want to take.

An attendee suggested having a list that described the reasons why a filesystem should be in the kernel, as well as why it should not be. There are some existing in-kernel filesystems that do not need to be there, he said. The problem with that is that "someone has to write it", Jeff Layton said to laughter.

Damien Le Moal agreed with all of the criteria, such as needing tests and maintainers, calling it "a no brainer" for any proposed feature. In the special case of a filesystem, though, he said that the first question that the project needs to answer is "why?": "what is the exact thing you cannot do" with the existing choices? "What problems is it solving?" Without answers to those, there is no point in accepting a filesystem, no matter how good the code is or how committed the maintainers are.

Removal

It is extremely difficult to remove a filesystem once it has been merged, Josef Bacik said; addressing that is where the group should spend its time. The criteria for inclusion is reasonably well-known, but the process to deprecate and remove one is not. So it is not just criteria for merging that needs to be documented, but filesystem projects also need to continue with a certain maintenance level and keep up with the rest of the community, which should be described. If a filesystem falls behind, "this is how we are going to get rid of your filesystem".

Brauner said that there had been pushback from Greg Kroah-Hartman and others at a Maintainers Summit about leaving obsolete filesystems in the tree, as is done with drivers. There are drivers that "just sit and rot", perhaps filesystems should be treated the same way, they suggested. Jan Kara wondered if it made sense to simply implement a FUSE version of some of these unwanted filesystems as a way to be rid of them, though regressions might get in the way of the final step.

Brauner noted that he had put out a policy statement that bugs from corrupted filesystem images were not considered security problems. If that were not the case, there would be an unending stream of CVEs that would need to be addressed, particularly for older filesystems. He said that the flood of bug reports coming from LLMs has led to pulling out some kernel code from the networking subsystem, so "removal, suddenly, is something that can be done, apparently, without much objection".

Ts'o said that historically, "really simple" filesystems that do not use "any of the advanced interfaces" can remain in the tree and "rot" without causing much in the way of problems. There are certainly bugs lurking in some of those, which could be found by fuzzing or LLMs, "but nobody cares". The community could be explicit about that and simply list legacy filesystems with disclaimers like "no one cares about them from a security perspective, if you're a distro, we strongly recommend you don't build the suckers".

It makes sense to send a strong signal that some are second-class filesystems, he said. "The only reason why we haven't just simply created a FUSE driver and then ejected the in-kernel version is that it's not even worth the effort to do that." The list may be the lowest energy fix to the problem while allowing the few users of those filesystems to keep doing so. It is similar to support for the PA-RISC architecture in the kernel, which almost certainly has security problems of various sorts, but the kernel community seems unconcerned.

There was some fast-moving discussion around marking filesystems as deprecated or listing them as Ts'o suggested, though no real conclusion was reached. Meanwhile, Goldstein wondered if new filesystems should be required to be maintained out of the tree for a while as a proving ground for the code as well to show that there are interested users. That has been a successful path for some filesystems in the past.

Famfs

Goldstein raised the discussion about merging famfs. He said that there was never any real pushback against merging famfs in some form, it largely came down to whether it should use FUSE or not. Those questions allowed its developer, John Groves, to try both to see which made more sense; it was a kind of extended "design review", Goldstein thought, which was valuable as part of the process.

Groves did not disagree, though he hoped it would not be another year before famfs was merged in some form. There is a bit of an impedance mismatch since famfs uses memory, not storage, so data is not really persistent. But famfs is also low risk as a new kernel filesystem, since it cannot be used as a general-purpose filesystem. It is aimed as a solution to a new problem that comes about with a, say, multi-TB memory appliance.

Goldstein agreed, but noted that the process was meant to see if something more generalized could come out of it, which would make it a better fit for the upstream kernel. Groves said that two years ago he had presented the filesystem at LSFMM+BPF and switching to FUSE was suggested; he was resistant at first, but returned to the summit in 2025 with a FUSE-based implementation. He maintains both versions and is leaning toward suggesting a return to the standalone filesystem for merging.

Many of the requirements that are being suggested for new filesystems, such as working tests in fstests, only really apply to filesystems that have a persistent on-disk format, Ts'o said. That's important because there need to be different standards for, say, a new read-only or network filesystem. For example, EROFS is being used in ways that are "beyond its original use case, which is a sign that the people who did it got it right". It is unlikely that anyone will take on the pain of creating a new read-only or network filesystem unless there is truly a need; "it's just not worth the effort". The criteria for those, if they were to appear, are sure to be different than those in the document, which are geared toward regular, persistent on-disk filesystems.

[I would like to apologize for any errors here. The acoustics in the room were problematic for both hearing and recording. Misunderstanding and misidentification may have resulted.]

Index entries for this article
KernelFilesystems
ConferenceStorage, Filesystem, Memory-Management and BPF Summit/2026


to post comments

FUSE-required should be the goal

Posted May 28, 2026 20:16 UTC (Thu) by mb (subscriber, #50428) [Link] (3 responses)

Having a FUSE implementation should be a mandatory requirement for getting a new filesystem into the kernel.
Maintaining a FUSE implementation should be a mandatory requirement for keeping this filesystem in the kernel.

Of course the implementations can share as much code as they like.

FUSE-required should be the goal

Posted May 29, 2026 7:33 UTC (Fri) by epa (subscriber, #39769) [Link] (1 responses)

Is there a shim library that lets you write the filesystem once and compile it either as FUSE or as a kernel module? You wouldn't get full access to the latest kernel features, but for use cases like "read some memory from a Sega Dreamcast" that doesn't matter.

FUSE-required should be the goal

Posted May 29, 2026 8:33 UTC (Fri) by paulj (subscriber, #341) [Link]

ZFS was written that way. The bulk of the code was agnostic of kernel or userspace, written against a shim, and there was 1 shim for compiling against a user-space test harness, another for compiling in kernel.

FUSE-required should be the goal

Posted May 29, 2026 8:57 UTC (Fri) by taladar (subscriber, #68407) [Link]

You probably want to make some exceptions from a rule like that for pseudo-filesystems like proc, sysfs,...

In-tree FUSE file systems

Posted May 28, 2026 23:55 UTC (Thu) by Fowl (subscriber, #65667) [Link]

I remember there was a proposal for in-tree FUSE file systems, whatever happened to that? There was also talk of allowing riskier file systems via User Mode Linux right? Seems like there’s a few ideas for “half way” paths that don’t break user space.

Security issues

Posted May 29, 2026 1:19 UTC (Fri) by dvdeug (guest, #10998) [Link] (20 responses)

It'd be nice if more filesystems were implemented in user space, to limit damage. Arguably anything automounted from USB or CD should be user space, if the kernel doesn't take mounting malformed filesystems as an security error. For filesystems that are not actively used for systems, but mainly historical purposes, there's no need to have them at kernel level. It would also be nice if things like ReiserFS were available as FUSE, so removing them from the kernel wouldn't kill any ability for a modern system to read them.

Security issues

Posted May 29, 2026 4:30 UTC (Fri) by NYKevin (subscriber, #129325) [Link] (19 responses)

> Arguably anything automounted from USB or CD should be user space, if the kernel doesn't take mounting malformed filesystems as an security error.

That makes sense for workstations, and I suppose Android, but if we're considering a box in a rack in some data center, we probably assume that physical access = root. So even though this sounds like a good rule, it's probably not axiomatic (and hence should be left to distros and sysadmins to decide).

But it's certainly a good *recommendation* for any distro that wants to be usable as a workstation.

Security issues

Posted May 29, 2026 7:05 UTC (Fri) by dvdeug (guest, #10998) [Link]

Do servers run automounting software? I get the impression that that's something that usually comes with a desktop environment like GNOME or KDE.

Security issues

Posted May 29, 2026 9:03 UTC (Fri) by muase (subscriber, #178466) [Link] (17 responses)

Even for server OS though, if we change that scenario a bit: Given that root users usually can mount, it would be easy to attach a malicious image from inside a container – and there still should be a security boundary between being "formally root" inside a container on a locked down kernel, and arbitrary code execution inside/as the kernel.

I know Linux is not quite there yet, and that it has a different security concept than e.g. iOS; but ideally even a root process should not be able to escalate into kernel domain, especially on a server OS. There are always bugs of course, so an exploit chain "normal user -> root -> kernel" will always be hidden somewhere; but I still think that once it is known, every escalation inside that chain should be treated as a – potentially serious – security bug.

Escalating from root to kernel

Posted May 29, 2026 15:27 UTC (Fri) by farnz (subscriber, #17727) [Link] (15 responses)

Note that escalation from root to kernel is implicit in allowing root to run insmod and equivalents. Requiring signed modules can make it harder for root to escalate to kernel mode, but to genuinely make that escalation path impossible, you'd need to prevent root from doing anything (like direct physical memory access, loadable modules etc) that modifies the kernel.

Can be done, and some systems do it as a security measure, but it's not the norm for Linux systems.

Escalating from root to kernel

Posted May 29, 2026 16:52 UTC (Fri) by DemiMarie (subscriber, #164188) [Link] (14 responses)

Lockdown is supposed to block these paths. I have no idea how good a job it does.

Escalating from root to kernel

Posted May 31, 2026 12:39 UTC (Sun) by farnz (subscriber, #17727) [Link] (13 responses)

Lockdown is supposed to block some, but not all, of these paths. For example, lockdown very explicitly does not not block the loading of signed or IMA-attested modules by root - but that, in turn, means that if root has the module signing private key, there is always going to be a route for root to gain kernel-level privileges (write a loadable kernel module to do what you want, sign it, load it)

Escalating from root to kernel

Posted May 31, 2026 13:08 UTC (Sun) by bluca (subscriber, #118303) [Link] (12 responses)

Well yes but that's very explicitly outside of the threat model. If you have access to the signing key, then you are the owner of the system, and in this threat model it means what do you is trusted by definition.

Escalating from root to kernel

Posted May 31, 2026 14:46 UTC (Sun) by farnz (subscriber, #17727) [Link] (11 responses)

Yes, but it also means that we will never completely close off the ability for root to get kernel privileges - escalation from root to kernel is implicitly permitted by the fact of owning the system, and thus (to go back to the original comment that started this chain) "a root process should not be able to escalate into kernel domain" is not ever going to be true.

A root process without access to the signing key will not be able to escalate, but a root process with access to the signing key absolutely can, and will.

Escalating from root to kernel

Posted May 31, 2026 15:16 UTC (Sun) by mb (subscriber, #50428) [Link] (10 responses)

I'm not sure what your point it.
By the same reasoning you could say: See, root will never be locked down, because you can run without lockdown.
That's obviously true.

The important part is:
It must be made **possible** to configure the system in such a way that root does not automatically have kernel privileges.
We are actually not that far away from that goal. The module loading problem can be solved with signing or by disabling module loading or maybe some other methods today.

What cannot easily be solved by an administrator today is that some filesystems are still not safe against malicious images. There are multiple possible ways to get to a solution for this, like mandatory FUSE implementations or implementations in safe languages. But it requires people to acknowledge the problem first. Which I'm not so sure whether it is done today.

Activities for making Linux safe against malicious root or even malicious hardware (to some degree) are ongoing and I very much welcome that. I currently see that AI tools help with that. Patches are currently being merged to fix security vulnerabilities in old drivers that nobody would spend much of their human time on. Which is a good thing in general. Maybe we can see something like this for filesystems, too?

Escalating from root to kernel

Posted May 31, 2026 15:21 UTC (Sun) by farnz (subscriber, #17727) [Link] (9 responses)

My point is that the idea that it is a security problem if root processes can escalate to kernel privileges is, on Linux, a false statement. Some root processes will be able to escalate to kernel privileges, by definition, because in order to prevent that, I have to have a sufficiently locked down system that the system's apparent owner is prevented from exercising control of the system.

Instead, you need nuance; the system owner will always be able to use a root process to escalate to kernel privileges (by design of the system), but it should be possible to prevent people who are not the system's owner from escalating their privilege level without permission from the system owner. That's a very different statement, and is manageable in a way that "root cannot obtain kernel-level privileges is not".

Escalating from root to kernel

Posted May 31, 2026 15:46 UTC (Sun) by mb (subscriber, #50428) [Link] (8 responses)

Sure. It is a false statement, because lockdown doesn't really work in many (most?) cases.

>I have to have a sufficiently locked down system that the system's apparent owner is prevented from exercising control of the system.

It's not about that. It's about root processes not being able to escalate to kernel privileges without owner consent.

>but it should be possible to prevent people who are not the system's owner from escalating their privilege level without permission from the system owner.

Correct. And that includes processes running as root that do not need kernel privileges by design.

Escalating from root to kernel

Posted May 31, 2026 16:49 UTC (Sun) by farnz (subscriber, #17727) [Link] (7 responses)

The original version given was Apple's iOS lockdown, where no process can escalate to kernel privileges, with or without owner consent. That depends on Apple being the only entity with the keys to the kingdom, and being trusted to keep the device secure.

On Linux, however, locking down (as iOS has done) so that no root process can escalate to kernel privileges is not going to happen - a root process with owner consent must be able to escalate to kernel privileges, via either a LKM, or by changing the bootloader configuration to change the kernel to one they control, by design.

As a result, any security design that depends on "root processes cannot get kernel privileges" on Linux needs you to be aware of the exception "unless there is owner consent", as opposed to the iOS variant, where the exception is "unless Apple as kernel developer consents".

Escalating from root to kernel

Posted May 31, 2026 17:13 UTC (Sun) by mb (subscriber, #50428) [Link] (2 responses)

Sure. That's exactly what I said.

However, "lockdown so that root cannot get kernel privileges if there's no owner consent" doesn't work in many cases currently. **This** is the thing I am talking about.
I am **not** talking about locking the owner out of the system.
I'm talking about making defense in depth possible, if the owner needs it.

Changing our view about attack vectors in filesystems is an important part of that.

Escalating from root to kernel

Posted Jun 1, 2026 9:08 UTC (Mon) by farnz (subscriber, #17727) [Link] (1 responses)

If that's what you said, why did you tell me that I was wrong for saying exactly that?

Your original claim was that I was wrong for saying that there are always going to be exceptions to the hard rule that root processes must not, under any circumstances, be allowed to gain kernel privileges. That means that there's no exception for owner consent.

Escalating from root to kernel

Posted Jun 1, 2026 16:18 UTC (Mon) by mb (subscriber, #50428) [Link]

The difference is that we are talking about two different things.
You are apparently talking about Linux as a whole and I am talking about a particular instance running. For a given instance it should be possible to restrict root from being equal to kernel privileges. For some configurations we already have that today (Android probably).
For Linux as a whole that's not the case, of course. It must always be possible to opt out of that per admin choice. (or rather the other way around to opt-in to lockdown, of course)
So, it's not really disagreement, it's two different things. Both are true at the same time.

Escalating from root to kernel

Posted Jun 1, 2026 8:52 UTC (Mon) by intelfx (subscriber, #130118) [Link] (3 responses)

Huh?

I got a headache trying to parse your point (and I still don't see one).

> As a result, any security design that depends on "root processes cannot get kernel privileges" on Linux needs you to be aware of the exception "unless there is owner consent", as opposed to the iOS variant, where the exception is "unless Apple as kernel developer consents".

You are describing a distinction without a difference. With Apple, the entity with the keys (Apple) is the owner and escalation may happen with its consent. With Linux, the entity with the keys is the owner (maybe local admin, maybe not) and escalation may happen with its consent. Your point?

Escalating from root to kernel

Posted Jun 1, 2026 9:06 UTC (Mon) by farnz (subscriber, #17727) [Link] (2 responses)

No - the owner is the legitimate purchaser of the device. Apple reserve, as OS developer, privileges that the device owner is not permitted to have (kernel-level access).

As a result, on an Apple system, there is a reason why a device owner cannot run a process that can get kernel privileges - Apple prohibit you from having kernel privileges on your device that you purchased from them. On Linux, it's more nuanced; the owner of the device is permitted to replace any part of the system, including the kernel, and thus you have to be aware that a subset of root processes are always going to be allowed to elevate themselves to kernel privileges.

In other words, on iOS, it's a bug if you can change the bootloader configuration (at all), or load a kernel module that you wrote (at all). On Linux, it's only a bug in some cases, and in other cases, that's the system as designed.

Escalating from root to kernel

Posted Jun 1, 2026 10:01 UTC (Mon) by intelfx (subscriber, #130118) [Link] (1 responses)

> No - the owner is the legitimate purchaser of the device. Apple reserve, as OS developer, privileges that the device owner is not permitted to have (kernel-level access).

Therefore Apple is the "platform owner", which is the only owner that matters (and, if we're frank, _is_ the entity that most closely represents the true philosophical owner). The notion of legal ownership of a product is only vaguely related.

Escalating from root to kernel

Posted Jun 1, 2026 12:14 UTC (Mon) by taladar (subscriber, #68407) [Link]

I think the point was more that on Linux the entire problem is a lot more complex because it doesn't have a single platform owner who decides all the low level details and prevents everyone else from making any changes, including the legal owner of the device.

Only global root can mount

Posted May 29, 2026 16:35 UTC (Fri) by DemiMarie (subscriber, #164188) [Link]

FYI, image-backed filesystems cannot be mounted by container root. Only global root can do that.

Specifically, Linux checks for CAP_SYS_ADMIN in the initial user namespace.

Second-class fs

Posted May 30, 2026 16:41 UTC (Sat) by rfunk (subscriber, #4054) [Link]

Anyone who is setting up a machine that they consider somehow special-purpose gets to a point of choosing a file system, and then quickly wishes for an indication of what’s recommended (beyond the obvious ext4) and what’s deprecated. I think a lot of people would appreciate having at least a deprecation indicator.


Copyright © 2026, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds