Patch Detail
get:
Show a patch.
patch:
Update a patch.
put:
Update a patch.
GET /api/patches/2227010/?format=api
{ "id": 2227010, "url": "http://patchwork.ozlabs.org/api/patches/2227010/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-ext4/patch/20260422233255.GJ7739@frogsfrogsfrogs/", "project": { "id": 8, "url": "http://patchwork.ozlabs.org/api/projects/8/?format=api", "name": "Linux ext4 filesystem development", "link_name": "linux-ext4", "list_id": "linux-ext4.vger.kernel.org", "list_email": "linux-ext4@vger.kernel.org", "web_url": null, "scm_url": null, "webscm_url": null, "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20260422233255.GJ7739@frogsfrogsfrogs>", "list_archive_url": null, "date": "2026-04-22T23:32:55", "name": "[RFC,4/4] httpdirfs: enable fuse systemd service mode", "commit_ref": null, "pull_url": null, "state": "not-applicable", "archived": false, "hash": "c2a696fed0e81bc5ba5dde37d13a3d6f35faeaf9", "submitter": { "id": 77032, "url": "http://patchwork.ozlabs.org/api/people/77032/?format=api", "name": "Darrick J. Wong", "email": "djwong@kernel.org" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/linux-ext4/patch/20260422233255.GJ7739@frogsfrogsfrogs/mbox/", "series": [ { "id": 501128, "url": "http://patchwork.ozlabs.org/api/series/501128/?format=api", "web_url": "http://patchwork.ozlabs.org/project/linux-ext4/list/?series=501128", "date": "2026-04-22T23:29:50", "name": "[RFC,1/4] fusefatfs: enable fuse systemd service mode", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/501128/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/2227010/comments/", "check": "pending", "checks": "http://patchwork.ozlabs.org/api/patches/2227010/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "\n <SRS0=nkkv=CV=vger.kernel.org=linux-ext4+bounces-16037-patchwork-incoming=ozlabs.org@ozlabs.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "linux-ext4@vger.kernel.org" ], "Delivered-To": [ "patchwork-incoming@legolas.ozlabs.org", "patchwork-incoming@ozlabs.org" ], "Authentication-Results": [ "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=fRCNlYox;\n\tdkim-atps=neutral", "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=ozlabs.org\n (client-ip=150.107.74.76; helo=mail.ozlabs.org;\n envelope-from=srs0=nkkv=cv=vger.kernel.org=linux-ext4+bounces-16037-patchwork-incoming=ozlabs.org@ozlabs.org;\n receiver=patchwork.ozlabs.org)", "gandalf.ozlabs.org;\n arc=pass smtp.remote-ip=172.234.253.10 arc.chain=subspace.kernel.org", "gandalf.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=kernel.org", "gandalf.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=fRCNlYox;\n\tdkim-atps=neutral", "gandalf.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-ext4+bounces-16037-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org)", "smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=\"fRCNlYox\"", "smtp.subspace.kernel.org;\n arc=none smtp.client-ip=10.30.226.201" ], "Received": [ "from mail.ozlabs.org (gandalf.ozlabs.org [150.107.74.76])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g1FxC3T2jz1y2d\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 23 Apr 2026 09:36:47 +1000 (AEST)", "from mail.ozlabs.org (mail.ozlabs.org [IPv6:2404:9400:2221:ea00::3])\n\tby gandalf.ozlabs.org (Postfix) with ESMTP id 4g1FxC2xF8z4wKB\n\tfor <incoming@patchwork.ozlabs.org>; Thu, 23 Apr 2026 09:36:47 +1000 (AEST)", "by gandalf.ozlabs.org (Postfix)\n\tid 4g1FxC2rqjz4wKP; Thu, 23 Apr 2026 09:36:47 +1000 (AEST)", "from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby gandalf.ozlabs.org (Postfix) with ESMTPS id 4g1Fx76ysvz4wKB\n\tfor <patchwork-incoming@ozlabs.org>; Thu, 23 Apr 2026 09:36:43 +1000 (AEST)", "from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 3987230AAFA4\n\tfor <patchwork-incoming@ozlabs.org>; Wed, 22 Apr 2026 23:32:57 +0000 (UTC)", "from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 8EA74342173;\n\tWed, 22 Apr 2026 23:32:56 +0000 (UTC)", "from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org\n [10.30.226.201])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 50A1F1FBEBC;\n\tWed, 22 Apr 2026 23:32:56 +0000 (UTC)", "by smtp.kernel.org (Postfix) with ESMTPSA id 2121DC19425;\n\tWed, 22 Apr 2026 23:32:56 +0000 (UTC)" ], "ARC-Seal": [ "i=2; a=rsa-sha256; d=ozlabs.org; s=201707; t=1776901007; cv=pass;\n\tb=llam12orQhBBNiacoBmIt+ybOafU7NOCrNKpRVrH9yGv6Skr6t/nhBal8NzpZLPP9JAVp+DD/gAj4fyvnwMxmppMjeULnUkla5ZUPH0TQ7xzofX2V+i5hFAwPuaz+rWFK5Fr+oXVKe3Gwv0P2gazn6PRa6ZUkMw0gaS6MA1K1Xq0JvI/nahIyhEzu/6x9R+3/zxPaVOGbfH8H0Dxcrqv6IoutmLUtuPmx99io7qQ7NhByM4NefAFEU+tjvxknR/dXZa+aEXhGnrTSeKxUtJDbImGhbsyI01/kD4wDVG6ERj4FBdN9JpUJDtodm4g+43Z1e7F0oSrz2J9y4C7dK+/OQ==", "i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1776900776; cv=none;\n b=JYSdFjNJyBbdhLzNtHRLYNJKt9hhukY3sJ1+EBA8sVRC48cPLBEvSriDbXpIga73isrzPo+eiYOCeRkHuZFyRsy5GQWPyt2YMk6z+fHcnF8fWIZV7G4U9oAnZp/HU9gn9OVc0iknQCl4pnHw0baqfuOHjlR/hq2V6xReHHVSxE8=" ], "ARC-Message-Signature": [ "i=2; a=rsa-sha256; d=ozlabs.org; s=201707;\n\tt=1776901007; c=relaxed/relaxed;\n\tbh=VDYRYnhUJ0poa94sOeR8n2oFJzNPif49dWi+4pxh/sU=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Ovup/CSnCtQL6WQiJLV0qhx/K4MsrEZEJzaR4hKwPZdILjrAsEUUC1LXwOH8iYdxB4zl0/Fq+ifY3FmapH6lZ6rvKZ4kvysBFdjGgbYICjeqOXJWCs1oxEyHqaOojasNz4OFbLZTMv+MRA1D0vnE6kOjwan8Brxk+CazhBjNELkyjKFLFbvVBCkQbahBa8/y+gyhpLEJTafhVKJJciDmVsjTGvs5H51xExamwGRvd6Zc9AcjF4bb9InawbrcBncPSzIcMNTK7NhxMdIvbIEK11MHP+O/YX5SoeB+T0CdhUWvUMT/y54QMCchaeL3PShaDe2VevwpjYY1Xf9QuSiJQw==", "i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1776900776; c=relaxed/simple;\n\tbh=Mr4XuetFvL1CpNi8BM91LvuBxo/gWXceGxVA4B3PsI0=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=qq64Dny7x2DKxAv8beJZnwgJW+pnt0fIOVeECegeHWrmDxu/TkMlj2Wu/ltABc+73UkR3wM3krjPysvfv5vw66g4xeDnQ831ig9kJ0/EKC0qZ2zOXjOELezAQ1nh/wHjQsijUnnKLA0CWTE8qPLoL5kxnpU4iaMPaEjC88sqMWs=" ], "ARC-Authentication-Results": [ "i=2; gandalf.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=kernel.org;\n dkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=fRCNlYox; dkim-atps=neutral;\n spf=pass (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=linux-ext4+bounces-16037-patchwork-incoming=ozlabs.org@vger.kernel.org;\n receiver=ozlabs.org) smtp.mailfrom=vger.kernel.org", "i=1; smtp.subspace.kernel.org;\n dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org\n header.b=fRCNlYox; arc=none smtp.client-ip=10.30.226.201" ], "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1776900776;\n\tbh=Mr4XuetFvL1CpNi8BM91LvuBxo/gWXceGxVA4B3PsI0=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=fRCNlYoxYkytcGj6vzmuGHyTox/PpJqr3oNevZqEhAbyygAt4nQvNIcSqlch1LOUe\n\t CVTRZAIi+NpERhk3QPk+sT9UBdIgyCAy7ZUN2J3vrvjeQE49OZXMZo5K1E2jOshngB\n\t o0dU0jl/8b3u5mR8SzRHwNLiyjI6aXAn0awEzOEh8+VBousAdhVOgZf+R9jgKe5dt/\n\t hipVStbUwx9ZTiBJIPNmWSNWiO2Fgy1kdKVz2u8CJvSmFcBJ76XjeE0mW7P0+1QGI8\n\t 1uD50xTDjBpiybP0/pvjmt8yMWmA9uvplnt3t1YyLU67A7sebVRnZrDsT0t6QXPtwa\n\t KRAs2TaaacYHw==", "Date": "Wed, 22 Apr 2026 16:32:55 -0700", "From": "\"Darrick J. Wong\" <djwong@kernel.org>", "To": "linux-fsdevel <linux-fsdevel@vger.kernel.org>,\n\tlinux-ext4 <linux-ext4@vger.kernel.org>,\n\tfuse-devel <fuse-devel@lists.linux.dev>", "Cc": "Miklos Szeredi <miklos@szeredi.hu>, Bernd Schubert <bernd@bsbernd.com>,\n\tJoanne Koong <joannelkoong@gmail.com>,\n\tTheodore Ts'o <tytso@mit.edu>, Neal Gompa <neal@gompa.dev>,\n\tAmir Goldstein <amir73il@gmail.com>,\n\tChristian Brauner <brauner@kernel.org>, demiobenour@gmail.com", "Subject": "[RFC PATCH 4/4] httpdirfs: enable fuse systemd service mode", "Message-ID": "<20260422233255.GJ7739@frogsfrogsfrogs>", "References": "<20260422231518.GA7717@frogsfrogsfrogs>", "Precedence": "bulk", "X-Mailing-List": "linux-ext4@vger.kernel.org", "List-Id": "<linux-ext4.vger.kernel.org>", "List-Subscribe": "<mailto:linux-ext4+subscribe@vger.kernel.org>", "List-Unsubscribe": "<mailto:linux-ext4+unsubscribe@vger.kernel.org>", "MIME-Version": "1.0", "Content-Type": "text/plain; charset=us-ascii", "Content-Disposition": "inline", "In-Reply-To": "<20260422231518.GA7717@frogsfrogsfrogs>", "X-Spam-Status": "No, score=-1.2 required=5.0 tests=ARC_SIGNED,ARC_VALID,\n\tDKIMWL_WL_HIGH,DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DMARC_PASS,\n\tMAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=disabled\n\tversion=4.0.1", "X-Spam-Checker-Version": "SpamAssassin 4.0.1 (2024-03-25) on gandalf.ozlabs.org" }, "content": "From: Darrick J. Wong <djwong@kernel.org>\n\nEnable use of httpdirfs as a contained systemd service.\n\nSigned-off-by: Darrick J. Wong <djwong@kernel.org>\n---\n src/fuse_local.h | 2 +\n meson.build | 26 ++++++++++++\n src/fuse_local.c | 62 ++++++++++++++++++++++++++++\n src/httpdirfs.socket.in | 16 +++++++\n src/httpdirfs@.service.in | 99 +++++++++++++++++++++++++++++++++++++++++++++\n src/main.c | 7 +++\n 6 files changed, 210 insertions(+), 2 deletions(-)\n create mode 100644 src/httpdirfs.socket.in\n create mode 100644 src/httpdirfs@.service.in", "diff": "diff --git a/src/fuse_local.h b/src/fuse_local.h\nindex 9f459c1e1a8151..69157cd3fa7883 100644\n--- a/src/fuse_local.h\n+++ b/src/fuse_local.h\n@@ -9,4 +9,6 @@\n /* Initialise fuse */\n int fuse_local_init(int argc, char **argv);\n \n+int fuse_local_main(int argc, char *argv[], int (*main)(int argc, char **argv));\n+\n #endif\ndiff --git a/meson.build b/meson.build\nindex 431a1547b20bfc..5d7c4721bb756c 100644\n--- a/meson.build\n+++ b/meson.build\n@@ -41,6 +41,32 @@ expat_dep = dependency('expat')\n openssl_dep = dependency('openssl')\n execinfo_dep = cc.find_library('execinfo', required: false)\n \n+# Check for systemd support\n+systemd_dep = dependency('systemd', required: false)\n+if systemd_dep.found()\n+ systemd_system_unit_dir = systemd_dep.get_variable(pkgconfig: 'systemd_system_unit_dir', default_value: '')\n+ libfuse_service_socket_dir = fuse_dep.get_variable(pkgconfig: 'service_socket_dir', default_value: '')\n+ libfuse_service_socket_perms = fuse_dep.get_variable(pkgconfig: 'service_socket_perms', default_value: '')\n+endif\n+\n+private_cfg = configuration_data()\n+if systemd_system_unit_dir == '' or libfuse_service_socket_dir == ''\n+ warning('systemd service support will not be built')\n+else\n+ private_cfg.set('SYSTEMD_SYSTEM_UNIT_DIR', systemd_system_unit_dir)\n+ private_cfg.set('LIBFUSE_SERVICE_SOCKET_DIR', libfuse_service_socket_dir)\n+ private_cfg.set('LIBFUSE_SERVICE_SOCKET_PERMS', libfuse_service_socket_perms)\n+ private_cfg.set('BINDIR', get_option('bindir'))\n+ c_args += [ '-DHAVE_HTTPDIR_FUSE_SERVICE' ]\n+\n+ configure_file(input: 'src/httpdirfs@.service.in',\n+ output: 'httpdirfs@.service',\n+ configuration: private_cfg)\n+ configure_file(input: 'src/httpdirfs.socket.in',\n+ output: 'httpdirfs.socket',\n+ configuration: private_cfg)\n+endif\n+\n httpdirfs = executable('httpdirfs',\n srcs,\n dependencies : [gumbo_dep, libcurl_dep, fuse_dep, uuid_dep, expat_dep, openssl_dep, execinfo_dep],\ndiff --git a/src/fuse_local.c b/src/fuse_local.c\nindex ae9778f84e6ef3..c373bd67214335 100644\n--- a/src/fuse_local.c\n+++ b/src/fuse_local.c\n@@ -6,13 +6,58 @@\n /*\n * must be included before including <fuse.h>\n */\n-#define FUSE_USE_VERSION 30\n+#define FUSE_USE_VERSION 319\n #include <fuse.h>\n \n #include <errno.h>\n #include <string.h>\n #include <unistd.h>\n \n+#ifdef HAVE_HTTPDIR_FUSE_SERVICE\n+# include <sys/mount.h>\n+# include <fuse_service.h>\n+\n+static struct fuse_service *service;\n+\n+static inline bool fs_is_service(void)\n+{\n+\treturn fuse_service_accepted(service);\n+}\n+\n+static int fs_service_connect(struct fuse_args *args)\n+{\n+\tint ret;\n+\n+\tret = fuse_service_accept(&service);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\tif (fuse_service_accepted(service))\n+\t\treturn fuse_service_append_args(service, args);\n+\n+\treturn 0;\n+}\n+\n+static int fs_service_run(int argc, char **argv,\n+\t\t\t const struct fuse_operations *fs_oper)\n+{\n+\tstruct fuse_args args = FUSE_ARGS_INIT(argc, argv);\n+\tint exitcode;\n+\n+\tfuse_service_expect_mount_format(service, S_IFDIR);\n+\texitcode = fuse_service_main(service, &args, fs_oper, NULL);\n+\n+\tfuse_service_send_goodbye(service, exitcode);\n+\tfuse_service_destroy(&service);\n+\n+\treturn fuse_service_exit(exitcode);\n+}\n+#else\n+# define fs_is_service(...)\t\t(false)\n+# define fs_service_connect(...)\t(0)\n+# define fs_service_run(...)\t\t(1)\n+#endif /* HAVE_HTTPDIR_FUSE_SERVICE */\n+\n static void *fs_init(struct fuse_conn_info *conn, struct fuse_config *cfg)\n {\n (void) conn;\n@@ -183,5 +228,20 @@ static struct fuse_operations fs_oper = {\n \n int fuse_local_init(int argc, char **argv)\n {\n+ if (fs_is_service())\n+ return fs_service_run(argc, argv, &fs_oper);\n+\n return fuse_main(argc, argv, &fs_oper, NULL);\n }\n+\n+int fuse_local_main(int argc, char *argv[], int (*main)(int argc, char **argv))\n+{\n+\tstruct fuse_args args = FUSE_ARGS_INIT(argc, argv);\n+\tint ret;\n+\n+\tret = fs_service_connect(&args);\n+\tif (ret)\n+\t\treturn ret;\n+\n+\treturn main(args.argc, args.argv);\n+}\ndiff --git a/src/httpdirfs.socket.in b/src/httpdirfs.socket.in\nnew file mode 100644\nindex 00000000000000..ae587646ad707e\n--- /dev/null\n+++ b/src/httpdirfs.socket.in\n@@ -0,0 +1,16 @@\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+#\n+# Copyright (C) 2026 Oracle. All Rights Reserved.\n+# Author: Darrick J. Wong <djwong@kernel.org>\n+[Unit]\n+Description=Socket for httpdirfs Service\n+\n+[Socket]\n+ListenSequentialPacket=@LIBFUSE_SERVICE_SOCKET_DIR@/http\n+ListenSequentialPacket=@LIBFUSE_SERVICE_SOCKET_DIR@/https\n+Accept=yes\n+SocketMode=@LIBFUSE_SERVICE_SOCKET_PERMS@\n+RemoveOnStop=yes\n+\n+[Install]\n+WantedBy=sockets.target\ndiff --git a/src/httpdirfs@.service.in b/src/httpdirfs@.service.in\nnew file mode 100644\nindex 00000000000000..d808feca3238d7\n--- /dev/null\n+++ b/src/httpdirfs@.service.in\n@@ -0,0 +1,99 @@\n+# SPDX-License-Identifier: GPL-2.0-or-later\n+#\n+# Copyright (C) 2026 Oracle. All Rights Reserved.\n+# Author: Darrick J. Wong <djwong@kernel.org>\n+[Unit]\n+Description=httpdirfs Service\n+\n+# Don't leave failed units behind, systemd does not clean them up!\n+CollectMode=inactive-or-failed\n+\n+[Service]\n+Type=exec\n+ExecStart=/@BINDIR@/httpdirfs\n+\n+# Try to capture core dumps\n+LimitCORE=infinity\n+\n+SyslogIdentifier=%N\n+\n+# No realtime CPU scheduling\n+RestrictRealtime=true\n+\n+# Don't let us see anything in the regular system, and don't run as root\n+DynamicUser=true\n+ProtectSystem=strict\n+ProtectHome=true\n+PrivateTmp=true\n+PrivateDevices=true\n+PrivateUsers=true\n+\n+# Some network access\n+ProtectHostname=true\n+\n+# Don't let the program mess with the kernel configuration at all\n+ProtectKernelLogs=true\n+ProtectKernelModules=true\n+ProtectKernelTunables=true\n+ProtectControlGroups=true\n+ProtectProc=invisible\n+RestrictNamespaces=true\n+RestrictFileSystems=\n+\n+# Hide everything in /proc, even /proc/mounts\n+ProcSubset=pid\n+\n+# Only allow the default personality Linux\n+LockPersonality=true\n+\n+# No writable memory pages\n+MemoryDenyWriteExecute=true\n+\n+# Don't let our mounts leak out to the host\n+PrivateMounts=true\n+\n+# Restrict system calls to the native arch and only enough to get things going\n+SystemCallArchitectures=native\n+SystemCallFilter=@system-service\n+#SystemCallFilter=~@privileged\t# not sure why this breaks http??\n+SystemCallFilter=~@resources\n+\n+SystemCallFilter=~@clock\n+SystemCallFilter=~@cpu-emulation\n+SystemCallFilter=~@debug\n+SystemCallFilter=~@module\n+SystemCallFilter=~@reboot\n+SystemCallFilter=~@swap\n+\n+SystemCallFilter=~@mount\n+\n+# libfuse io_uring wants to pin cores and memory\n+SystemCallFilter=mbind\n+SystemCallFilter=sched_setaffinity\n+\n+# Leave a breadcrumb if we get whacked by the system call filter\n+SystemCallErrorNumber=EL3RST\n+\n+# Log to the kernel dmesg, just like an in-kernel ext4 driver\n+StandardOutput=append:/dev/ttyprintk\n+StandardError=append:/dev/ttyprintk\n+\n+# Run with no capabilities at all\n+CapabilityBoundingSet=\n+AmbientCapabilities=\n+NoNewPrivileges=true\n+\n+# fuse4fs doesn't create files\n+UMask=7777\n+\n+# No access to hardware /dev files at all\n+ProtectClock=true\n+DevicePolicy=closed\n+\n+# Don't mess with set[ug]id anything.\n+RestrictSUIDSGID=true\n+\n+# Don't let OOM kills of processes in this containment group kill the whole\n+# service, because we don't want filesystem drivers to go down.\n+OOMPolicy=continue\n+OOMScoreAdjust=-1000\ndiff --git a/src/main.c b/src/main.c\nindex c93162a9bf4129..4c23d4e5d4419f 100644\n--- a/src/main.c\n+++ b/src/main.c\n@@ -16,7 +16,7 @@ void parse_config_file(char ***argv, int *argc);\n \n static char *config_path = NULL;\n \n-int main(int argc, char **argv)\n+static int __main(int argc, char **argv)\n {\n /*\n * Automatically print help if not enough arguments are supplied\n@@ -114,6 +114,11 @@ activate Sonic mode.\\n\");\n return 0;\n }\n \n+int main(int argc, char *argv[])\n+{\n+\treturn fuse_local_main(argc, argv, __main);\n+}\n+\n static char *get_XDG_CONFIG_HOME(void)\n {\n const char *default_config_subdir = \"/.config\";\n", "prefixes": [ "RFC", "4/4" ] }