
Filesystem drivers in Rust


Posted Dec 17, 2025 8:09 UTC (Wed) by koflerdavid (subscriber, #176408)
In reply to: Filesystem drivers in Rust by hailfinger
Parent article: The state of the kernel Rust experiment

Maliciously corrupted file systems are a significant attack vector that the kernel is only insufficiently protected from. There is a reason why mount privileges are part of root.

Writing file systems is already complicated enough without having to worry about it being malicious. And as we have seen from the security hole in a Rust tar library, merely using Rust is not the solution.



Filesystem drivers in Rust

Posted Dec 17, 2025 9:07 UTC (Wed) by taladar (subscriber, #68407)

Rust implementations can indeed not protect you from bad, ambiguous standards like those two size fields in the tar one. Nor can it protect you from logic bugs.

That does not mean that it doesn't help you find those by saving you effort on all the other security issues though.

Filesystem drivers in Rust

Posted Dec 17, 2025 10:37 UTC (Wed) by koflerdavid (subscriber, #176408)

Being safe from malicious file systems comes from conscious design decisions that follow from recognizing file systems as an attack vector. Ambiguity is not magically absent from file systems either, especially in those with multiple implementations. Rust can help with these things of course, but overpromising on that is not a good look.

