[PATCH 0/1] Add a sysctl to disable io_uring system-wide

From: Matteo Rizzo
Date: Tue Jun 27 2023 - 08:01:24 EST


Over the last few years we've seen many critical vulnerabilities in
io_uring (https://goo.gle/limit-iouring) which could be exploited by
an unprivileged process. There is currently no way to disable io_uring
system-wide except by compiling it out of the kernel entirely. The only
way to prevent a process from accessing io_uring is to use a seccomp
filter, but seccomp cannot be applied system-wide. This patch introduces a
new sysctl which disables the creation of new io_uring instances
system-wide. This gives system admins a way to reduce the kernel's attack
surface on systems where io_uring is not used.


Matteo Rizzo (1):
Add a new sysctl to disable io_uring system-wide

Documentation/admin-guide/sysctl/kernel.rst | 14 ++++++++++++
io_uring/io_uring.c | 24 +++++++++++++++++++++
2 files changed, 38 insertions(+)

--
2.41.0.162.gfafddb0af9-goog
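A check an administrator can run to confirm that instance creation is actually blocked, as an added example that is not part of this series: a small C program that attempts io_uring_setup() directly and reports the outcome. It assumes a Linux build environment with <linux/io_uring.h>; the sysctl name and errno named in the comments (kernel.io_uring_disabled, EPERM) are those of the version later merged into mainline and are not stated in this cover letter.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/io_uring.h>

/* io_uring_setup has number 425 on every architecture since Linux 5.1;
 * older libc headers may not define the constant, so fall back to it. */
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup 425
#endif

/* Try to create a minimal io_uring instance as the calling process.
 * Returns 0 if the kernel handed back a ring (closed again at once),
 * or the positive errno the syscall failed with. With the system-wide
 * disable active (mainline: kernel.io_uring_disabled, an assumption
 * about this series) the expected result is EPERM; ENOSYS means the
 * kernel was built without io_uring at all. */
int probe_io_uring(void)
{
    struct io_uring_params p;
    memset(&p, 0, sizeof(p));               /* default flags, no SQPOLL etc. */
    long fd = syscall(__NR_io_uring_setup, 4, &p);   /* 4 SQ entries */
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

int main(void)
{
    int err = probe_io_uring();
    if (err == 0)
        puts("io_uring_setup succeeded: io_uring is reachable from this process");
    else
        printf("io_uring_setup failed: %s (errno %d)\n", strerror(err), err);
    return 0;
}
```

Run it once before and once after setting the sysctl (and, for comparison, under a seccomp filter that denies io_uring_setup) to see which of the two mechanisms is actually in effect for a given process.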