public inbox for [email protected]
* [PATCH 0/1] Add a sysctl to disable io_uring system-wide
@ 2023-06-27 12:00 Matteo Rizzo
From: Matteo Rizzo @ 2023-06-27 12:00 UTC (permalink / raw)
  To: linux-doc, linux-kernel, io-uring
  Cc: matteorizzo, jordyzomer, evn, poprdi, corbet, axboe, asml.silence,
	akpm, keescook, rostedt, dave.hansen, ribalda, chenhuacai, steve,
	gpiccoli, ldufour

Over the last few years we've seen many critical vulnerabilities in
io_uring (https://goo.gle/limit-iouring) which could be exploited by
an unprivileged process. There is currently no way to disable io_uring
system-wide except by compiling it out of the kernel entirely. The only
way to prevent a process from accessing io_uring is to use a seccomp
filter, but seccomp cannot be applied system-wide. This patch introduces a
new sysctl which disables the creation of new io_uring instances
system-wide. This gives system admins a way to reduce the kernel's attack
surface on systems where io_uring is not used.


Matteo Rizzo (1):
  Add a new sysctl to disable io_uring system-wide

 Documentation/admin-guide/sysctl/kernel.rst | 14 ++++++++++++
 io_uring/io_uring.c                         | 24 +++++++++++++++++++++
 2 files changed, 38 insertions(+)

-- 
2.41.0.162.gfafddb0af9-goog



Thread overview: 11+ messages
2023-06-27 12:00 [PATCH 0/1] Add a sysctl to disable io_uring system-wide Matteo Rizzo
2023-06-27 12:00 ` [PATCH 1/1] Add a new " Matteo Rizzo
2023-06-27 16:23   ` Randy Dunlap
2023-06-27 17:10   ` Bart Van Assche
2023-06-27 18:15     ` Matteo Rizzo
2023-06-28 11:36       ` Ricardo Ribalda
2023-06-28 15:12         ` Matteo Rizzo
2023-06-28 15:59           ` Jeff Moyer
2023-06-28 15:59           ` Ricardo Ribalda
2023-06-28 13:50   ` Gabriel Krisman Bertazi
2023-06-28 15:59     ` Jeff Moyer
