From: Jens Axboe <axboe@kernel.dk>
To: io-uring@vger.kernel.org
Cc: brauner@kernel.org, jannh@google.com, kees@kernel.org,
linux-kernel@vger.kernel.org
Subject: [PATCHSET v6] Inherited restrictions and BPF filtering for io_uring
Date: Mon, 19 Jan 2026 16:54:23 -0700
Message-ID: <20260119235456.1722452-1-axboe@kernel.dk>
Hi,

Followup to v5 here:

https://lore.kernel.org/io-uring/20260118172328.1067592-1-axboe@kernel.dk/

Mostly just addressing a bit of feedback; feature-wise this is all the
same as before. For details on the patches, see the v5 posting linked
above. For details on the changes, see the changes section below.

Kernel branch can be found here:

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-bpf-restrictions.3

and a liburing branch with support helpers, man page, and a fairly
substantial test case can be found here:

https://git.kernel.org/pub/scm/linux/kernel/git/axboe/liburing.git/log/?h=bpf-restrictions

Feedback welcome!

Changes since v5:
- Disallow setting or appending filters for no_new_privs, unless the
user is also CAP_SYS_ADMIN (Aleksa)
- Add support for filtering of IORING_OP_OPENAT/OPENAT2, in terms of
being able to deny certain resolve or creation flags.
- Change layout of io_uring_bpf_ctx slightly, for easier/faster clearing
of unused members.
- Expand liburing test cases to cover both the no_new_privs situation,
and testing the OPENAT/OPENAT2 filters.
include/linux/io_uring.h | 14 +-
include/linux/io_uring_types.h | 13 +
include/linux/sched.h | 1 +
include/uapi/linux/io_uring.h | 10 +
include/uapi/linux/io_uring/bpf_filter.h | 62 ++++
io_uring/Kconfig | 5 +
io_uring/Makefile | 1 +
io_uring/bpf_filter.c | 436 +++++++++++++++++++++++
io_uring/bpf_filter.h | 48 +++
io_uring/io_uring.c | 48 +++
io_uring/io_uring.h | 1 +
io_uring/net.c | 9 +
io_uring/net.h | 6 +
io_uring/openclose.c | 9 +
io_uring/openclose.h | 3 +
io_uring/register.c | 91 +++++
io_uring/tctx.c | 42 ++-
kernel/fork.c | 5 +
18 files changed, 794 insertions(+), 10 deletions(-)
--
Jens Axboe
Thread overview: 15+ messages
2026-01-19 23:54 Jens Axboe [this message]
2026-01-19 23:54 ` [PATCH 1/7] io_uring: add support for BPF filtering for opcode restrictions Jens Axboe
2026-01-27 10:06 ` Christian Brauner
2026-01-27 16:41 ` Jens Axboe
2026-01-19 23:54 ` [PATCH 2/7] io_uring/net: allow filtering on IORING_OP_SOCKET data Jens Axboe
2026-01-19 23:54 ` [PATCH 3/7] io_uring/bpf_filter: allow filtering on contents of struct open_how Jens Axboe
2026-01-27 9:33 ` Christian Brauner
2026-01-19 23:54 ` [PATCH 4/7] io_uring/bpf_filter: cache lookup table in ctx->bpf_filters Jens Axboe
2026-01-27 9:33 ` Christian Brauner
2026-01-19 23:54 ` [PATCH 5/7] io_uring/bpf_filter: add ref counts to struct io_bpf_filter Jens Axboe
2026-01-27 9:34 ` Christian Brauner
2026-01-19 23:54 ` [PATCH 6/7] io_uring: add task fork hook Jens Axboe
2026-01-27 10:07 ` Christian Brauner
2026-01-19 23:54 ` [PATCH 7/7] io_uring: allow registration of per-task restrictions Jens Axboe
2026-01-22 3:37 ` [PATCHSET v6] Inherited restrictions and BPF filtering for io_uring Jens Axboe