From 891241e7e74d4aae6de5f6125574eb994f25e169 Mon Sep 17 00:00:00 2001 From: Albin Kerouanton Date: Thu, 2 Nov 2023 18:47:55 +0100 Subject: [PATCH] seccomp: block io_uring_* syscalls in default profile This syncs the seccomp profile with changes made to containerd's default profile in [1]. The original containerd issue and PR mention: > Security experts generally believe io_uring to be unsafe. In fact > Google ChromeOS and Android have turned it off, plus all Google > production servers turn it off. Based on the blog published by Google > below it seems like a bunch of vulnerabilities related to io_uring can > be exploited to break out of the container. > > [2] > > Other security researchers also hold this opinion: see [3] for a > blackhat presentation on io_uring exploits. For the record, these syscalls were added to the allowlist in [4]. [1]: https://github.com/containerd/containerd/commit/a48ddf4a208b24eadea82f0eac62e236f2acf004 [2]: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html [3]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf [4]: https://github.com/moby/moby/pull/39415 Signed-off-by: Albin Kerouanton --- profiles/seccomp/default.json | 3 --- profiles/seccomp/default_linux.go | 3 --- 2 files changed, 6 deletions(-) diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json index cf785ef2c0..c6d82f668b 100644 --- a/profiles/seccomp/default.json +++ b/profiles/seccomp/default.json @@ -183,9 +183,6 @@ "ioprio_set", "io_setup", "io_submit", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", "ipc", "kill", "landlock_add_rule", diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go index c9ee041677..d2f7d5653a 100644 --- a/profiles/seccomp/default_linux.go +++ b/profiles/seccomp/default_linux.go 
@@ -175,9 +175,6 @@ func DefaultProfile() *Seccomp { "ioprio_set", "io_setup", "io_submit", - "io_uring_enter", - "io_uring_register", - "io_uring_setup", "ipc", "kill", "landlock_add_rule",
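Review bot: In the profiles/seccomp/default.json hunk, the three io_uring_* names are only deleted from the allowlist, so the resulting behaviour for those syscalls is whatever the profile's defaultAction is, which this hunk does not show; the subject line says "block", so the commit message should state what a container actually observes after this change (the errno returned by the default action) and that users who depend on io_uring must supply a custom profile to keep it, since this is a visible behaviour change for existing workloads.

Review bot: In the profiles/seccomp/default_linux.go hunk, DefaultProfile() and default.json are edited in lockstep by hand, and nothing in this patch guards against the two drifting apart again; suggest adding a unit test that asserts "io_uring_enter", "io_uring_register" and "io_uring_setup" are absent from the names DefaultProfile() returns (and from the parsed JSON profile), so a later allowlist addition to one file without the other fails CI rather than silently re-enabling io_uring in one path.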