seccomp: block io_uring_* syscalls in default profile

This syncs the seccomp profile with changes made to containerd's default
profile in [1].

The original containerd issue and PR mention:

> Security experts generally believe io_uring to be unsafe. In fact
> Google ChromeOS and Android have turned it off, plus all Google
> production servers turn it off. Based on the blog published by Google
> below it seems like a bunch of vulnerabilities related to io_uring can
> be exploited to break out of the container.
>
> [2]
>
> Other security researchers also hold this opinion: see [3] for a
> blackhat presentation on io_uring exploits.

For the record, these syscalls were added to the allowlist in [4].

[1]: a48ddf4a20
[2]: https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html
[3]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf
[4]: https://github.com/moby/moby/pull/39415

Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Albin Kerouanton 2023-11-02 18:47:55 +01:00
parent f44b085da6
commit 891241e7e7
No known key found for this signature in database
GPG key ID: 630B8E1DCBDB1864
2 changed files with 0 additions and 6 deletions

@ -183,9 +183,6 @@
"ioprio_set", "ioprio_set",
"io_setup", "io_setup",
"io_submit", "io_submit",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"ipc", "ipc",
"kill", "kill",
"landlock_add_rule", "landlock_add_rule",
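Review bot: with the three names simply removed from the allowlist, io_uring_setup, io_uring_enter and io_uring_register now fall through to the profile's default action instead of being matched by an explicit rule, so any workload that has relied on io_uring since they were allowed in [4] will fail at io_uring_setup time. That behaviour change deserves a changelog entry and a sentence in the seccomp documentation telling users who need io_uring to supply a custom profile that re-adds the three syscalls. The surrounding list remains in alphabetical order after the removal, so no style issue there.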

@ -175,9 +175,6 @@ func DefaultProfile() *Seccomp {
"ioprio_set", "ioprio_set",
"io_setup", "io_setup",
"io_submit", "io_submit",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"ipc", "ipc",
"kill", "kill",
"landlock_add_rule", "landlock_add_rule",
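Review bot: this hunk mirrors the JSON hunk entry for entry, which is the desired outcome, but nothing here prevents the two copies from drifting apart again. If the JSON profile is generated from DefaultProfile(), regenerate it rather than editing both by hand; either way, add a test asserting that "io_uring_enter", "io_uring_register" and "io_uring_setup" are absent from the allowlist returned by DefaultProfile(), so a later sync with containerd's profile cannot quietly re-add them.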