Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp17586135rwd; Tue, 27 Jun 2023 05:14:53 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ6YQ7LFeQO3WB7bdXZWwEwp5HO0atdRc2ObKHfp3rCXOiHFYX1SF1KspSB8vVJuczlrvu9o X-Received: by 2002:a05:6830:12c5:b0:6b7:9a33:8580 with SMTP id a5-20020a05683012c500b006b79a338580mr2998383otq.30.1687868093676; Tue, 27 Jun 2023 05:14:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1687868093; cv=none; d=google.com; s=arc-20160816; b=wQ638vHsmm+tPKj67Nlxqvm9ylCdM2tNzhqVQmARUwtsoXLl3QKa4hfMNBbY5d4K5m pB7pf0GljRlCrlacqwO9gC80fqyxqtwugSTcquVeOFgc9j310IUdwbPUhBHBCKDrhPCj r6+ViNJtLyAv7lMLBOI7vOni61AGy8bliK8/TT5pPO9hsTcl/gu3ewIBfALZXrS+qDVf VLDV4Oyy7i/22IW/7lfmVyg/dbuqaHo62m1t2Wugm45w3tyLit51KepldqyZju9s07Pp gidDLAQTXhzSItFY5tiI1NqZPkT1n7HsUCWzf3mUz/fTraWGZtwuu0n86cY7FtyNj6GF Z8/g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:from:subject:message-id:mime-version:date :dkim-signature; bh=omb5WPHKjIF19VjpQzIDwr44TOan0N70O5D7yB8S/xM=; fh=H2vRfsNEMhBeTL+1OLMblEyJvwlPcpktZW1IdWwF5vI=; b=BC5mdG8W6SRoJs2F6UKfKRgL6IJWxTpzWrBBsobsJ/GCIz8bJRpD3bPNPA4KwEBX3k tuQGYcl0eThgKsXKHoVw+d0QEapL8pABk6JCc38nGhy/W1nSEsJ13LhLBuuWdpbnsr6L v2EjlLGMrw80I1IbM/9agCGCZyMznE3/D3jX4cCR5QdiCYztr0nE5GiwyvqlZIDabmg5 WCRr5/fG6LHOSflbxSalYaPE8YO7Kj+XigUQP6tQdDy6OquyDO7L3PgS4PlFxkpy7gJA lbuJfHLlAMDDL2ykLg/bsq3U0ez2ZlQOdBuhQEmSgCJGR7xg28vZdYFONl1gPFgmSjZ+ L41A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=sgTrVNvk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 190-20020a6300c7000000b0051374678f95si6617510pga.808.2023.06.27.05.14.40; Tue, 27 Jun 2023 05:14:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20221208 header.b=sgTrVNvk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231691AbjF0MBV (ORCPT + 99 others); Tue, 27 Jun 2023 08:01:21 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59658 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231669AbjF0MBT (ORCPT ); Tue, 27 Jun 2023 08:01:19 -0400 Received: from mail-ej1-x649.google.com (mail-ej1-x649.google.com [IPv6:2a00:1450:4864:20::649]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id ED0CD10FC for ; Tue, 27 Jun 2023 05:01:17 -0700 (PDT) Received: by mail-ej1-x649.google.com with SMTP id a640c23a62f3a-98277fac2a1so329687066b.3 for ; Tue, 27 Jun 2023 05:01:17 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20221208; t=1687867276; x=1690459276; h=cc:to:from:subject:message-id:mime-version:date:from:to:cc:subject :date:message-id:reply-to; bh=omb5WPHKjIF19VjpQzIDwr44TOan0N70O5D7yB8S/xM=; b=sgTrVNvkO/s7GNIOFrnUhXqW1ZkkCVKfF86rogYZARyOrKzP19DbviI5F9if8TsIc1 oDAzqFfa0s+F+ZLOLwhOz9Ylgrn+qF+ZDOhYkhBrpIwJAtjYX+D1MpkAAlJVgDPVMf/X nQKI2fiAi0K0r3dAzJJgVFk0AV7Z+ztC2zFQG9b9TqEm6Tfn53XxL1uPWsxF2oVvzCXu Ea5AmggmgkwD1lrpV/t561g1NZgwHD47jQlB5B+EorEbaVeftVWW2m5I6WE3BaT7lOvm VE1McLhJxq2AIGHqsMjBZ1P0TSVEMVp/xH3nDyM+3l0+L/pTzzitphIOqaRQ4jY7Cx45 c4rA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1687867276; x=1690459276; h=cc:to:from:subject:message-id:mime-version:date:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=omb5WPHKjIF19VjpQzIDwr44TOan0N70O5D7yB8S/xM=; b=QilYOKNpWfctFQdMPa9eqeOcypAc1dDhhsgVIp9wSl/MF1r7a2fWjcMpOOVTAKs8Du hBgGIEG2pPfJJZoA+iWc1AneKRQs0to9npLBnhOKX4cGJt4IJWZtLGchXl5hPI95DE2O mL6meAM5r5qAiROXs7gNVFJ//RnFkYAnLdstINC6kEs19CVLwBL+ZFOzZcS97c6V+xGl QUenF3kA00TgXA3qxzem396vSUdMGtXEIYjk5L/DwoDfWsnI/bG8mLuI5Ayr1JlRM0f1 UhjbyIqTVFAwhEh10Jd/BrXdhh1HtiSU5pkgH54grfMdDJQ12oPKayG0IZFAcXP9wNOG 5m/w== X-Gm-Message-State: AC+VfDxARd3a/judZG+IBwGK0eenxYmVGd2yeNiynBgBb/kDDNZ24xXy exu/pyktDn1++FB+JDlA4LAYt+4GkHgXY2WL9A== X-Received: from mr-cloudtop2.c.googlers.com ([fda3:e722:ac3:cc00:31:98fb:c0a8:fb5]) (user=matteorizzo job=sendgmr) by 2002:a17:907:75d9:b0:98e:413a:477b with SMTP id jl25-20020a17090775d900b0098e413a477bmr1131845ejc.10.1687867276551; Tue, 27 Jun 2023 05:01:16 -0700 (PDT) Date: Tue, 27 Jun 2023 12:00:57 +0000 Mime-Version: 1.0 X-Mailer: git-send-email 2.41.0.162.gfafddb0af9-goog Message-ID: <20230627120058.2214509-1-matteorizzo@google.com> Subject: [PATCH 0/1] Add a sysctl to disable io_uring system-wide From: Matteo Rizzo To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org Cc: matteorizzo@google.com, jordyzomer@google.com, evn@google.com, poprdi@google.com, corbet@lwn.net, axboe@kernel.dk, asml.silence@gmail.com, akpm@linux-foundation.org, keescook@chromium.org, rostedt@goodmis.org, dave.hansen@linux.intel.com, ribalda@chromium.org, chenhuacai@kernel.org, steve@sk2.org, gpiccoli@igalia.com, ldufour@linux.ibm.com Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED, USER_IN_DEF_DKIM_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Over the last few years we've seen many critical vulnerabilities in io_uring (https://goo.gle/limit-iouring) which could be exploited by an unprivileged process. There is currently no way to disable io_uring system-wide except by compiling it out of the kernel entirely. The only way to prevent a process from accessing io_uring is to use a seccomp filter, but seccomp cannot be applied system-wide. This patch introduces a new sysctl which disables the creation of new io_uring instances system-wide. This gives system admins a way to reduce the kernel's attack surface on systems where io_uring is not used. Matteo Rizzo (1): Add a new sysctl to disable io_uring system-wide Documentation/admin-guide/sysctl/kernel.rst | 14 ++++++++++++ io_uring/io_uring.c | 24 +++++++++++++++++++++ 2 files changed, 38 insertions(+) -- 2.41.0.162.gfafddb0af9-goog