Message-ID: <0d8f8e2b-166b-14bc-6879-a2521ea5b23d@infradead.org>
Date: Tue, 27 Jun 2023 09:23:51 -0700
Subject: Re: [PATCH 1/1] Add a new sysctl to disable io_uring system-wide
To: Matteo Rizzo, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org
Cc: jordyzomer@google.com, evn@google.com, poprdi@google.com, corbet@lwn.net, axboe@kernel.dk, asml.silence@gmail.com, akpm@linux-foundation.org, keescook@chromium.org, rostedt@goodmis.org, dave.hansen@linux.intel.com, ribalda@chromium.org, chenhuacai@kernel.org, steve@sk2.org, gpiccoli@igalia.com, ldufour@linux.ibm.com
References: <20230627120058.2214509-1-matteorizzo@google.com> <20230627120058.2214509-2-matteorizzo@google.com>
From: Randy Dunlap
In-Reply-To: <20230627120058.2214509-2-matteorizzo@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi--

On 6/27/23 05:00, Matteo Rizzo wrote:
> diff --git a/Documentation/admin-guide/sysctl/kernel.rst b/Documentation/admin-guide/sysctl/kernel.rst
> index d85d90f5d000..3c53a238332a 100644
> --- a/Documentation/admin-guide/sysctl/kernel.rst
> +++ b/Documentation/admin-guide/sysctl/kernel.rst
> @@ -450,6 +450,20 @@ this allows system administrators to override the > ``IA64_THREAD_UAC_NOPRINT`` ``prctl`` and avoid logs being flooded. > > > +io_uring_disabled > +========================= > + > +Prevents all processes from creating new io_uring instances. Enabling this > +shrinks the kernel's attack surface. > + > += ============================================================= > +0 All processes can create io_uring instances as normal. This is the default > + setting. > +1 io_uring is disabled. io_uring_setup always fails with -EPERM. Existing > + io_uring instances can still be used. > += ============================================================= These table lines should be extended at least as far as the text that they enclose. I.e., the top and bottom lines should be like: > += ========================================================================== thanks. -- ~Randy
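Review bot: The new ``io_uring_disabled`` description does not say whether a value of 1 can be changed back to 0 at runtime, and the sentence "Existing io_uring instances can still be used" leaves the timing question open: since the restriction only affects rings created after the write, an administrator needs to know that it must be applied before long-running services start (for example from boot-time sysctl configuration) to actually reduce attack surface, and whether the setting is a one-way latch or a plain toggle. Suggest adding one sentence covering both points to the description, and, as already noted above, widening the ``= ===`` border lines of the table so they are at least as long as the text they enclose, otherwise the RST table will not render.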