From patchwork Tue Jun 27 12:00:57 2023
X-Patchwork-Submitter: Matteo Rizzo
X-Patchwork-Id: 11337
Date: Tue, 27 Jun 2023 12:00:57 +0000
Message-ID: <20230627120058.2214509-1-matteorizzo@google.com>
Subject: [PATCH 0/1] Add a sysctl to disable io_uring system-wide
From: Matteo Rizzo
To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org
Cc: matteorizzo@google.com, jordyzomer@google.com, evn@google.com, poprdi@google.com, corbet@lwn.net, axboe@kernel.dk, asml.silence@gmail.com, akpm@linux-foundation.org, keescook@chromium.org, rostedt@goodmis.org, dave.hansen@linux.intel.com, ribalda@chromium.org, chenhuacai@kernel.org, steve@sk2.org, gpiccoli@igalia.com, ldufour@linux.ibm.com
X-Mailing-List: linux-kernel@vger.kernel.org

Over the last few years we've seen many critical vulnerabilities in
io_uring (https://goo.gle/limit-iouring) which could be exploited by an
unprivileged process. There is currently no way to disable io_uring
system-wide except by compiling it out of the kernel entirely. The only
way to prevent a process from accessing io_uring is to use a seccomp
filter, but seccomp cannot be applied system-wide.

This patch introduces a new sysctl which disables the creation of new
io_uring instances system-wide. This gives system admins a way to reduce
the kernel's attack surface on systems where io_uring is not used.

Matteo Rizzo (1):
  Add a new sysctl to disable io_uring system-wide

 Documentation/admin-guide/sysctl/kernel.rst | 14 ++++++++++++
 io_uring/io_uring.c                         | 24 +++++++++++++++++++++
 2 files changed, 38 insertions(+)
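
The per-process seccomp approach the cover letter mentions, shown as an added example that is not part of the original message or patch: a classic-BPF denylist for the three io_uring syscalls, plus a userspace dry run to check its verdicts before installing it. The names `io_uring_deny`, `install_io_uring_deny` and `dry_run`, and the x86-64 target, are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: x86-64 build; use the AUDIT_ARCH_* value of your own target. */
#define FILTER_ARCH AUDIT_ARCH_X86_64
static struct sock_filter io_uring_deny[] = {
    /* [0-2] foreign architecture: kill, its syscall numbers mean other things */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    /* [3-4] x32 ABI numbers (bit 30 set) would slip past a denylist: deny all */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000u, 4, 0),
    /* [5-7] the three io_uring entry points jump to the deny verdict at [9] */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),               /* [8] */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),       /* [9] */
};
#define NINSN (sizeof(io_uring_deny) / sizeof(io_uring_deny[0]))

/* Install for the calling thread; fork and execve inherit it. Returns 0 or -1. */
int install_io_uring_deny(void) {
    struct sock_fprog prog = { .len = NINSN, .filter = io_uring_deny };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Userspace dry run of the filter on one (arch, nr) pair; returns the verdict. */
unsigned dry_run(unsigned arch, unsigned nr) {
    unsigned acc = 0;
    for (size_t pc = 0; pc < NINSN; pc++) {
        const struct sock_filter *f = &io_uring_deny[pc];
        if (BPF_CLASS(f->code) == BPF_RET)
            return f->k;
        if (BPF_CLASS(f->code) == BPF_LD)
            acc = f->k == offsetof(struct seccomp_data, arch) ? arch : nr;
        else /* conditional jump: JEQ or JGE against the constant k */
            pc += (BPF_OP(f->code) == BPF_JEQ ? acc == f->k : acc >= f->k) ? f->jt : f->jf;
    }
    return SECCOMP_RET_KILL_PROCESS; /* not reached: the filter always ends in RET */
}
```

A launcher calls `install_io_uring_deny()` just before `execve()` of the workload; the filter covers only that process tree, which is the gap the proposed sysctl is meant to close.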