[v3,0/1] Add a sysctl to disable io_uring system-wide

Message ID	20230630151003.3622786-1-matteorizzo@google.com (mailing list archive)
Headers	show Return-Path: <io-uring-owner@vger.kernel.org> Date: Fri, 30 Jun 2023 15:10:02 +0000 Mime-Version: 1.0 Message-ID: <20230630151003.3622786-1-matteorizzo@google.com> Subject: [PATCH v3 0/1] Add a sysctl to disable io_uring system-wide From: Matteo Rizzo <matteorizzo@google.com> To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, io-uring@vger.kernel.org, axboe@kernel.dk, asml.silence@gmail.com Cc: matteorizzo@google.com, corbet@lwn.net, akpm@linux-foundation.org, keescook@chromium.org, ribalda@chromium.org, rostedt@goodmis.org, jannh@google.com, chenhuacai@kernel.org, gpiccoli@igalia.com, ldufour@linux.ibm.com, evn@google.com, poprdi@google.com, jordyzomer@google.com, jmoyer@redhat.com, krisman@suse.de Content-Type: text/plain; charset="UTF-8" Precedence: bulk
Series	Add a sysctl to disable io_uring system-wide \| expand [v3,0/1] Add a sysctl to disable io_uring system-wide [v3,1/1] io_uring: add a sysctl to disable io_uring system-wide

Message ID

20230630151003.3622786-1-matteorizzo@google.com (mailing list archive)

Headers

Date: Fri, 30 Jun 2023 15:10:02 +0000
Mime-Version: 1.0
Message-ID: <20230630151003.3622786-1-matteorizzo@google.com>
Subject: [PATCH v3 0/1] Add a sysctl to disable io_uring system-wide
From: Matteo Rizzo <matteorizzo@google.com>
To: linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
        io-uring@vger.kernel.org, axboe@kernel.dk, asml.silence@gmail.com
Cc: matteorizzo@google.com, corbet@lwn.net, akpm@linux-foundation.org,
        keescook@chromium.org, ribalda@chromium.org, rostedt@goodmis.org,
        jannh@google.com, chenhuacai@kernel.org, gpiccoli@igalia.com,
        ldufour@linux.ibm.com, evn@google.com, poprdi@google.com,
        jordyzomer@google.com, jmoyer@redhat.com, krisman@suse.de
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk

Series

Add a sysctl to disable io_uring system-wide | expand

Message

Matteo Rizzo June 30, 2023, 3:10 p.m. UTC

Over the last few years we've seen many critical vulnerabilities in
io_uring[1] which could be exploited by an unprivileged process to gain
control over the kernel. This patch introduces a new sysctl which disables
the creation of new io_uring instances system-wide.

The goal of this patch is to give distros, system admins, and cloud
providers a way to reduce the risk of privilege escalation through io_uring
where disabling it with seccomp or at compile time is not practical. For
example a distro or cloud provider might want to disable io_uring by
default and have users enable it again if they need to run a program that
requires it. The new sysctl is designed to let a user with root on the
machine enable and disable io_uring systemwide at runtime without requiring
a kernel recompilation or a reboot.

[1] Link: https://goo.gle/limit-iouring

---
v3:
	* Fix the commit message
	* Use READ_ONCE in io_uring_allowed to avoid races
	* Add reviews
v2:
	* Documentation style fixes
	* Add a third level that only disables io_uring for unprivileged
	  processes


Matteo Rizzo (1):
  io_uring: add a sysctl to disable io_uring system-wide

 Documentation/admin-guide/sysctl/kernel.rst | 19 +++++++++++++
 io_uring/io_uring.c                         | 31 +++++++++++++++++++++
 2 files changed, 50 insertions(+)


base-commit: 1601fb26b26758668533bdb211fdfbb5234367ee

Comments

Jens Axboe July 11, 2023, 8:51 p.m. UTC | #1

On Fri, 30 Jun 2023 15:10:02 +0000, Matteo Rizzo wrote:
> Over the last few years we've seen many critical vulnerabilities in
> io_uring[1] which could be exploited by an unprivileged process to gain
> control over the kernel. This patch introduces a new sysctl which disables
> the creation of new io_uring instances system-wide.
> 
> The goal of this patch is to give distros, system admins, and cloud
> providers a way to reduce the risk of privilege escalation through io_uring
> where disabling it with seccomp or at compile time is not practical. For
> example a distro or cloud provider might want to disable io_uring by
> default and have users enable it again if they need to run a program that
> requires it. The new sysctl is designed to let a user with root on the
> machine enable and disable io_uring systemwide at runtime without requiring
> a kernel recompilation or a reboot.
> 
> [...]

Applied, thanks!

[1/1] io_uring: add a sysctl to disable io_uring system-wide
      commit: d55f54dac19a0cee1818353ab5aa3edac9034db4

Best regards,