libstore/build: block io_uring

Unfortunately, io_uring is totally opaque to seccomp, and while currently there
are no dangerous operations implemented, there is no guarantee that it remains
this way. This means that io_uring should be blocked entirely to ensure that
the sandbox is future-proof. This has not been observed to cause issues in
practice.

Change-Id: I45d3895f95abe1bc103a63969f444c334dbbf50d
This commit is contained in:
Alois Wohlschlager 2024-07-01 09:18:01 +02:00
parent 127ee1a101
commit e7188e211a
No known key found for this signature in database
GPG key ID: E0F59EA5E5216914
5 changed files with 43 additions and 3 deletions

View file

@ -0,0 +1,12 @@
---
synopsis: "Block io_uring in the Linux sandbox"
cls: 1611
credits: alois31
category: Breaking Changes
---
The io\_uring API has the unfortunate property that it is not possible to selectively decide which operations should be allowed.
This, together with the fact that new operations are routinely added, makes it a hazard to the proper function of the sandbox.
Therefore, any access to io\_uring has been made unavailable inside the sandbox.
As such, attempts to execute any system calls forming part of this API will fail with the error `ENOSYS`, as if io\_uring support had not been configured into the kernel.

View file

@ -1596,9 +1596,9 @@ void setupSeccomp()
allowSyscall(ctx, SCMP_SYS(ioprio_set));
allowSyscall(ctx, SCMP_SYS(io_setup));
allowSyscall(ctx, SCMP_SYS(io_submit));
allowSyscall(ctx, SCMP_SYS(io_uring_enter));
allowSyscall(ctx, SCMP_SYS(io_uring_register));
allowSyscall(ctx, SCMP_SYS(io_uring_setup));
// skip io_uring_enter (may become dangerous)
// skip io_uring_register (may become dangerous)
// skip io_uring_setup (may become dangerous)
allowSyscall(ctx, SCMP_SYS(ipc));
allowSyscall(ctx, SCMP_SYS(kcmp));
allowSyscall(ctx, SCMP_SYS(kexec_file_load));

View file

@ -155,4 +155,6 @@ in
broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
coredumps = runNixOSTestFor "x86_64-linux" ./coredumps;
io_uring = runNixOSTestFor "x86_64-linux" ./io_uring;
}

View file

@ -0,0 +1,7 @@
let
inherit (import ../util.nix) mkNixBuildTest;
in
mkNixBuildTest {
name = "io_uring";
expressionFile = ./package.nix;
}

View file

@ -0,0 +1,19 @@
{ runCommandCC }:
runCommandCC "io_uring-is-blocked" { } ''
cat > test.c <<EOF
#include <errno.h>
#include <sys/syscall.h>
#include <unistd.h>
int main() {
int res = syscall(SYS_io_uring_setup, 0, NULL);
return res == -1 && errno == ENOSYS ? 0 : 1;
}
EOF
"$CC" -o test test.c
if ! ./test; then
echo "Oh no! io_uring is available!"
exit 1
fi
touch "$out"
''