libstore/build: block io_uring
Unfortunately, io_uring is totally opaque to seccomp, and while currently there are no dangerous operations implemented, there is no guarantee that it remains this way. This means that io_uring should be blocked entirely to ensure that the sandbox is future-proof. This has not been observed to cause issues in practice. Change-Id: I45d3895f95abe1bc103a63969f444c334dbbf50d
This commit is contained in:
parent
127ee1a101
commit
e7188e211a
5 changed files with 43 additions and 3 deletions
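--- a/doc/manual/rl-next/block-io-uring.md
+++ b/doc/manual/rl-next/block-io-uring.md
@@ -0,0 +1,12 @@
+---
+synopsis: "Block io_uring in the Linux sandbox"
+cls: 1611
+credits: alois31
+category: Breaking Changes
+---
+
+The io\_uring API has the unfortunate property that it is not possible to selectively decide which operations should be allowed.
+This, together with the fact that new operations are routinely added, makes it a hazard to the proper function of the sandbox.
+
+Therefore, any access to io\_uring has been made unavailable inside the sandbox.
+As such, attempts to execute any system calls forming part of this API will fail with the error `ENOSYS`, as if io\_uring support had not been configured into the kernel.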
@ -1596,9 +1596,9 @@ void setupSeccomp()
|
||||||
allowSyscall(ctx, SCMP_SYS(ioprio_set));
|
allowSyscall(ctx, SCMP_SYS(ioprio_set));
|
||||||
allowSyscall(ctx, SCMP_SYS(io_setup));
|
allowSyscall(ctx, SCMP_SYS(io_setup));
|
||||||
allowSyscall(ctx, SCMP_SYS(io_submit));
|
allowSyscall(ctx, SCMP_SYS(io_submit));
|
||||||
allowSyscall(ctx, SCMP_SYS(io_uring_enter));
|
// skip io_uring_enter (may become dangerous)
|
||||||
allowSyscall(ctx, SCMP_SYS(io_uring_register));
|
// skip io_uring_register (may become dangerous)
|
||||||
allowSyscall(ctx, SCMP_SYS(io_uring_setup));
|
// skip io_uring_setup (may become dangerous)
|
||||||
allowSyscall(ctx, SCMP_SYS(ipc));
|
allowSyscall(ctx, SCMP_SYS(ipc));
|
||||||
allowSyscall(ctx, SCMP_SYS(kcmp));
|
allowSyscall(ctx, SCMP_SYS(kcmp));
|
||||||
allowSyscall(ctx, SCMP_SYS(kexec_file_load));
|
allowSyscall(ctx, SCMP_SYS(kexec_file_load));
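Review bot: The three replacement comments say only "may become dangerous", which does not record why these calls cannot be allow-listed individually, so a later contributor may re-add one of them; a single comment carrying the actual reason would be more durable, e.g. `// io_uring_setup, io_uring_enter and io_uring_register are deliberately not allowed: seccomp cannot filter individual io_uring operations, so the whole API must stay blocked (see doc/manual/rl-next/block-io-uring.md).` The ENOSYS behaviour promised in the release note presumably comes from the filter's default action set elsewhere in setupSeccomp, which is outside this hunk; worth confirming it is an errno action rather than a kill action, since the new NixOS test asserts ENOSYS specifically. setupSeccomp begins and ends outside the hunk.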
|
||||||
|
|
|
@ -155,4 +155,6 @@ in
|
||||||
broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
|
broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;
|
||||||
|
|
||||||
coredumps = runNixOSTestFor "x86_64-linux" ./coredumps;
|
coredumps = runNixOSTestFor "x86_64-linux" ./coredumps;
|
||||||
|
|
||||||
|
io_uring = runNixOSTestFor "x86_64-linux" ./io_uring;
|
||||||
}
|
}
|
||||||
|
|
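--- a/tests/nixos/io_uring/default.nix
+++ b/tests/nixos/io_uring/default.nix
@@ -0,0 +1,7 @@
+let
+inherit (import ../util.nix) mkNixBuildTest;
+in
+mkNixBuildTest {
+name = "io_uring";
+expressionFile = ./package.nix;
+}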
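--- a/tests/nixos/io_uring/package.nix
+++ b/tests/nixos/io_uring/package.nix
@@ -0,0 +1,19 @@
+{ runCommandCC }:
+runCommandCC "io_uring-is-blocked" { } ''
+cat > test.c <<EOF
+#include <errno.h>
+#include <sys/syscall.h>
+#include <unistd.h>
+
+int main() {
+int res = syscall(SYS_io_uring_setup, 0, NULL);
+return res == -1 && errno == ENOSYS ? 0 : 1;
+}
+EOF
+"$CC" -o test test.c
+if ! ./test; then
+echo "Oh no! io_uring is available!"
+exit 1
+fi
+touch "$out"
+''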
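Review bot: The probe program in the here-doc only calls io_uring_setup, while the seccomp change also withholds io_uring_enter and io_uring_register, so a regression that re-allows either of those two would still pass this test; the program should try all three entry points and require ENOSYS from each (any other errno such as EINVAL or EBADF means the call reached the kernel). ENOSYS is also what a kernel built without io_uring returns, so the test cannot tell "blocked by the sandbox" from "absent from the kernel"; a short comment in package.nix saying that a pass on such a kernel is not evidence the filter works would keep the result from being over-read. Two small C points in the same program: `int main()` should be `int main(void)`, and `syscall()` returns `long`, so `long res` avoids narrowing the result. Rewritten probe below; the compile-and-run shell lines that follow the here-doc are unchanged.
```nix
cat > test.c <<EOF
#include <errno.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Every io_uring entry point must fail with ENOSYS. Any other errno
   (EINVAL, EBADF, ...) means the syscall reached the kernel. Note that
   a kernel built without io_uring also yields ENOSYS, so a pass here
   does not by itself prove the seccomp filter is in effect. */
int main(void) {
    long nrs[] = { SYS_io_uring_setup, SYS_io_uring_enter, SYS_io_uring_register };
    for (unsigned i = 0; i < sizeof nrs / sizeof nrs[0]; i++) {
        errno = 0;
        long res = syscall(nrs[i], 0, NULL);
        if (res != -1 || errno != ENOSYS) return 1;
    }
    return 0;
}
EOF
# … unchanged: compile with "$CC", run ./test, touch "$out" …
```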