Comment by willtemperley

14 hours ago

Perhaps someone who knows what they're talking about should update the Wikipedia page on io_uring [1]. Someone with a casual interest in Linux internals will probably get a poor impression of io_uring security which appears to be largely due to Google using an old kernel in Android [2].

[1] https://en.wikipedia.org/wiki/Io_uring [2] https://github.com/axboe/liburing/discussions/1047

2 comments

willtemperley

accelbred 11 hours ago

It still does not hook up to seccomp, so needs to be blocked by things doing syscall filtering. Its blocked by docker/podman. It may also be disabled with hardened kconfig or selinux.

If it ever integrates with LSMs, then it may be time to give it another look.

littlestymaar 9 hours ago

I suppose landlock works with is_uring, doesn't it?