Io_uring and seccomp (2022)

Using seccomp with a default-open filter is a terrible idea to begin with; it wasn&#x27;t really designed for any of this. Seccomp in its most basic form didn&#x27;t even have a filter list, it just allowed read() and write(). (And close() or something, don&#x27;t quote me on the details, the point is it was a fixed list.) You&#x27;re supposed to use it with a default-closed filter and fully enumerate what you need. (Yes, that&#x27;s hard in a lot of cases, but still.)<p>There have been other cases where syscalls got cloned, mostly to add new parameters, but either way seccomp with an &quot;open&quot; filter can only ever be defense-in-depth, not a critical line in itself.<p>(Don&#x27;t misunderstand, defense-in-depth is good, and keep using seccomp for it. But an open seccomp filter MUST be considered bypassable.)

This seems like an instance of an anti-pattern I&#x27;ve seen, which is inflating &quot;permission&quot; and &quot;API call&quot; to the same thing.<p>IIRC, AWS does this, where permission is by API call. As an example, you can have permission to call ssm:GetParameter <i>n</i> times, but if you try to combine those <i>n</i> API calls into a batch with GetParameters, that&#x27;s a different IAM perm, <i>even though exactly the same thing is occurring.</i>

Both Docker and containerd have started to block io_uring in the default profile for about a year now due to too many security issues with it.

I was thinking about how one would change io_uring design to be compatible with seccomp, and came up with a very simple one:<p>A new io_uring fd comes with all operations disabled by default. User has to call &quot;io_uring_register(fd, ENABLE_OP, op)&quot; before operation is used for the first time. Then seccomp filter can easily filter enable_op calls to prohibit certain operations.<p>It could even be added now in backward-compatible way - add a new feature to io_uring_setup that enables it. Then one could set seccomp filter to only accept setup requests with this feature set, and deny all others. Together, this should allow cooperating programs to pass seccomp filter, while programs that won&#x27;t register ops could not use seccomp at all.

Surely this is a seccomp shortcoming, or kernel auth shortcoming, rather than an io_uring problem?<p>That is, seccomp is (apparently? I’ve never used it myself) capable of intercepting direct calls. Obviously, that design isn’t going to be able to handle “indirect” calls in its default implementation.<p>Either seccomp needs a way to act on the buffer or intercept io_uring calls, or there’s a need for a new auth mechanism that’s capable of handling io_uring style API’s.<p>Torpedoing the whole api (a la gcp) feels like throwing the baby out with the bath water.

&gt; But if you&#x27;ve got a separation of duties where a sysadmin sets up seccomp filtering generically across applications<p>Is this even possible, regardless of io_uring?

Author here! The motivating example of this post is frankly pretty lousy in retrospect (and was even so soon after writing, given the friendly reminder from Giovanni Campagna that `socket` wasn&#x27;t one of the io_uring opcodes). At best this is an interesting limitation of seccomp. Maybe relevant if you were using gVisor?