linux-hardened icon indicating copy to clipboard operation
linux-hardened copied to clipboard
verified publisher icon anthraxx

Disable io_uring

Open prettySongbird opened this issue 2 years ago • 4 comments

The io_uring system call continues to be the source of many security issues. As a consequence, google disables this feature on their systems, including ChromeOS and Android. https://www.phoronix.com/news/Google-Restricting-IO_uring

It would probably be a good idea to do the same for linux-hardening

prettySongbird avatar Jun 16 '23 13:06 prettySongbird

Starting with Linux 6.6 the io_uring feature can be easily disabled: https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring

prettySongbird avatar Jul 14 '23 19:07 prettySongbird

This sounds like a reasonable request and quite straight forward way to do it. I'll make sure this lands in all trees asap.

anthraxx avatar Jul 15 '23 07:07 anthraxx

Grsecurity hardcodes this - i have branch specifically enabling it for a required use-case. If they consider it too dangerous given the myriad of defenses built into their patches, its probably not a great thing to have sitting around.

sempervictus avatar Aug 27 '23 12:08 sempervictus

@prettySongbird Android doesn't disable io_uring but rather only allows the core system fastbootd and snapuserd processes to use io_uring via the static full system SELinux policy. Similarly, it has rules for using userfaultfd and generic ioctl filtering where specific ioctl commands are whitelisted for specific devices.

thestinger avatar Jan 08 '24 15:01 thestinger