Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update RuntimeDefault seccomp profile to disallow io_uring related syscalls #9320

Merged
merged 1 commit into from Nov 2, 2023
Merged

Update RuntimeDefault seccomp profile to disallow io_uring related syscalls #9320

merged 1 commit into from Nov 2, 2023
+36 −3

Conversation

vinayakankugoyal
Copy link
Contributor

@vinayakankugoyal vinayakankugoyal commented Nov 2, 2023
edited

This addresses #9048.

Security experts generally believe io_uring to be unsafe. In fact Google ChromeOS and Android have turned it off, plus all Google production servers turn it off. Based on the blog published by Google below it seems like a bunch of vulnerabilities related to io_uring can be exploited to breakout of the container.

https://security.googleblog.com/2023/06/learnings-from-kctf-vrps-42-linux.html.

Other security reaserchers also hold this opinion: see https://i.blackhat.com/BH-US-23/Presentations/US-23-Lin-bad_io_uring.pdf for a blackhat presentation on io_uring exploits.

@k8s-ci-robot
Copy link

Hi @vinayakankugoyal. Thanks for your PR.

I'm waiting for a containerd member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@vinayakankugoyal vinayakankugoyal changed the title Don't allow io_uring related syscalls in the RuntimeDefault seccomp p… Don't allow io_uring related syscalls in the RuntimeDefault seccomp profile. Nov 2, 2023
@vinayakankugoyal
Don't allow io_uring related syscalls in the RuntimeDefault seccomp p…
a48ddf4 
…rofile.

Signed-off-by: Vinayak Goyal <vinaygo@google.com>
@AkihiroSuda AkihiroSuda added this to the 2.0 milestone Nov 2, 2023
@AkihiroSuda
Copy link
Member

/ok-to-test

@estesp estesp added this pull request to the merge queue Nov 2, 2023
Merged via the queue into containerd:main with commit cb742b5 Nov 2, 2023
40 checks passed
@vinayakankugoyal vinayakankugoyal mentioned this pull request Dec 1, 2023
Closed
This was referenced Dec 1, 2023
Merged
Closed
Merged
Closed
@rmuir rmuir mentioned this pull request Jan 12, 2024
Open
@dmcgowan dmcgowan changed the title Don't allow io_uring related syscalls in the RuntimeDefault seccomp profile. Update RuntimeDefault seccomp profile to disallow io_uring related syscalls Jan 19, 2024
@dmcgowan dmcgowan added the area/runtime Runtime label Mar 19, 2024
@dmcgowan dmcgowan mentioned this pull request Apr 19, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@samuelkarp samuelkarp samuelkarp approved these changes

@estesp estesp estesp approved these changes

@AkihiroSuda AkihiroSuda AkihiroSuda approved these changes

@dcantah dcantah dcantah approved these changes

Assignees
No one assigned
Labels
area/runtime Runtime impact/breaking impact/changelog ok-to-test size/M
Projects
Pull Request Review
Status: Done
Milestone
2.0
Development

Successfully merging this pull request may close these issues.

None yet
7 participants
@vinayakankugoyal @k8s-ci-robot @AkihiroSuda @samuelkarp @estesp @dcantah @dmcgowan