Block io_uring syscalls by default

See containerd/containerd@a48ddf4
debfx · Dec 28, 2023 · 701a29c · 701a29c
1 parent 7f3f3a1
commit 701a29c
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/seccomp_lists.go b/seccomp_lists.go
@@ -135,9 +135,6 @@ var SeccompAllow = []string{
 	"ioprio_set",
 	"io_setup",
 	"io_submit",
-	"io_uring_enter",
-	"io_uring_register",
-	"io_uring_setup",
 	"ipc",
 	"kill",
 	"landlock_add_rule",
@@ -377,6 +374,13 @@ var SeccompAllowDevel = []string{
 	"ptrace",
 }
 
+/*
+blocked but not part of this list so ENOSYS is returned instead:
+"clone3",
+"io_uring_enter",
+"io_uring_register",
+"io_uring_setup",
+*/
 var SeccompEperm = []string{
 	"_sysctl",
 	"acct",
@@ -389,8 +393,6 @@ var SeccompEperm = []string{
 	"chroot",
 	"clock_settime",
 	"clock_settime64",
-	// return the default action ENOSYS instead
-	//"clone3",
 	"create_module",
 	"delete_module",
 	"fanotify_init",