Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

io-uring support #39396

Closed
omegacoleman opened this issue Jun 21, 2019 · 3 comments · Fixed by #39415
Closed

io-uring support #39396

omegacoleman opened this issue Jun 21, 2019 · 3 comments · Fixed by #39415
Labels
area/security/seccomp kind/enhancement Enhancements are not bugs or new features but can improve usability or performance.

Comments

@omegacoleman
Copy link
Contributor

I'm currently using containers for my workzone, and I'm just getting my hands on the new io-uring thingy in kernel 5.1 here

And then I noticed that docker currently blocks the io-uring related requests :

/code/liburing/examples on  master! ⌚ 10:14:17
$ ./io_uring-test io_uring-test.c
queue_init: Operation not permitted

While this test program runs without a problem on the host machine (I'm using a fedora30 host with docker-machine --drive generic)

So I thought this would be the place to suggest this feature
@cpuguy83
Copy link
Member

This likely needs to be added to the seccomp profile here: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

Note you can provide your own seccomp profile to unblock yourself.
docker run --sec-opt seccomp:/path/to/profile.json

You can also set the default profile as a daemon option:

--secomp-profile=/path/to/profile.json

@cpuguy83 cpuguy83 added the kind/enhancement Enhancements are not bugs or new features but can improve usability or performance. label Jun 21, 2019
@omegacoleman
Copy link
Contributor Author

This likely needs to be added to the seccomp profile here: https://github.com/moby/moby/blob/master/profiles/seccomp/default.json

Note you can provide your own seccomp profile to unblock yourself.
docker run --sec-opt seccomp:/path/to/profile.json

You can also set the default profile as a daemon option:

--secomp-profile=/path/to/profile.json

Thanks so much ur comment points me to the right way.

However the upstream hasn't included support for io-uring yet, but I already PRed it: seccomp/libseccomp#157

Plus there's a few typo: --security-opt not --sec-opt, and --seccomp-profile not --secomp-profile

Currently I workaound the problem by just allow every system call to pass:

{
	"defaultAction": "SCMP_ACT_ALLOW",
	...,
	"syscalls": []
}

But this config is highly unsafe under production circumstances.

I think this could be put on hold until the upsteam gain uring support, then I could add it to the default config.

@omegacoleman omegacoleman mentioned this issue Jun 25, 2019
Merged
@vrothberg vrothberg mentioned this issue Oct 30, 2019
Merged
@thaJeztah thaJeztah mentioned this issue Aug 25, 2020
Merged
@normanmaurer normanmaurer mentioned this issue Dec 22, 2020
Closed
@thaJeztah thaJeztah mentioned this issue Dec 1, 2023
Merged
@thaJeztah
Copy link
Member

for future visitors; these were removed again in;

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security/seccomp kind/enhancement Enhancements are not bugs or new features but can improve usability or performance.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

seccomp: whitelist io-uring related system calls
3 participants
@cpuguy83 @thaJeztah @omegacoleman