• eqvinox 2 hours ago

    Using seccomp with a default-open filter is a terrible idea to begin with; it wasn't really designed for any of this. Seccomp in its most basic form didn't even have a filter list, it just allowed read() and write(). (And close() or something; don't quote me on the details. The point is that it was a fixed list.) You're supposed to use it with a default-closed filter and fully enumerate what you need. (Yes, that's hard in a lot of cases, but still.)

    There have been other cases where syscalls got cloned, mostly to add new parameters, but either way seccomp with an "open" filter can only ever be defense-in-depth, not a critical line in itself.

    (Don't misunderstand, defense-in-depth is good, and keep using seccomp for it. But an open seccomp filter MUST be considered bypassable.)
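As an added illustration of the default-open versus default-closed point made in the comment above (this is example code written for this page, not the commenter's code and not from any project), the C below builds both kinds of filter as raw seccomp BPF and evaluates them offline with a tiny interpreter, so you can see what each decides without installing anything. It assumes Linux headers on x86_64 or aarch64; the io_uring numbers 425..427 are the real unified syscall numbers, while 999 is a constructed stand-in for a syscall that did not exist when the filter was written.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS          /* pre-4.14 headers */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#define ACTION_MASK 0xffff0000U           /* high half of a verdict is the action */

#if defined(__x86_64__)
#define EXAMPLE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_ARCH AUDIT_ARCH_AARCH64
#else
#error "set EXAMPLE_ARCH for this architecture"
#endif

/* Syscall numbers >= 424 are shared by all architectures, so these are stable. */
enum { NR_IO_URING_SETUP = 425, NR_IO_URING_ENTER = 426, NR_IO_URING_REGISTER = 427 };
#define NR_FUTURE_SYSCALL 999             /* constructed: "a syscall added next year" */

#define LOAD_ARCH   BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch))
#define LOAD_NR     BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr))
#define RET(v)      BPF_STMT(BPF_RET | BPF_K, (v))
#define IF_NR_IS(k) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (k), 0, 1) /* else skip next */
#define ARCH_CHECK  LOAD_ARCH, BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_ARCH, 1, 0), \
                    RET(SECCOMP_RET_KILL_PROCESS)

/* Default-open: enumerate what is forbidden, allow everything else. */
static const struct sock_filter deny_list[] = {
    ARCH_CHECK, LOAD_NR,
    IF_NR_IS(NR_IO_URING_SETUP),    RET(SECCOMP_RET_ERRNO | EPERM),
    IF_NR_IS(NR_IO_URING_ENTER),    RET(SECCOMP_RET_ERRNO | EPERM),
    IF_NR_IS(NR_IO_URING_REGISTER), RET(SECCOMP_RET_ERRNO | EPERM),
    RET(SECCOMP_RET_ALLOW),  /* anything not listed, including syscalls that do not exist yet */
};

/* Default-closed: enumerate what is needed, kill on everything else. */
static const struct sock_filter allow_list[] = {
    ARCH_CHECK, LOAD_NR,
    IF_NR_IS(__NR_read),       RET(SECCOMP_RET_ALLOW),
    IF_NR_IS(__NR_write),      RET(SECCOMP_RET_ALLOW),
    IF_NR_IS(__NR_exit_group), RET(SECCOMP_RET_ALLOW),
    IF_NR_IS(__NR_exit),       RET(SECCOMP_RET_ALLOW),
    RET(SECCOMP_RET_KILL_PROCESS),
};

/* Minimal cBPF interpreter for the three opcodes used above; returns the
 * SECCOMP_RET_* value the kernel would produce for `data`. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + sizeof acc > sizeof *data) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)data + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;   /* opcode not modelled: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;           /* fell off the end: fail closed */
}

static uint32_t verdict(const struct sock_filter *p, size_t n, int nr, uint32_t arch)
{
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    return run_filter(p, n, &d);
}
#define LEN(a) (sizeof(a) / sizeof((a)[0]))
uint32_t deny_list_verdict(int nr, uint32_t arch)  { return verdict(deny_list, LEN(deny_list), nr, arch); }
uint32_t allow_list_verdict(int nr, uint32_t arch) { return verdict(allow_list, LEN(allow_list), nr, arch); }

/* Install a filter in the calling process (irreversible; only done in a child). */
static int install(const struct sock_filter *prog, size_t len)
{
    struct sock_fprog fp = { .len = (unsigned short)len, .filter = (struct sock_filter *)prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

int main(void)
{
    int nrs[] = { __NR_write, NR_IO_URING_SETUP, NR_FUTURE_SYSCALL };
    for (size_t i = 0; i < LEN(nrs); i++)
        printf("nr %4d  deny-list: %#010x  allow-list: %#010x\n", nrs[i],
               deny_list_verdict(nrs[i], EXAMPLE_ARCH), allow_list_verdict(nrs[i], EXAMPLE_ARCH));

    /* Live check: under the allow-list, write() works and io_uring_setup() is fatal. */
    static const char msg[] = "child: write() allowed\n";
    pid_t pid = fork();
    if (pid == 0) {
        if (install(allow_list, LEN(allow_list)) != 0) _exit(2);
        write(1, msg, sizeof msg - 1);
        syscall(NR_IO_URING_SETUP, 0, NULL);   /* never returns under the allow-list */
        _exit(3);
    }
    int st = 0;
    waitpid(pid, &st, 0);
    printf("child %s\n", WIFSIGNALED(st) ? "killed by seccomp" : "exited normally");
    return 0;
}
```

The interesting row is syscall 999: the deny-list answers "allow" because nothing in it knows that number, which is exactly the bypass the comment warns about, while the allow-list kills the process. The architecture check in front of both filters matters for the same reason: without it a 32-bit-compat syscall with a colliding number would be judged by the wrong table.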

    • deathanatos 4 hours ago

      This seems like an instance of an anti-pattern I've seen, which is conflating "permission" and "API call" into the same thing.

      IIRC, AWS does this, where permission is by API call. As an example, you can have permission to call ssm:GetParameter n times, but if you try to combine those n API calls into a batch with GetParameters, that's a different IAM perm, even though exactly the same thing is occurring.

      • cpuguy83 4 hours ago

        Both Docker and containerd have been blocking io_uring in the default profile for about a year now due to too many security issues with it.

        • bri3d an hour ago

          And Google, in ChromeOS, Android and, purportedly, Google production servers, for around a year and a half as well. For this reason it's also disabled in several of the kernelCTF configurations, and in the ones where it remains (GKE) it only pays out at half rate in the bug bounty.

          • hinkley 3 hours ago

            Has anyone speculated yet about how much slower a secure io_uring has to be? Is it still a net win once you lock it down fully?

          • leni536 5 hours ago

            > But if you've got a separation of duties where a sysadmin sets up seccomp filtering generically across applications

            Is this even possible, regardless of io_uring?

            • amarshall 4 hours ago

              Well, the article brings up containers as an example. If the sysadmin controls "your" parent or root process (e.g. the login shell), they can just perform seccomp filtering there and it applies to everything within it (like any other sandbox).