Don't allow io_uring related syscalls in the RuntimeDefault seccomp profile.

vinayakankugoyal · vinayakankugoyal · commit a48ddf4a208b · 2023-11-02T01:23:58.000Z
Signed-off-by: Vinayak Goyal &lt;vinaygo@google.com&gt;
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
@@ -183,9 +183,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 				"ioprio_set",
 				"io_setup",
 				"io_submit",
-				"io_uring_enter",
-				"io_uring_register",
-				"io_uring_setup",
 				"ipc",
 				"kill",
 				"landlock_add_rule",
diff --git a/contrib/seccomp/seccomp_default_test.go b/contrib/seccomp/seccomp_default_test.go
@@ -0,0 +1,36 @@
+package seccomp
+
+import (
+	"testing"
+
+	"github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestIOUringIsNotAllowed(t *testing.T) {
+
+	disallowed := map[string]bool{
+		"io_uring_enter":    true,
+		"io_uring_register": true,
+		"io_uring_setup":    true,
+	}
+
+	got := DefaultProfile(&specs.Spec{
+		Process: &specs.Process{
+			Capabilities: &specs.LinuxCapabilities{
+				Bounding: []string{},
+			},
+		},
+	})
+
+	for _, config := range got.Syscalls {
+		if config.Action != specs.ActAllow {
+			continue
+		}
+
+		for _, name := range config.Names {
+			if disallowed[name] {
+				t.Errorf("found disallowed io_uring related syscalls")
+			}
+		}
+	}
+}
