libstore/build: block io_uring

Unfortunately, io_uring is totally opaque to seccomp, and while currently there are no dangerous operations implemented, there is no guarantee that it remains this way. This means that io_uring should be blocked entirely to ensure that the sandbox is future-proof. This has not been observed to cause issues in practice. Change-Id: I45d3895f95abe1bc103a63969f444c334dbbf50d
2024-07-01 09:18:01 +02:00 · 2024-07-01 09:18:01 +02:00 · e7188e211a
parent 127ee1a101
commit e7188e211a
5 changed files with 43 additions and 3 deletions
--- a/doc/manual/rl-next/block-io-uring.md
+++ b/doc/manual/rl-next/block-io-uring.md
@ -0,0 +1,12 @@
+---
+synopsis: "Block io_uring in the Linux sandbox"
+cls: 1611
+credits: alois31
+category: Breaking Changes
+---
+
+The io\_uring API has the unfortunate property that it is not possible to selectively decide which operations should be allowed.
+This, together with the fact that new operations are routinely added, makes it a hazard to the proper function of the sandbox.
+
+Therefore, any access to io\_uring has been made unavailable inside the sandbox.
+As such, attempts to execute any system calls forming part of this API will fail with the error `ENOSYS`, as if io\_uring support had not been configured into the kernel.
--- a/src/libstore/build/local-derivation-goal.cc
+++ b/src/libstore/build/local-derivation-goal.cc
@ -1596,9 +1596,9 @@ void setupSeccomp()
    allowSyscall(ctx, SCMP_SYS(ioprio_set));
    allowSyscall(ctx, SCMP_SYS(io_setup));
    allowSyscall(ctx, SCMP_SYS(io_submit));
-    allowSyscall(ctx, SCMP_SYS(io_uring_enter));
-    allowSyscall(ctx, SCMP_SYS(io_uring_register));
-    allowSyscall(ctx, SCMP_SYS(io_uring_setup));
+    // skip io_uring_enter (may become dangerous)
+    // skip io_uring_register (may become dangerous)
+    // skip io_uring_setup (may become dangerous)
    allowSyscall(ctx, SCMP_SYS(ipc));
    allowSyscall(ctx, SCMP_SYS(kcmp));
    allowSyscall(ctx, SCMP_SYS(kexec_file_load));
--- a/tests/nixos/default.nix
+++ b/tests/nixos/default.nix
@ -155,4 +155,6 @@ in
  broken-userns = runNixOSTestFor "x86_64-linux" ./broken-userns.nix;

  coredumps = runNixOSTestFor "x86_64-linux" ./coredumps;
+
+  io_uring = runNixOSTestFor "x86_64-linux" ./io_uring;
 }
--- a/tests/nixos/io_uring/default.nix
+++ b/tests/nixos/io_uring/default.nix
@ -0,0 +1,7 @@
+let
+  inherit (import ../util.nix) mkNixBuildTest;
+in
+mkNixBuildTest {
+  name = "io_uring";
+  expressionFile = ./package.nix;
+}
--- a/tests/nixos/io_uring/package.nix
+++ b/tests/nixos/io_uring/package.nix
@ -0,0 +1,19 @@
+{ runCommandCC }:
+runCommandCC "io_uring-is-blocked" { } ''
+  cat > test.c <<EOF
+  #include <errno.h>
+  #include <sys/syscall.h>
+  #include <unistd.h>
+
+  int main() {
+      int res = syscall(SYS_io_uring_setup, 0, NULL);
+      return res == -1 && errno == ENOSYS ? 0 : 1;
+  }
+  EOF
+  "$CC" -o test test.c
+  if ! ./test; then
+    echo "Oh no! io_uring is available!"
+    exit 1
+  fi
+  touch "$out"
+''