alois31
e7188e211a
Unfortunately, io_uring is totally opaque to seccomp, and while currently there
are no dangerous operations implemented, there is no guarantee that it remains
this way. This means that io_uring should be blocked entirely to ensure that
the sandbox is future-proof. This has not been observed to cause issues in
practice.
Change-Id: I45d3895f95abe1bc103a63969f444c334dbbf50d
20 lines
400 B
Nix
{ runCommandCC }:
runCommandCC "io_uring-is-blocked" { } ''
  cat > test.c <<EOF
  #include <errno.h>
  #include <sys/syscall.h>
  #include <unistd.h>

  int main() {
    /* Inside the sandbox, io_uring_setup must fail with ENOSYS. */
    int res = syscall(SYS_io_uring_setup, 0, NULL);
    return res == -1 && errno == ENOSYS ? 0 : 1;
  }
  EOF
  "$CC" -o test test.c
  # A non-zero exit status means the syscall did not fail with ENOSYS.
  if ! ./test; then
    echo "Oh no! io_uring is available!"
    exit 1
  fi
  touch "$out"
''
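The filter side of this check, as an added example that is not the project's own sandbox code: a minimal seccomp-BPF program that fails the three io_uring syscalls with ENOSYS, which is the result the test above expects, and a helper that verifies it in a forked child. The function names `block_io_uring` and `io_uring_blocked_in_child` are hypothetical, and the example assumes a Linux build with headers that define the `SYS_io_uring_*` numbers.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Install a filter that fails io_uring_setup/enter/register with ENOSYS and
   allows every other syscall. A production filter would also validate
   seccomp_data.arch before trusting the syscall number; omitted for brevity. */
static int block_io_uring(void) {
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_io_uring_setup, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_io_uring_enter, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_io_uring_register, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (ENOSYS & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = {
        .len = sizeof(prog) / sizeof(prog[0]),
        .filter = prog,
    };
    /* Required so an unprivileged process may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Apply the filter in a child process and repeat the page's probe there.
   Returns 1 if io_uring_setup fails with ENOSYS, 0 if not, -1 on error. */
int io_uring_blocked_in_child(void) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (block_io_uring() != 0) _exit(2);
        long res = syscall(SYS_io_uring_setup, 0, NULL);
        _exit(res == -1 && errno == ENOSYS ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status)) return -1;
    if (WEXITSTATUS(status) == 0) return 1;
    return WEXITSTATUS(status) == 1 ? 0 : -1;
}

int main(void) { return io_uring_blocked_in_child() == 1 ? 0 : 1; }
```

The filter has to deny by syscall number alone: seccomp sees only the `io_uring_setup`, `io_uring_enter` and `io_uring_register` calls, not the operations later submitted through the ring.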