From: Vitaly Chikunov <vt@altlinux.org>
To: devel-kernel@lists.altlinux.org
Subject: [d-kernel] [RFC] ALT: io_uring, sysctl: Add 'kernel.unprivileged_io_uring_disabled' sysctl
Date: Thu, 26 Jan 2023 22:50:17 +0300
Message-ID: <20230126195017.1654866-1-vt@altlinux.org>

`kernel.unprivileged_io_uring_disabled=1' is set to disable io_uring functionality for non-roots (default). Set to 0 to allow io_uring.

Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
---
 io_uring/io_uring.c |  9 +++++++++
 kernel/sysctl.c     | 10 ++++++++++
 2 files changed, 19 insertions(+)

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c index cea5de98c4232..e786f63f78d6f 100644 --- a/io_uring/io_uring.c +++ b/io_uring/io_uring.c @@ -151,6 +151,7 @@ static void io_move_task_work_from_local(struct io_ring_ctx *ctx); static void __io_submit_flush_completions(struct io_ring_ctx *ctx); static struct kmem_cache *req_cachep; +int sysctl_unprivileged_io_uring_disabled __read_mostly = 1; struct sock *io_uring_get_socket(struct file *file) { @@ -3588,6 +3589,14 @@ static long io_uring_setup(u32 entries, struct io_uring_params __user *params) struct io_uring_params p; int i; + if (sysctl_unprivileged_io_uring_disabled && !capable(CAP_SYS_ADMIN)) { + /* Inform user of the new setting so they can disable it. */ + pr_warn_once("io_uring: kernel.unprivileged_io_uring_disabled knob is enabled.\n"); + pr_notice_ratelimited("%s (pid %d) io_uring_setup request denied.\n", + current->comm, current->pid); + return -EACCES; + } + if (copy_from_user(&p, params, sizeof(p))) return -EFAULT; for (i = 0; i < ARRAY_SIZE(p.resv); i++) { diff --git a/kernel/sysctl.c b/kernel/sysctl.c index ae711d120ba35..ce382deb66b42 100644 --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -100,6 +100,7 @@ static const int six_hundred_forty_kb = 640 * 1024; extern int sysctl_userns_restrict; #endif extern int sysctl_idmap_mounts; +extern int sysctl_unprivileged_io_uring_disabled;
@@ -1939,6 +1940,15 @@ static struct ctl_table kern_table[] = { .extra2 = SYSCTL_ONE, }, #endif + { + .procname = "unprivileged_io_uring_disabled", + .data = &sysctl_unprivileged_io_uring_disabled, + .maxlen = sizeof(int), + .mode = 0644, + .proc_handler = proc_dointvec_minmax, + .extra1 = SYSCTL_ZERO, + .extra2 = SYSCTL_ONE, + }, { .procname = "ngroups_max", .data = (void *)&ngroups_max, -- 2.33.6
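Review bot: Defaulting `sysctl_unprivileged_io_uring_disabled` to 1 in the first io_uring.c hunk makes the denial the behaviour of every upgraded kernel, so unprivileged programs that already use io_uring start failing with EACCES at io_uring_setup() until an administrator sets the knob to 0, and the `pr_warn_once()` only tells them after the first failure. If the default is meant to be distribution policy, consider making it a Kconfig option and initialising this variable from it, so the build configuration rather than the source chooses the default.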
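Review bot: The check added to io_uring_setup() gates only ring creation, so flipping the sysctl to 1 at runtime does not revoke rings that were created while it was 0 or by a CAP_SYS_ADMIN process and then inherited or passed on; io_uring_enter() and io_uring_register() on an existing fd are untouched by this patch. That is a defensible design, but the commit message should state it, and the diffstat shows no Documentation/admin-guide/sysctl/kernel.rst entry for the new knob. Minor: the `pr_notice_ratelimited()` line usefully records comm and pid of each denied caller, but consider naming the sysctl in that message too, so an admin who greps the log for the denial finds the knob without needing the earlier `pr_warn_once()` line.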
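Review bot: The `extern int sysctl_unprivileged_io_uring_disabled;` added to kernel/sysctl.c restates the variable's type by hand in a second file, so a later type change in io_uring.c would not be caught; declaring it once in a header that both files include (include/linux/io_uring.h, for example) lets the compiler check that definition and declaration agree.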
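Review bot: The new kern_table entry is unconditional while its backing variable is defined in io_uring/io_uring.c, which is built only when CONFIG_IO_URING is enabled, so a kernel configured without io_uring would fail to link with an undefined reference to `sysctl_unprivileged_io_uring_disabled`. Wrap both the entry and the extern in `#ifdef CONFIG_IO_URING` / `#endif`, following the pattern of the `#endif` visible just above the entry, or register the sysctl from io_uring itself so kernel/sysctl.c need not reference it. The `proc_dointvec_minmax` handler with SYSCTL_ZERO/SYSCTL_ONE bounds and mode 0644 are appropriate for a root-writable boolean toggle.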
Thread overview (11+ messages):
  2023-01-26 19:50 Vitaly Chikunov [this message]
  2023-01-27 17:30 ` Dmitry V. Levin
  2023-01-27 20:10 ` Vitaly Chikunov
  2023-01-27 20:35 ` Dmitry V. Levin
  2023-01-27 22:16 ` Vitaly Chikunov
  2023-01-27 21:50 ` Vladimir D. Seleznev
  2023-01-30 09:26 ` Alexey Sheplyakov
  2023-01-30 20:09 ` Vitaly Chikunov
  2023-01-31 21:31 ` Alexey V. Vissarionov
  2023-02-01 03:24 ` Vitaly Chikunov
  2023-02-01 10:41 ` Alexey V. Vissarionov