Message-ID: <638f241a-6ffd-4827-b5a8-760550aea2a7@kernel.dk>
Date: Wed, 21 Jan 2026 20:37:10 -0700
From: Jens Axboe <axboe@...nel.dk>
To: io-uring@...r.kernel.org
Cc: brauner@...nel.org, jannh@...gle.com, kees@...nel.org,
 linux-kernel@...r.kernel.org
Subject: Re: [PATCHSET v6] Inherited restrictions and BPF filtering for
 io_uring

On 1/19/26 4:54 PM, Jens Axboe wrote:
> Hi,
> 
> Followup to v5 here:
> 
> https://lore.kernel.org/io-uring/20260118172328.1067592-1-axboe@kernel.dk/
> 
> Mostly just addressing a bit of feedback, feature wise this is all the
> same as before. For details on the patches, see the v5 posting linked
> above. For details on the changes, see the changes section below.
> 
> Kernel branch can be found here:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux.git/log/?h=io_uring-bpf-restrictions.3
> 
> and a liburing branch with support helpers, man page, and a fairly
> substantial test case can be found here:
> 
> https://git.kernel.org/pub/scm/linux/kernel/git/axboe/liburing.git/log/?h=bpf-restrictions
> 
> Feedback welcome!
> 
> Changes since v5:
> - Disallow setting or appending filters for no_new_privs, unless the
>   user is also CAP_SYS_ADMIN (Aleksa)
> - Add support for filtering of IORING_OP_OPENAT/OPENAT2, in terms of
>   being able to deny certain resolve or creation flags.
> - Change layout of io_uring_bpf_ctx slightly, for easier/faster clearing
>   of unused members.
> - Expand liburing test cases to cover both the no_new_privs situation,
>   and testing the OPENAT/OPENAT2 filters.
> 
>  include/linux/io_uring.h                 |  14 +-
>  include/linux/io_uring_types.h           |  13 +
>  include/linux/sched.h                    |   1 +
>  include/uapi/linux/io_uring.h            |  10 +
>  include/uapi/linux/io_uring/bpf_filter.h |  62 ++++
>  io_uring/Kconfig                         |   5 +
>  io_uring/Makefile                        |   1 +
>  io_uring/bpf_filter.c                    | 436 +++++++++++++++++++++++
>  io_uring/bpf_filter.h                    |  48 +++
>  io_uring/io_uring.c                      |  48 +++
>  io_uring/io_uring.h                      |   1 +
>  io_uring/net.c                           |   9 +
>  io_uring/net.h                           |   6 +
>  io_uring/openclose.c                     |   9 +
>  io_uring/openclose.h                     |   3 +
>  io_uring/register.c                      |  91 +++++
>  io_uring/tctx.c                          |  42 ++-
>  kernel/fork.c                            |   5 +
>  18 files changed, 794 insertions(+), 10 deletions(-)

Any comments on this one?

-- 
Jens Axboe

