On Wed, Aug 26, 2020 at 12:46:24PM -0700, Kees Cook wrote:
> On Thu, Aug 13, 2020 at 05:32:53PM +0200, Stefano Garzarella wrote:
> > +/*
> > + * io_uring_restriction->opcode values
> > + */
> > +enum {
> > + /* Allow an io_uring_register(2) opcode */
> > + IORING_RESTRICTION_REGISTER_OP,
> > +
On Thu, Aug 13, 2020 at 05:32:53PM +0200, Stefano Garzarella wrote:
> +/*
> + * io_uring_restriction->opcode values
> + */
> +enum {
> + /* Allow an io_uring_register(2) opcode */
> + IORING_RESTRICTION_REGISTER_OP,
> +
> + /* Allow an sqe opcode */
> + IORING_RESTRICTION_SQE_OP,
>
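Review bot: the enumerators in this enum (IORING_RESTRICTION_REGISTER_OP, IORING_RESTRICTION_SQE_OP) get their values from their position in the list, yet the comment above says they are the io_uring_restriction->opcode values, i.e. what a caller fills in. Consider assigning each one explicitly, for example `IORING_RESTRICTION_REGISTER_OP = 0,` and `IORING_RESTRICTION_SQE_OP = 1,`, so that a later insertion or reorder cannot silently renumber them and change which restriction a given opcode value selects.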
The new io_uring_register(2) IORING_REGISTER_RESTRICTIONS opcode
permanently installs a feature allowlist on an io_ring_ctx.
The io_ring_ctx can then be passed to untrusted code with the
knowledge that only operations present in the allowlist can be
executed.
The allowlist approach ensures that n