It's still seccomp'd off in most environments because io-uring is still a seccomp bypass that doesn't play well with kernel security systems (audit subsystem), even if it weren't also like the #1 or #2 exploit vector for privesc.
It's still seccomp'd off in most environments because io-uring is still a seccomp bypass that doesn't play well with kernel security systems (audit subsystem), even if it weren't also like the #1 or #2 exploit vector for privesc.
That’s solved as of last week, you can use cBPF now to disable functionality.
How solved? AFAIK it's not meaningfully shipped but happy to hear otherwise.
you can now disable opertions with cBPF, like you would be able to with seccomp for normal syscalls.