Open prettySongbird opened 1 year ago
Starting with Linux 6.6 the io_uring feature can be easily disabled: https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring
This sounds like a reasonable request and quite straight forward way to do it. I'll make sure this lands in all trees asap.
Grsecurity hardcodes this - i have branch specifically enabling it for a required use-case. If they consider it too dangerous given the myriad of defenses built into their patches, its probably not a great thing to have sitting around.
@prettySongbird Android doesn't disable io_uring but rather only allows the core system fastbootd and snapuserd processes to use io_uring via the static full system SELinux policy. Similarly, it has rules for using userfaultfd and generic ioctl filtering where specific ioctl commands are whitelisted for specific devices.
The io_uring system call continues to be the source of many security issues. As a consequence, google disables this feature on their systems, including ChromeOS and Android. https://www.phoronix.com/news/Google-Restricting-IO_uring
It would probably be a good idea to do the same for linux-hardening