
Commit 142b14c

docs: add io_uring_* syscalls to seccomp significant syscalls table
The io_uring_enter, io_uring_register, and io_uring_setup syscalls were removed from Docker's default seccomp allowlist in moby/moby#46762 due to security vulnerabilities that can be exploited to escape containers. Add them to the significant blocked syscalls table. Fixes #23784
1 parent 369f69b commit 142b14c
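A quick way to verify what this change means in practice is to probe `io_uring_setup(2)` from inside a container started with the default profile: under Docker's default seccomp profile an unlisted syscall fails with `EPERM`, while on the host (or with a custom profile that allows it) the call succeeds. The program below is an added example written for this page, not code from Docker or moby; it assumes a Linux target and falls back to syscall number 425 (the unified-table number for `io_uring_setup`) only when the libc headers predate io_uring.

```c
// Added example (not Docker's or moby's code): probe whether io_uring_setup(2)
// is reachable from the calling process. Run it inside a container to confirm
// the default seccomp profile blocks io_uring, and on the host to compare.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* io_uring_setup is 425 in the unified syscall table (x86_64, arm64 and every
 * arch using asm-generic/unistd.h). The fallback only matters on a libc whose
 * headers predate io_uring. Assumption: Linux build. */
#ifndef SYS_io_uring_setup
#define SYS_io_uring_setup 425
#endif

/* struct io_uring_params is 120 bytes and the kernel requires its reserved
 * fields to be zero, so an all-zero buffer of that size is a valid request
 * without pulling in <linux/io_uring.h>. */
#define IO_URING_PARAMS_SIZE 120

/* Returns 0 when the syscall succeeded (the ring fd is closed again),
 * otherwise the errno produced by the kernel or the seccomp filter. */
int probe_io_uring_setup(void)
{
    unsigned char params[IO_URING_PARAMS_SIZE];
    memset(params, 0, sizeof params);
    long fd = syscall(SYS_io_uring_setup, 4u, params); /* ask for 4 SQ entries */
    if (fd < 0)
        return errno;
    close((int)fd);
    return 0;
}

/* Translate the probe result into what it means for a hardening check. */
const char *explain_probe(int err)
{
    switch (err) {
    case 0:
        return "allowed: io_uring_setup succeeded, the seccomp profile does not block it";
    case EPERM:
        return "EPERM: blocked (Docker's default profile returns EPERM for unlisted syscalls)";
    case ENOSYS:
        return "ENOSYS: the kernel or runtime has no io_uring support";
    default:
        return "other error: the syscall is reachable but setup failed";
    }
}

int main(void)
{
    int err = probe_io_uring_setup();
    printf("%s\n", explain_probe(err));
    return err == EPERM ? 0 : 1; /* exit 0 only when io_uring is blocked */
}
```

Two caveats when reading the result: `EPERM` is also what a kernel with `kernel.io_uring_disabled=2` returns, so a blocked result does not by itself prove the seccomp profile is the control that fired; and a container run with `--privileged` or a custom profile that allows the three syscalls will report "allowed" even on an Engine that ships this change.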

File tree

1 file changed, +3 −0 lines changed


content/manuals/engine/security/seccomp.md

Lines changed: 3 additions & 0 deletions
@@ -71,6 +71,9 @@ the reason each syscall is blocked rather than white-listed.
7171
| `init_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
7272
| `ioperm` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. |
7373
| `iopl` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. |
74+
| `io_uring_enter` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). |
75+
| `io_uring_register` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). |
76+
| `io_uring_setup` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). |
7477
| `kcmp` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. |
7578
| `kexec_file_load` | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. Also gated by `CAP_SYS_BOOT`. |
7679
| `kexec_load` | Deny loading a new kernel for later execution. Also gated by `CAP_SYS_BOOT`. |
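Review bot: the three new `io_uring_*` rows (lines 74-76) give no indication of which Docker Engine release first ships this change; they only link moby/moby#46762. Add the version in which the syscalls left the default allowlist, otherwise a reader on an older Engine takes the table as describing their profile while io_uring is still allowed there. Every neighbouring row also states whether a capability additionally gates the syscall ("Also gated by `CAP_SYS_MODULE`", "Already gated by `CAP_SYS_RAWIO`"); the io_uring rows omit this, so say explicitly whether any capability gates them or whether the seccomp profile is the only control, since that is what makes the entry useful in a table whose stated purpose is the reason each syscall is blocked. The three rows repeat the same sentence verbatim; consider having `io_uring_register` and `io_uring_setup` refer to the `io_uring_enter` entry, or merging the reason into one sentence that covers the family.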
