The legends on the graphs are so small that I can't read them on my smartphone ... and of course the website does not allow me to zoom in >_>
From 5 years ago - https://news.ycombinator.com/item?id=23132549
8 Months - https://news.ycombinator.com/item?id=42608436
No io_uring explainer is complete without a comprehensive running list of all the vulnerabilities discovered (so far) and the consequent API and behavior changes. This one, unfortunately, has been static since 2020, which means it comes from the time when io_uring seemed like it might be a fairly OK idea, instead of the toxic waste spill it turned out to be.
While the situation has improved, if your threat model is such you can block io_uring during boot or in containers with a seccomp policy:
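The seccomp approach mentioned above, as an added example that is not from the thread: a small C program that installs a raw seccomp-BPF filter (no libseccomp) so that io_uring_setup, io_uring_enter and io_uring_register return EPERM for the calling process and everything it later execs. It assumes Linux with the usual kernel headers; the function and variable names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* The io_uring syscalls were added after the 2019 syscall-table unification,
 * so 425..427 are the same numbers on every architecture; define them for
 * older libcs. (For the "during boot" case, Linux 6.6+ also offers the
 * kernel.io_uring_disabled sysctl; this example covers the seccomp path.) */
#ifndef __NR_io_uring_setup
#define __NR_io_uring_setup    425
#define __NR_io_uring_enter    426
#define __NR_io_uring_register 427
#endif

#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

/* Install the filter. Returns 0 on success, -1 with errno set otherwise. */
int block_io_uring(void)
{
    struct sock_filter filter[] = {
        /* A = syscall number of the call being checked */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* x32 calls on x86_64 carry bit 30; deny them so the plain numbers
         * below cannot be bypassed through a different ABI */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),        /* io_uring_*: EPERM */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), /* everything else   */
    };
    struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]),
                               .filter = filter };
    /* Required before an unprivileged process may install a filter */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Try to create a ring; returns the errno reported, or 0 if it succeeded.
 * (With params == NULL the kernel itself answers EFAULT, so the probe never
 * actually creates a ring; after the filter it must answer EPERM.) */
int probe_io_uring(void)
{
    long fd = syscall(__NR_io_uring_setup, 0, NULL);
    if (fd >= 0) { close((int)fd); return 0; }
    return errno;
}

int main(void)
{
    printf("before filter: errno=%d\n", probe_io_uring());
    if (block_io_uring() != 0) { perror("seccomp"); return 1; }
    printf("after filter:  errno=%d (EPERM is %d)\n", probe_io_uring(), EPERM);
    return 0;
}
```

The same three syscall names can be denied in a container runtime's seccomp profile (SCMP_ACT_ERRNO) to get the in-container variant the comment refers to.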
What is it with io_uring and btrfs in particular that gives people a compulsive urge to bring up bugs from years ago as proof that they should never be used. Yeah, huge complicated new subsystems land with bugs, and then they gradually get fixed. I’m sorry we can’t all ship perfect bug-free software on the first release, please be kind to us mere mortals.
io_uring is fundamentally under-designed and will never work correctly. It cannot be incrementally reformed.
Care to elaborate?
Also user namespaces have had a long list of vulnerabilities, but that's still better than running docker as root directly.
That is a ridiculous statement. In the case of userns exploits there have been many and it means that every unprivileged user can obtain root on the machine.
Whereas rootful docker is a well known thing, run on millions of machines, and none of the vulnerabilities discovered in its entire existence is as bad as any single priv escalation issue caused by allowing unprivileged users to create a user namespace.
Hrmm. "Take over the entire machine" type vulnerabilities, or "these namespaces weren't quite as isolated as we thought" vulnerabilities?
Escalating from an unprivileged user to root by creating userns and exploiting various things in the kernel along the way.
The latter can easily propagate to the former if seccomp/AppArmor/MAC isn't set properly.
CVEs are publicly available.
All critical flaws seen so far have seen patches and fixes.