Bypass seccomp-bpf based `socket(2)` restrictions with `io_uring`
=================================================================

Since Linux 5.19 (Aug 2022) `io_uring` can be used to create sockets just like `socket(2)` does [1] [2]. This makes it possible to create sockets when `io_uring` is allowed but the `socket(2)` syscall is blocked by a seccomp filter. `io_uring` is allowed by default but can be restricted/disabled with a sysctl knob since Linux 6.6 [3].

[1]: https://man7.org/linux/man-pages/man2/io_uring_enter.2.html
[2]: https://github.com/torvalds/linux/commit/1374e08e2d44863c931910797852589803997668
[3]: https://www.phoronix.com/news/Linux-6.6-sysctl-IO_uring

Some architectures, such as x86-32, do not implement `socket(2)` as a syscall. Socket-related syscalls are multiplexed through `socketcall(2)` and cannot be filtered with seccomp-bpf, so there is nothing to bypass there.

### systemd `RestrictAddressFamilies=`

```console
$ cargo build --release
$ systemd-run --user -q -t -p "RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK" ./target/release/io_uring_socket
socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): Address family not supported by protocol (os error 97)
io_uring:socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): 4
```

`io_uring` is allowed with `SystemCallFilter=@system-service`.

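To verify whether a given sandbox leaves `io_uring` reachable, the following added example (not part of this project's code) calls `io_uring_setup` with a NULL parameter pointer, which cannot create a ring, and classifies the resulting errno; it also reads the Linux 6.6 sysctl mentioned in the introduction. Assumptions: the names `Exposure`, `classify`, `parse_sysctl` and `probe` are made up for this example, the sysctl is read from `/proc/sys/kernel/io_uring_disabled`, and syscall number 425 and the errno constants are the Linux values.

```rust
use std::{fs, io};
use std::os::raw::{c_long, c_void};

extern "C" {
    // libc's generic syscall(2) wrapper; std already links libc on Linux.
    fn syscall(num: c_long, ...) -> c_long;
}

const SYS_IO_URING_SETUP: c_long = 425; // same number on every Linux architecture
const EPERM: i32 = 1;
const EFAULT: i32 = 14;
const ENOSYS: i32 = 38;

#[derive(Debug, PartialEq)]
pub enum Exposure {
    Reachable,      // EFAULT: the kernel got as far as reading our NULL params
    Denied,         // EPERM: e.g. a seccomp filter or kernel.io_uring_disabled
    NotImplemented, // ENOSYS: kernel without io_uring, or a filter returning ENOSYS
    Other(i32),     // any other errno, e.g. a filter configured with its own value
}

/// Map the errno of io_uring_setup(1, NULL) to an exposure verdict.
pub fn classify(errno: i32) -> Exposure {
    match errno {
        EFAULT => Exposure::Reachable,
        EPERM => Exposure::Denied,
        ENOSYS => Exposure::NotImplemented,
        e => Exposure::Other(e),
    }
}

/// Parse the sysctl value (Linux 6.6+): 0 = allowed for all processes,
/// 1 = disabled for unprivileged processes, 2 = disabled for everyone.
pub fn parse_sysctl(raw: &str) -> Option<u8> {
    raw.trim().parse::<u8>().ok().filter(|v| *v <= 2)
}

pub fn probe() -> Exposure {
    // NULL params: a reachable syscall fails with EFAULT before any ring exists.
    let ret = unsafe { syscall(SYS_IO_URING_SETUP, 1u32, std::ptr::null::<c_void>()) };
    if ret >= 0 { return Exposure::Reachable; } // not expected with NULL params
    classify(io::Error::last_os_error().raw_os_error().unwrap_or(0))
}

fn main() {
    let knob = fs::read_to_string("/proc/sys/kernel/io_uring_disabled").ok();
    println!("kernel.io_uring_disabled = {:?}", knob.as_deref().and_then(parse_sysctl));
    println!("io_uring_setup probe     = {:?}", probe());
}
```

Run it under the same wrapper and options as `io_uring_socket`. On Linux 5.19 or later, a `Reachable` verdict means the `socket(2)` restriction alone does not prevent socket creation.
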

### flatpak

```console
$ cargo build --release
$ flatpak run --command=./target/release/io_uring_socket --filesystem=$PWD com.github.tchx84.Flatseal
socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): Address family not supported by protocol (os error 97)
io_uring:socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): 4
```

### firejail `--protocol`

```console
$ cargo build --release
$ firejail --quiet --noprofile --protocol=unix,inet,inet6,netlink ./target/release/io_uring_socket
socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): Operation not supported (os error 95)
io_uring:socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): 4
```

### crablock `--seccomp-restrict-socket`

```console
$ cargo build --release
$ crablock --seccomp-restrict-socket "AF_UNIX,,;AF_INET,,;AF_INET6,,;AF_NETLINK,," -- ./target/release/io_uring_socket
socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): Permission denied (os error 13)
io_uring:socket(AF_VSOCK, SOCK_STREAM | SOCK_CLOEXEC, 0): 4
```

---

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved. This file is offered as-is, without any warranty.