News: 0000830504

Kees Cook [1]catches up with the security-relevant changes in the 5.6 kernel release. " With my 'attack surface reduction' hat on, I remain personally suspicious of the io_uring() family of APIs, but I can’t deny their utility for certain kinds of workloads. Being able to pipeline reads and writes without the overhead of actually making syscalls is pretty great for performance. Jens Axboe has added the IORING_OP_OPENAT command so that existing io_urings can open files to be added on the fly to the mapping of available read/write targets of a given io_uring. While LSMs are still happily able to intercept these actions, I remain wary of the growing 'syscall multiplexer' that io_uring is becoming. "



[1] https://outflux.net/blog/archives/2020/09/02/security-things-in-linux-v5-6/