From a48ddf4a208b24eadea82f0eac62e236f2acf004 Mon Sep 17 00:00:00 2001
From: Vinayak Goyal
Date: Thu, 2 Nov 2023 01:16:03 +0000
Subject: [PATCH] Don't allow io_uring related syscalls in the RuntimeDefault seccomp profile.
Signed-off-by: Vinayak Goyal
---
 contrib/seccomp/seccomp_default.go | 3 ---
 contrib/seccomp/seccomp_default_test.go | 36 +++++++++++++++++++++++++
 2 files changed, 36 insertions(+), 3 deletions(-)
 create mode 100644 contrib/seccomp/seccomp_default_test.go
diff --git a/contrib/seccomp/seccomp_default.go b/contrib/seccomp/seccomp_default.go
index c5416a061..f0a34fc1b 100644
--- a/contrib/seccomp/seccomp_default.go
+++ b/contrib/seccomp/seccomp_default.go
@@ -183,9 +183,6 @@ func DefaultProfile(sp *specs.Spec) *specs.LinuxSeccomp {
 "ioprio_set",
 "io_setup",
 "io_submit",
- "io_uring_enter",
- "io_uring_register",
- "io_uring_setup",
 "ipc",
 "kill",
 "landlock_add_rule",
diff --git a/contrib/seccomp/seccomp_default_test.go b/contrib/seccomp/seccomp_default_test.go
new file mode 100644
index 000000000..53e386809
--- /dev/null
+++ b/contrib/seccomp/seccomp_default_test.go
@@ -0,0 +1,36 @@
+package seccomp
+
+import (
+ "testing"
+
+ "github.com/opencontainers/runtime-spec/specs-go"
+)
+
+func TestIOUringIsNotAllowed(t *testing.T) {
+
+ disallowed := map[string]bool{
+ "io_uring_enter": true,
+ "io_uring_register": true,
+ "io_uring_setup": true,
+ }
+
+ got := DefaultProfile(&specs.Spec{
+ Process: &specs.Process{
+ Capabilities: &specs.LinuxCapabilities{
+ Bounding: []string{},
+ },
+ },
+ })
+
+ for _, config := range got.Syscalls {
+ if config.Action != specs.ActAllow {
+ continue
+ }
+
+ for _, name := range config.Names {
+ if disallowed[name] {
+ t.Errorf("found disallowed io_uring related syscalls")
+ }
+ }
+ }
+}
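Review bot: TestIOUringIsNotAllowed builds the profile only for an empty `Bounding` set, so it would not notice an io_uring syscall allowed by a capability-gated rule. Most of DefaultProfile's body is outside this diff, but since it takes the spec it presumably adds rules per capability, so consider running the same check over a second spec whose `Bounding` lists the capabilities the profile branches on. The failure message also hides which name matched; `t.Errorf("RuntimeDefault profile allows %q", name)` would make a regression readable at a glance. Because the map pins three exact names, a later `io_uring_*` syscall added to an allow rule would slip past, and a `strings.HasPrefix(name, "io_uring_")` check would be a sturdier guard.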