io_uring is blocked by the default seccomp profile

[bgemmill]

Description

The default seccomp profile supports the aio family of functions, but not the io_uring family of functions.

Reproduce

1. Attempt to run a program based on io_uring inside a docker container
2. The ring fails to initialize with operation not permitted

Expected behavior

io_uring initializes and runs

docker version

Client: Docker Engine - Community
 Version:           25.0.4
 API version:       1.44
 Go version:        go1.21.8
 Git commit:        1a576c5
 Built:             Wed Mar  6 16:32:12 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.4
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.8
  Git commit:       061aa95
  Built:            Wed Mar  6 16:32:12 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

docker info

Client: Docker Engine - Community
 Version:    25.0.4
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.13.0
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v2.24.7
    Path:     /usr/libexec/docker/cli-plugins/docker-compose
  scan: Docker Scan (Docker Inc.)
    Version:  v0.23.0
    Path:     /usr/libexec/docker/cli-plugins/docker-scan

Server:
 Containers: 1
  Running: 1
  Paused: 0
  Stopped: 0
 Images: 5
 Server Version: 25.0.4
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc version: v1.1.12-0-g51d5e94
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.5.0-21-generic
 Operating System: Linux Mint 21.3
 OSType: linux
 Architecture: x86_64
 CPUs: 20
 Total Memory: 62.5GiB
 Name: spore
 ID: ZIHG:IUVG:WBMF:SWXK:7BIZ:WGNV:WDLY:B2FI:YHT7:LI2X:MV7G:D3HB
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: project5
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: false

Additional Info

No response

[thaJeztah]

Thanks for reporting. These syscalls were allowed at some point, but that change was reverted / removed for security considerations.

More context can be found in the pull request below, which also has links to related pull-requests and discussions both in this repository and in the containerd project;

• seccomp: block io_uring_* syscalls in default profile #46762

Based on the above, I don't think we'll be adding those back in the default profile, and if these are needed for your specific use-case, you may need to define a custom seccomp profile.

I'll close this ticket for that reason, but feel free to continue the conversation.

[bgemmill]

Thanks for the heads up as to why it's not the default. I'm trying to deploy a container that uses io_uring via docker swarm, and it doesn't look like seccomp=unconfined can be passed as a service option currently:
issue: #41371
epic: #25303

Is that reasonable to add to swarm compose files, or will I have to use daemon.json on each box?