vinyl: add io_uring restrictions

riptl · ripatel-fd · commit 6b50b6595765 · 2025-11-14T11:28:50.000-05:00
Restrict io_uring usage to READ against the bstream fd.
(Similar to seccomp with regular syscalls)
diff --git a/src/discof/vinyl/fd_vinyl_tile.c b/src/discof/vinyl/fd_vinyl_tile.c
@@ -56,6 +56,7 @@ vinyl_io_uring_params( struct io_uring_params * params,
   params->cq_entries  = uring_depth;
   params->flags      |= IORING_SETUP_COOP_TASKRUN;
   params->flags      |= IORING_SETUP_SINGLE_ISSUER;
+  params->flags      |= IORING_SETUP_R_DISABLED;
   params->features   |= IORING_SETUP_DEFER_TASKRUN;
   return params;
 }
@@ -175,6 +176,22 @@ vinyl_io_uring_init( fd_vinyl_tile_ctx_t * ctx,
 
   /* Setup io_uring file access */
   FD_TEST( 0==io_uring_register_files( ctx->ring, &dev_fd, 1 ) );
+
+  /* Register restrictions */
+  struct io_uring_restriction res[3] = {
+    { .opcode    = IORING_RESTRICTION_SQE_OP,
+      .sqe_op    = IORING_OP_READ },
+    { .opcode    = IORING_RESTRICTION_SQE_FLAGS_REQUIRED,
+      .sqe_flags = IOSQE_FIXED_FILE },
+    { .opcode    = IORING_RESTRICTION_SQE_FLAGS_ALLOWED,
+      .sqe_flags = IOSQE_IO_LINK | IOSQE_CQE_SKIP_SUCCESS }
+  };
+  int res_err = io_uring_register_restrictions( ctx->ring, res, 3U );
+  if( FD_UNLIKELY( res_err<0 ) ) FD_LOG_ERR(( "io_uring_register_restrictions failed (%i-%s)", res_err, fd_io_strerror( -res_err ) ));
+
+  /* Enable rings */
+  int enable_err = io_uring_enable_rings( ctx->ring );
+  if( FD_UNLIKELY( enable_err<0 ) ) FD_LOG_ERR(( "io_uring_enable_rings failed (%i-%s)", enable_err, fd_io_strerror( -enable_err ) ));
 }
 
 #else /* no io_uring */
diff --git a/src/vinyl/io/fd_vinyl_io_ur.c b/src/vinyl/io/fd_vinyl_io_ur.c
@@ -185,7 +185,6 @@ ur_prep_read( fd_vinyl_io_ur_t *    ur,
 
   /* Map seq0 into the bstream store. */
 
-  int   dev_fd   = ur->dev_fd;
   ulong dev_base = ur->dev_base;
   ulong dev_sz   = ur->dev_sz;
 
@@ -199,7 +198,8 @@ ur_prep_read( fd_vinyl_io_ur_t *    ur,
   rd->tsz  = (uint)rsz;
   struct io_uring_sqe * sqe = io_uring_get_sqe( ring );
   if( FD_UNLIKELY( !sqe ) ) FD_LOG_CRIT(( "io_uring_get_sqe() returned NULL despite io_uring_sq_space_left()>=2" ));
-  io_uring_prep_read( sqe, dev_fd, rd->dst, (uint)rsz, dev_base+dev_off );
+  io_uring_prep_read( sqe, 0, rd->dst, (uint)rsz, dev_base+dev_off );
+  io_uring_sqe_set_flags( sqe, IOSQE_FIXED_FILE );
   io_uring_sqe_set_data( sqe, rd );
   ur->sq_prep_cnt++;
   if( FD_LIKELY( !sz ) ) return 1U; /* optimize for the unfragmented case */
@@ -210,15 +210,16 @@ ur_prep_read( fd_vinyl_io_ur_t *    ur,
      the head read job also succeeded.  Also, set the low bit of the
      userdata to 1 (usually guaranteed to be 0 due to alignment), to
      indicate that this SQE is a head frag. */
-  io_uring_sqe_set_flags( sqe, IOSQE_IO_LINK | IOSQE_CQE_SKIP_SUCCESS );
+  io_uring_sqe_set_flags( sqe, IOSQE_FIXED_FILE | IOSQE_IO_LINK | IOSQE_CQE_SKIP_SUCCESS );
   io_uring_sqe_set_data64( sqe, (ulong)rd+1UL );
   ur->cq_cnt++;  /* Treat as already-completed in metrics */
 
   /* Prepare the tail SQE */
   rd->tsz  = (uint)sz;
   sqe = io_uring_get_sqe( ring );
   if( FD_UNLIKELY( !sqe ) ) FD_LOG_CRIT(( "io_uring_get_sqe() returned NULL despite io_uring_sq_space_left()>=2" ));
-  io_uring_prep_read( sqe, dev_fd, (uchar *)rd->dst + rsz, (uint)sz, dev_base );
+  io_uring_prep_read( sqe, 0, (uchar *)rd->dst + rsz, (uint)sz, dev_base );
+  io_uring_sqe_set_flags( sqe, IOSQE_FIXED_FILE );
   io_uring_sqe_set_data( sqe, rd );
   ur->sq_prep_cnt++;
   return 2U;
diff --git a/src/vinyl/io/test_vinyl_io_ur.c b/src/vinyl/io/test_vinyl_io_ur.c
@@ -87,6 +87,8 @@ main( int     argc,
       FD_LOG_ERR(( "io_uring_queue_init_params failed (%i-%s)", init_err, fd_io_strerror( -init_err ) ));
     }
 
+    FD_TEST( 0==io_uring_register_files( ring, &fd, 1 ) );
+
     ulong align = fd_vinyl_io_ur_align();
     FD_TEST( fd_ulong_is_pow2( align ) );
     ulong footprint = fd_vinyl_io_ur_footprint( spad_max );

Original file line number	Diff line number	Diff line change
`@@ -87,6 +87,8 @@ main( int argc,`
`87`	`87`	`FD_LOG_ERR(( "io_uring_queue_init_params failed (%i-%s)", init_err, fd_io_strerror( -init_err ) ));`
`88`	`88`	`}`
`89`	`89`
	`90`	`+ FD_TEST( 0==io_uring_register_files( ring, &fd, 1 ) );`
	`91`	`+`
`90`	`92`	`ulong align = fd_vinyl_io_ur_align();`
`91`	`93`	`FD_TEST( fd_ulong_is_pow2( align ) );`
`92`	`94`	`ulong footprint = fd_vinyl_io_ur_footprint( spad_max );`