git.ipfire.org Git - thirdparty/linux.git/commit

author	Jens Axboe <axboe@kernel.dk>
	Thu, 8 Jan 2026 17:18:31 +0000 (10:18 -0700)
committer	Jens Axboe <axboe@kernel.dk>
	Fri, 6 Feb 2026 14:29:19 +0000 (07:29 -0700)
commit	ed82f35b926b2e505c14b7006473614b8f58b4f4
tree	ad7d9b985dc26d60349174c2590dc110a2c4f40b	tree
parent	9fd99788f3e5a129908c242bb29946077ca46611	commit \| diff

io_uring: allow registration of per-task restrictions

Currently io_uring supports restricting operations on a per-ring basis.
To use those, the ring must be setup in a disabled state by setting
IORING_SETUP_R_DISABLED. Then restrictions can be set for the ring, and
the ring can then be enabled.

This commit adds support for IORING_REGISTER_RESTRICTIONS with ring_fd
== -1, like the other "blind" register opcodes which work on the task
rather than a specific ring. This allows registration of the same kind
of restrictions as can been done on a specific ring, but with the task
itself. Once done, any ring created will inherit these restrictions.

If a restriction filter is registered with a task, then it's inherited
on fork for its children. Children may only further restrict operations,
not extend them.

Inheriting restrictions include both the classic
IORING_REGISTER_RESTRICTIONS based restrictions, as well as the BPF
filters that have been registered with the task via
IORING_REGISTER_BPF_FILTER.

Signed-off-by: Jens Axboe <axboe@kernel.dk>

include/linux/io_uring_types.h		diff \| blob \| blame \| history
include/uapi/linux/io_uring.h		diff \| blob \| blame \| history
io_uring/bpf_filter.c		diff \| blob \| blame \| history
io_uring/bpf_filter.h		diff \| blob \| blame \| history
io_uring/io_uring.c		diff \| blob \| blame \| history
io_uring/io_uring.h		diff \| blob \| blame \| history
io_uring/register.c		diff \| blob \| blame \| history
io_uring/tctx.c		diff \| blob \| blame \| history