mirror of
https://github.com/docker/docs.git
synced 2026-03-27 06:18:55 +07:00
docs: add io_uring_* syscalls to seccomp significant syscalls table
The io_uring_enter, io_uring_register, and io_uring_setup syscalls were removed from Docker's default seccomp allowlist in moby/moby#46762 due to security vulnerabilities that can be exploited to escape containers. Add them to the significant blocked syscalls table. Fixes #23784
@@ -71,6 +71,9 @@ the reason each syscall is blocked rather than white-listed.
| `init_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. |
| `ioperm` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. |
| `iopl` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. |
| `io_uring_enter` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). |
| `io_uring_register` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). |
| `io_uring_setup` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). |
| `kcmp` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. |
| `kexec_file_load` | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. Also gated by `CAP_SYS_BOOT`. |
| `kexec_load` | Deny loading a new kernel for later execution. Also gated by `CAP_SYS_BOOT`. |
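Review bot: The three new `io_uring_*` rows break the table's ordering and repeat one generic sentence where the neighbouring rows say what the syscall does. The table is sorted by syscall name, and `io_uring_enter`, `io_uring_register` and `io_uring_setup` sort before `ioperm` (underscore precedes `p`), so they should be inserted above the `ioperm` row rather than after `iopl`. For the reason column, follow the pattern of the surrounding entries ("Deny loading a new kernel ...", "Prevent containers from modifying ...") and state what is being denied, for example "Deny use of the io_uring asynchronous I/O interface; removed from the default profile because of container-escape vulnerabilities, see moby/moby#46762", so the reader learns what the row blocks and not only that it is blocked; the identical text in all three rows could then be shortened in the second and third to a reference to the first.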