From 01201c0ece6374d4fe6b319a16e54b3727eee9d2 Mon Sep 17 00:00:00 2001
From: Daniel Micay
Date: Mon, 1 Jul 2024 23:11:17 -0400
Subject: [PATCH] disable io_uring without CAP_SYS_ADMIN or io_uring group

---
 deploy-initial      | 1 +
 sysctl.d/local.conf | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/deploy-initial b/deploy-initial
index 443f8af..b3eacdf 100755
--- a/deploy-initial
+++ b/deploy-initial
@@ -59,6 +59,7 @@ rsync -cv nftables/nftables-${hosts_firewall[$host]:-web}.conf $remote:/mnt/etc/
 ssh $remote "arch-chroot /mnt systemctl enable chronyd.service fstrim.timer logrotate.timer nftables.service plocate-updatedb.timer systemd-networkd.service sshd.service unbound.service"
 ssh $remote "arch-chroot /mnt systemctl disable remote-fs.target systemd-network-generator.service"
+ssh $remote "arch-chroot /mnt groupadd -g 2000 io_uring"
 ssh $remote "umask 077 && dd if=/dev/random of=/mnt/swapfile bs=1M count=$swap status=progress"
diff --git a/sysctl.d/local.conf b/sysctl.d/local.conf
index 92eb6a1..1c57aee 100644
--- a/sysctl.d/local.conf
+++ b/sysctl.d/local.conf
@@ -53,6 +53,9 @@ kernel.unprivileged_userns_clone = 0
 kernel.unprivileged_bpf_disabled = 1
 net.core.bpf_jit_harden = 2
+kernel.io_uring_disabled = 1
+kernel.io_uring_group = 2000
+
 kernel.kexec_load_disabled = 1
 fs.protected_regular = 2
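Review bot: The added `groupadd -g 2000 io_uring` hard-codes the GID that `kernel.io_uring_group = 2000` in sysctl.d/local.conf depends on, and nothing on either side records that coupling; a comment on this line such as `# GID 2000 must match kernel.io_uring_group in sysctl.d/local.conf` would keep the two from drifting apart. The command is also not idempotent: if GID 2000 or the group name already exists on the target, groupadd exits non-zero, and whether that aborts the deploy depends on shell options set outside this hunk (no `set -e` is visible here). The group is created with no members, so until users are added the sysctl effectively limits io_uring to CAP_SYS_ADMIN, which may well be the intent.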
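Review bot: `kernel.io_uring_group = 2000` is a bare numeric GID whose meaning comes from the `groupadd -g 2000 io_uring` line in deploy-initial, and this file gives the reader no way to know that; a comment above the two keys such as `# io_uring only for CAP_SYS_ADMIN or members of the io_uring group (GID 2000, created by deploy-initial); needs Linux 6.6+` would keep the values in step. Both keys exist only on Linux 6.6 and later, so on an older kernel sysctl reports them as unknown and io_uring stays fully enabled while the rest of the file is still applied, which is worth stating in that comment. `kernel.io_uring_disabled = 1` still permits processes holding CAP_SYS_ADMIN; that matches the commit subject, so I assume it is deliberate rather than the fully-disabling value 2.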