
That’s solved as of last week, you can use cBPF now to disable functionality.



How solved? AFAIK it's not meaningfully shipped but happy to hear otherwise.

You can now disable operations with cBPF, like you would be able to with seccomp for normal syscalls.

Their point is that that functionality is not available on older kernels (such as those in RHEL 9 and 10) and so most sandboxes will continue to block it outright for a while, though eventually one would expect Red Hat to backport it.

(We haven't even added support for the new cBPF io_uring stuff to low-level container runtimes like runc yet, though I did review the patchset on LKML earlier this year and planned to get working on it when I have time. But as it requires spec changes, expect it to take 6-12 months at best...)
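As an added illustration (not code from any commenter, nor from runc), this is the shape of the seccomp cBPF filter that sandboxes use today to block io_uring outright, as the comment above describes: it kills on a foreign arch, returns EPERM for the three io_uring syscalls and allows everything else. It assumes Linux on x86_64 or aarch64 with the io_uring syscall numbers in sys/syscall.h; the small evaluator is there so the verdict can be checked without loading the filter into the kernel.

```c
// Added example: seccomp cBPF filter denying io_uring outright (Linux only).
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__aarch64__)
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#define NATIVE_AUDIT_ARCH AUDIT_ARCH_X86_64 /* assumption: x86_64 otherwise */
#endif
#define SC_OFF(f) offsetof(struct seccomp_data, f)

/* Kill on foreign arch, EPERM the three io_uring syscalls, allow the rest. */
static struct sock_filter io_uring_deny[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_setup, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_enter, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_io_uring_register, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define IO_URING_DENY_LEN (sizeof io_uring_deny / sizeof io_uring_deny[0])

/* Evaluator for the instruction subset used above (LD|W|ABS, JEQ|K, RET|K),
 * so the verdict for a given (arch, syscall nr) can be checked in user space. */
static unsigned int io_uring_verdict(unsigned int arch, int nr) {
    struct seccomp_data d = { .nr = nr, .arch = arch };
    unsigned int acc = 0;
    for (size_t pc = 0; pc < IO_URING_DENY_LEN; pc++) {
        const struct sock_filter *i = &io_uring_deny[pc];
        if (BPF_CLASS(i->code) == BPF_LD)
            acc = *(const unsigned int *)((const char *)&d + i->k);
        else if (BPF_CLASS(i->code) == BPF_JMP)
            pc += (acc == i->k) ? i->jt : i->jf;
        else
            return i->k; /* BPF_RET: the verdict */
    }
    return SECCOMP_RET_KILL_PROCESS; /* fell off the end: fail closed */
}

/* Install the filter for the calling process: 0 on success, -1 on error. */
int install_io_uring_deny_filter(void) {
    struct sock_fprog prog = { .len = IO_URING_DENY_LEN, .filter = io_uring_deny };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}
```

After install_io_uring_deny_filter() succeeds, io_uring_setup() in that process fails with EPERM while every other syscall is untouched; the filter is inherited by children and cannot be removed.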


Thanks for that! Hope 2027 will then be the year we get back the speed that all those Spectre etc. mitigations ate for those syscalls io_uring can replace.


