io_uring and seccomp
Date: 10/13/2024 · Tags: #system-programming

Until now I didn't know that io_uring is not enabled by default when using containers (I only learned this in the past day XD).
A side effect is that io_uring effectively bypasses the protections provided by seccomp filtering — we can't filter out syscalls we never make! This isn't a security vulnerability per se, but something you should keep in mind if you have especially paranoid seccomp rules. [1]
Fortunately, moby and containerd have already addressed this in their default seccomp profiles: the io_uring syscalls (io_uring_setup, io_uring_enter and io_uring_register) were removed from the default allow list, which is why io_uring is unavailable inside a container unless you opt in with a custom profile. [2][3]
But @tgross still suggests checking up on this if you're expecting seccomp filtering to harden your applications.