Linux io_uring context forensics.
io_uring lets a process submit operations through shared submission and completion rings instead of issuing one syscall per operation, so the operations themselves never pass through syscall-level tracing. seccomp filters, ptrace syscall stops and audit SYSCALL records see only io_uring_setup(2) and io_uring_enter(2); the sendmsg, recvmsg or openat that the kernel performs on the process's behalf produces no syscall event of its own. The "Curing" proof-of-concept rootkit (2025) demonstrated full C2 over io_uring alone: IORING_OP_SENDMSG and IORING_OP_RECVMSG provide complete network I/O without a single sendmsg(2) or recvmsg(2) call, and therefore without any seccomp or audit event for those calls. This walker enumerates the io_ring_ctx structures attached to each process and flags those whose contexts perform sensitive operations (connection setup, network I/O, file open, read and write).
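The flagging step works on the opcodes found in a context's submission queue entries. The following is an added, stand-alone example (not this crate's code) of that idea: it parses 64-byte `struct io_uring_sqe` records carved from a submission ring and classifies the context by which of the opcodes listed below appear. The opcode values and SQE field offsets are those of include/uapi/linux/io_uring.h; the ring bytes, the `Verdict` names and the `make_sqe` helper are constructed for the example.

```rust
// Added example, not the walker's own implementation. Opcode values and the
// SQE layout (opcode at byte 0, fd at 4..8, len at 24..28, user_data at 32..40,
// 64 bytes total) follow include/uapi/linux/io_uring.h.
pub const IORING_OP_SENDMSG: u8 = 9;
pub const IORING_OP_RECVMSG: u8 = 10;
pub const IORING_OP_CONNECT: u8 = 16;
pub const IORING_OP_OPENAT: u8 = 18;
pub const IORING_OP_READ: u8 = 22;
pub const IORING_OP_WRITE: u8 = 23;

pub const SQE_SIZE: usize = 64;

#[derive(Debug, Clone, PartialEq)]
pub struct Sqe {
    pub opcode: u8,
    pub fd: i32,
    pub len: u32,
    pub user_data: u64,
}

fn le_u32(b: &[u8]) -> u32 {
    u32::from_le_bytes([b[0], b[1], b[2], b[3]])
}

fn le_u64(b: &[u8]) -> u64 {
    u64::from_le_bytes([b[0], b[1], b[2], b[3], b[4], b[5], b[6], b[7]])
}

/// Parse consecutive SQEs from raw submission-ring bytes (little-endian, as on
/// x86_64 and aarch64). A trailing partial entry is ignored, since a carved
/// region may end mid-record.
pub fn parse_sqes(ring: &[u8]) -> Vec<Sqe> {
    ring.chunks_exact(SQE_SIZE)
        .map(|e| Sqe {
            opcode: e[0],
            fd: le_u32(&e[4..8]) as i32,
            len: le_u32(&e[24..28]),
            user_data: le_u64(&e[32..40]),
        })
        .collect()
}

/// Verdict names are this example's own, ordered by severity.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum Verdict {
    Benign,
    FileAccess,
    NetworkIo,
    C2Pattern,
}

/// CONNECT plus SENDMSG/RECVMSG is the pattern a beacon that avoids network
/// syscalls would leave; network I/O alone or OPENAT with READ/WRITE rank lower.
pub fn classify(sqes: &[Sqe]) -> Verdict {
    let has = |op: u8| sqes.iter().any(|s| s.opcode == op);
    let net = has(IORING_OP_SENDMSG) || has(IORING_OP_RECVMSG);
    let file = has(IORING_OP_OPENAT) && (has(IORING_OP_READ) || has(IORING_OP_WRITE));
    if net && has(IORING_OP_CONNECT) {
        Verdict::C2Pattern
    } else if net {
        Verdict::NetworkIo
    } else if file {
        Verdict::FileAccess
    } else {
        Verdict::Benign
    }
}

/// Helper to build one SQE of constructed test data.
pub fn make_sqe(opcode: u8, fd: i32, len: u32, user_data: u64) -> [u8; SQE_SIZE] {
    let mut e = [0u8; SQE_SIZE];
    e[0] = opcode;
    e[4..8].copy_from_slice(&fd.to_le_bytes());
    e[24..28].copy_from_slice(&len.to_le_bytes());
    e[32..40].copy_from_slice(&user_data.to_le_bytes());
    e
}

/// Constructed sample ring: connect on fd 5, then one send and one receive
/// on the same socket, the shape of a syscall-free beacon.
pub fn sample_c2_ring() -> Vec<u8> {
    let mut ring = Vec::new();
    ring.extend_from_slice(&make_sqe(IORING_OP_CONNECT, 5, 0, 1));
    ring.extend_from_slice(&make_sqe(IORING_OP_SENDMSG, 5, 1, 2));
    ring.extend_from_slice(&make_sqe(IORING_OP_RECVMSG, 5, 1, 3));
    ring
}

fn main() {
    let sqes = parse_sqes(&sample_c2_ring());
    for s in &sqes {
        println!("{:?}", s);
    }
    println!("verdict: {:?}", classify(&sqes));
}
```

Two caveats apply to any such classifier: the SQ ring is recycled as the application submits more work, so a memory image shows only the most recent entries, and a busy legitimate server (a database or proxy using io_uring for networking) will also show SENDMSG and RECVMSG, so the verdict is a triage signal to correlate with the process identity and its audit history, not proof of compromise.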
Re-exports§
pub use crate::heuristics::classify_io_uring;
Structs§
- IoUringEntry - Information about an io_uring context attached to a process.
Constants§
- IORING_OP_CONNECT - io_uring opcode for establishing a connection (IORING_OP_CONNECT).
- IORING_OP_OPENAT - io_uring opcode for opening a file (IORING_OP_OPENAT).
- IORING_OP_READ - io_uring opcode for reading from a file descriptor (IORING_OP_READ).
- IORING_OP_RECVMSG - io_uring opcode for receiving a message (IORING_OP_RECVMSG).
- IORING_OP_SENDMSG - io_uring opcode for sending a message (IORING_OP_SENDMSG, from include/uapi/linux/io_uring.h).
- IORING_OP_WRITE - io_uring opcode for writing to a file descriptor (IORING_OP_WRITE).
Functions§
- walk_io_uring - Walk all io_ring_ctx structures reachable from each process's task_struct->io_uring field and return forensic entries.