From 142b14c4f5304e16e5b2d3bb80be8672a96ff82a Mon Sep 17 00:00:00 2001 From: dvdksn Date: Fri, 20 Mar 2026 15:52:03 +0100 Subject: [PATCH] docs: add io_uring_* syscalls to seccomp significant syscalls table The io_uring_enter, io_uring_register, and io_uring_setup syscalls were removed from Docker's default seccomp allowlist in moby/moby#46762 due to security vulnerabilities that can be exploited to escape containers. Add them to the significant blocked syscalls table. Fixes #23784 --- content/manuals/engine/security/seccomp.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/content/manuals/engine/security/seccomp.md b/content/manuals/engine/security/seccomp.md index d85bcaed6aec..c547bb5194bc 100644 --- a/content/manuals/engine/security/seccomp.md +++ b/content/manuals/engine/security/seccomp.md 
@@ -71,6 +71,9 @@ the reason each syscall is blocked rather than white-listed. | `init_module` | Deny manipulation and functions on kernel modules. Also gated by `CAP_SYS_MODULE`. | | `ioperm` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. | | `iopl` | Prevent containers from modifying kernel I/O privilege levels. Already gated by `CAP_SYS_RAWIO`. | +| `io_uring_enter` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). | +| `io_uring_register` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). | +| `io_uring_setup` | Blocked due to security vulnerabilities that can be exploited to break out of containers. See [moby/moby#46762](https://github.com/moby/moby/pull/46762). | | `kcmp` | Restrict process inspection capabilities, already blocked by dropping `CAP_SYS_PTRACE`. | | `kexec_file_load` | Sister syscall of `kexec_load` that does the same thing, slightly different arguments. Also gated by `CAP_SYS_BOOT`. | | `kexec_load` | Deny loading a new kernel for later execution. Also gated by `CAP_SYS_BOOT`. |
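Review bot: the three added rows carry identical wording, so the table no longer tells the reader what each syscall does, whereas the neighbouring rows (`init_module`, `ioperm`, `iopl`, `kexec_load`) each name the specific function being denied. Consider leading each row with that function (e.g. `io_uring_setup` creates the submission/completion ring, `io_uring_register` attaches buffers and files to it, `io_uring_enter` submits and waits on queued operations) before the shared "blocked due to security vulnerabilities ... see moby/moby#46762" sentence, or collapse the reason into one sentence the three rows share. The surrounding rows also state which capability additionally gates the call ("Also gated by `CAP_SYS_MODULE`", "Already gated by `CAP_SYS_RAWIO`"); these rows say nothing on that point, and since the table's stated purpose is "the reason each syscall is blocked", it is worth saying explicitly whether any capability gates the `io_uring_*` calls, as that determines whether the seccomp profile is the only control in front of them.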