
Performance impact


Posted Jul 30, 2022 10:14 UTC (Sat) by Wol (subscriber, #4433)
In reply to: Performance impact by mathstuf
Parent article: Security requirements for new kernel features

Not knowing anything about io_uring, but I would have thought a "simple" fix was adding a security module pointer to the uring itself. If that contains a pointer, that is the "god" uring security monitor. Any io_uring call must register its security module with god, because, if god has been so configured, "no security module, no run ...".

That way, people who don't want the hassle/overhead just don't bother registering god with io_uring. People who are paranoid, or need accounting, or whatever, configure god to reject calls it doesn't know about (and the writers of said calls will quickly get bug reports saying "your io_uring call doesn't work - missing security module").

And if this is added *quickly*, before io_uring gets too embedded, it means that "no security module no run" is a realistic option. The later it gets left, the harder it gets to turn that on without all hell breaking loose ...

Cheers,
Wol



