Describe the feature

Since Linux 5.1 (2019), io-uring has added another way to perform (some) syscalls operations aynchronously.

Unfortunately operations submitted to io-uring are completely invisible to seccomp, so if I block some syscall with restrict, someone could still smuggle the same operation through io-uring and it would not be blocked.

Describe the solution you'd like

I don't know if there's anything reasonable that can be done in userspace to filter io-uring commands in a fine-grained way, so probably restrict should offer a simple way to completely block io-uring.

Possibly this should be made an opt-out default, or at least documented very prominently, since users might think they have successfully blocked a syscall, when actually the whole seccomp system can be bypassed with this >5 year old Linux feature.