3.16.59-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook keescook@chromium.org
commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream.
If a seccomp user is not interested in Speculative Store Bypass mitigation by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when adding filters.
Signed-off-by: Kees Cook keescook@chromium.org Signed-off-by: Thomas Gleixner tglx@linutronix.de [bwh: Backported to 3.16: - We don't support SECCOMP_FILTER_FLAG_TSYNC or SECCOMP_FILTER_FLAG_LOG - Drop selftest changes] Signed-off-by: Ben Hutchings ben@decadent.org.uk --- include/linux/seccomp.h | 2 ++ include/uapi/linux/seccomp.h | 3 +++ kernel/seccomp.c | 14 ++++++++------ 3 files changed, 13 insertions(+), 6 deletions(-)
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -3,6 +3,8 @@
#include <uapi/linux/seccomp.h>
+#define SECCOMP_FILTER_FLAG_MASK SECCOMP_FILTER_FLAG_SPEC_ALLOW
+
 #ifdef CONFIG_SECCOMP
#include <linux/thread_info.h>
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -14,6 +14,9 @@
 #define SECCOMP_SET_MODE_STRICT 0
 #define SECCOMP_SET_MODE_FILTER 1
+/* Valid flags for SECCOMP_SET_MODE_FILTER */
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
+
 /*
 * All BPF programs must return a 32-bit value.
 * The bottom 16-bits are for optional return data.
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -220,11 +220,13 @@ static inline void spec_mitigate(struct
 arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
 }
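Review bot: The new flag in include/uapi/linux/seccomp.h is defined as bit 2, and the comment above it does not say why bits 0 and 1 are skipped. The backport note says SECCOMP_FILTER_FLAG_TSYNC and SECCOMP_FILTER_FLAG_LOG are not supported in this tree, so presumably the low bits are left free to keep the value identical to upstream for userspace built against upstream headers. I would record that in the comment, e.g. `/* Valid flags for SECCOMP_SET_MODE_FILTER; bits 0 and 1 are reserved for upstream flags not implemented here */`. Without it, a later change could reuse a low bit for something else and silently change what an existing binary is asking for.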
-static inline void seccomp_assign_mode(unsigned long seccomp_mode)
+static inline void seccomp_assign_mode(unsigned long seccomp_mode,
+ unsigned long flags)
 {
 current->seccomp.mode = seccomp_mode;
- /* Assume seccomp processes want speculation flaw mitigation. */
- spec_mitigate(current, PR_SPEC_STORE_BYPASS);
+ /* Assume default seccomp processes want spec flaw mitigation. */
+ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
+ spec_mitigate(current, PR_SPEC_STORE_BYPASS);
 set_tsk_thread_flag(current, TIF_SECCOMP);
 }
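Review bot: The rewritten comment in seccomp_assign_mode() leaves out the one property a sandbox author needs: SECCOMP_FILTER_FLAG_SPEC_ALLOW only skips the default spec_mitigate() call and does nothing to relax a mitigation that is already in force. The context line above shows spec_mitigate() setting PR_SPEC_FORCE_DISABLE, so a task that installed an earlier filter without the flag presumably stays mitigated; I would state that, e.g. `/* SPEC_ALLOW skips the default SSB mitigation; it never lifts one already applied. */`. The strict-mode caller in the @@ -524 hunk passes a bare `0` for the same parameter, and a short `/* strict mode has no flags */` there would make clear the mitigation is unconditional on that path. spec_mitigate() itself starts outside the hunk, so the condition guarding the force-disable is not visible here.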
@@ -524,7 +526,7 @@ static long seccomp_set_mode_strict(void
 #ifdef TIF_NOTSC
 disable_TSC();
 #endif
- seccomp_assign_mode(seccomp_mode);
+ seccomp_assign_mode(seccomp_mode, 0);
 ret = 0;
out:
@@ -553,7 +555,7 @@ static long seccomp_set_mode_filter(unsi
 long ret = -EINVAL;
/* Validate flags. */
- if (flags != 0)
+ if (flags & ~SECCOMP_FILTER_FLAG_MASK)
 goto out;
if (!seccomp_may_assign_mode(seccomp_mode))
@@ -563,7 +565,7 @@ static long seccomp_set_mode_filter(unsi
 if (ret)
 goto out;
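Review bot: The new check `if (flags & ~SECCOMP_FILTER_FLAG_MASK)` is only as strict as the mask, and nothing near it says that the mask must list exactly the flags this tree implements. With the mask equal to SECCOMP_FILTER_FLAG_SPEC_ALLOW, the upstream TSYNC and LOG bits that the backport note calls unsupported still fail with -EINVAL, which is how callers detect missing support; widening the mask without the matching implementation would turn that into silent acceptance. I would extend the existing comment to `/* Validate flags: reject every bit this kernel does not implement. */`. seccomp_set_mode_filter() starts and ends outside this hunk, so the declared type of `flags` is not visible.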
- seccomp_assign_mode(seccomp_mode);
+ seccomp_assign_mode(seccomp_mode, flags);
 out:
 return ret;
 }