4.4-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner tglx@linutronix.de
commit b849a812f7eb92e96d1c8239b06581b2cfd8b275 upstream
Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to widen restrictions.
Signed-off-by: Thomas Gleixner tglx@linutronix.de Signed-off-by: David Woodhouse dwmw@amazon.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Srivatsa S. Bhat srivatsa@csail.mit.edu Reviewed-by: Matt Helsley (VMware) matt.helsley@gmail.com Reviewed-by: Alexey Makhalov amakhalov@vmware.com Reviewed-by: Bo Gan ganb@vmware.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org ---
kernel/seccomp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -226,7 +226,7 @@ static inline void spec_mitigate(struct int state = arch_prctl_spec_ctrl_get(task, which);
if (state > 0 && (state & PR_SPEC_PRCTL)) - arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE); + arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE); }
static inline void seccomp_assign_mode(struct task_struct *task,