[PATCH 3.16 022/131] seccomp: Add filter flag to opt-out of SSB mitigation

From: Ben Hutchings
Date: Sat Sep 29 2018 - 17:50:03 EST


3.16.59-rc1 review patch. If anyone has any objections, please let me know.

------------------

From: Kees Cook <keescook@xxxxxxxxxxxx>

commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream.

If a seccomp user is not interested in Speculative Store Bypass mitigation
by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
adding filters.

Signed-off-by: Kees Cook <keescook@xxxxxxxxxxxx>
Signed-off-by: Thomas Gleixner <tglx@xxxxxxxxxxxxx>
[bwh: Backported to 3.16:
- We don't support SECCOMP_FILTER_FLAG_TSYNC or SECCOMP_FILTER_FLAG_LOG
- Drop selftest changes]
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
include/linux/seccomp.h | 2 ++
include/uapi/linux/seccomp.h | 3 +++
kernel/seccomp.c | 14 ++++++++------
3 files changed, 13 insertions(+), 6 deletions(-)

--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -3,6 +3,8 @@

#include <uapi/linux/seccomp.h>

+#define SECCOMP_FILTER_FLAG_MASK SECCOMP_FILTER_FLAG_SPEC_ALLOW
+
#ifdef CONFIG_SECCOMP

#include <linux/thread_info.h>
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -14,6 +14,9 @@
#define SECCOMP_SET_MODE_STRICT 0
#define SECCOMP_SET_MODE_FILTER 1

+/* Valid flags for SECCOMP_SET_MODE_FILTER */
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
+
/*
* All BPF programs must return a 32-bit value.
* The bottom 16-bits are for optional return data.
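Review bot: The new flag is defined as bit 2 while bits 0 and 1 have no definition anywhere in this tree's uapi header, so a later 3.16 contributor could reasonably reuse a lower bit and silently diverge from the upstream ABI. The backport note says TSYNC and LOG are not carried, and presumably those occupy the lower bits upstream, so the gap is deliberate but undocumented. A comment next to the definition would pin it: `/* Bit 2 matches upstream; bits 0 and 1 (TSYNC, LOG upstream) are reserved and not supported in 3.16. */`.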
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -220,11 +220,13 @@ static inline void spec_mitigate(struct
arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
}

-static inline void seccomp_assign_mode(unsigned long seccomp_mode)
+static inline void seccomp_assign_mode(unsigned long seccomp_mode,
+ unsigned long flags)
{
current->seccomp.mode = seccomp_mode;
- /* Assume seccomp processes want speculation flaw mitigation. */
- spec_mitigate(current, PR_SPEC_STORE_BYPASS);
+ /* Assume default seccomp processes want spec flaw mitigation. */
+ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
+ spec_mitigate(current, PR_SPEC_STORE_BYPASS);
set_tsk_thread_flag(current, TIF_SECCOMP);
}
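Review bot: The flag's name reads as "allow speculation", but the new code at the `if` only skips the call to `spec_mitigate()`; it never clears a `PR_SPEC_FORCE_DISABLE` that an earlier install applied to the task via `arch_prctl_spec_ctrl_set()`. If FORCE_DISABLE is sticky, as the prctl naming suggests, a process that installs one filter without the flag and a second one with it stays mitigated, which is the safe outcome but not what the name implies. I would replace the one-line comment with: `/* SPEC_ALLOW only skips applying the SSB mitigation on this install; it never undoes a PR_SPEC_FORCE_DISABLE already set on the task. */`.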

@@ -524,7 +526,7 @@ static long seccomp_set_mode_strict(void
#ifdef TIF_NOTSC
disable_TSC();
#endif
- seccomp_assign_mode(seccomp_mode);
+ seccomp_assign_mode(seccomp_mode, 0);
ret = 0;

out:
@@ -553,7 +555,7 @@ static long seccomp_set_mode_filter(unsi
long ret = -EINVAL;

/* Validate flags. */
- if (flags != 0)
+ if (flags & ~SECCOMP_FILTER_FLAG_MASK)
goto out;

if (!seccomp_may_assign_mode(seccomp_mode))
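Review bot: The new mask check correctly rejects any bit outside `SECCOMP_FILTER_FLAG_MASK` with -EINVAL, but the mask lives in the non-uapi header and nothing here says it must grow in lockstep with new uapi flags, which is the kind of maintenance step that gets missed in a stable branch. A short comment would make the contract explicit: `/* Reject unknown flags with -EINVAL; extend SECCOMP_FILTER_FLAG_MASK when adding uapi flags. */`. seccomp_set_mode_filter starts and ends outside this hunk.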
@@ -563,7 +565,7 @@ static long seccomp_set_mode_filter(unsi
if (ret)
goto out;

- seccomp_assign_mode(seccomp_mode);
+ seccomp_assign_mode(seccomp_mode, flags);
out:
return ret;
}
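Review bot: The opt-out is evaluated per install: `seccomp_assign_mode()` is called with the current call's `flags` every time, so a later `SECCOMP_SET_MODE_FILTER` without `SECCOMP_FILTER_FLAG_SPEC_ALLOW`, for example from a sandboxing library loaded into the process, force-disables SSB for the task regardless of what the first install requested. That is the right default-on posture, but callers relying on the opt-out should know it is not remembered across installs. Worth a comment before the call: `/* flags govern this install only; a later install without SPEC_ALLOW still enables the mitigation. */`. seccomp_set_mode_filter's beginning is outside this hunk.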