Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

seccomp: Enable speculation flaw mitigations

When speculation flaw mitigations are opt-in (via prctl), using seccomp
will automatically opt-in to these protections, since using seccomp
indicates at least some level of sandboxing is desired.

Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

Authored by Kees Cook and committed by Thomas Gleixner
5c307089 fae1fa0f

+17
kernel/seccomp.c
··· 19 19 #include <linux/compat.h> 20 20 #include <linux/coredump.h> 21 21 #include <linux/kmemleak.h> 22 + #include <linux/nospec.h> 23 + #include <linux/prctl.h> 22 24 #include <linux/sched.h> 23 25 #include <linux/sched/task_stack.h> 24 26 #include <linux/seccomp.h> ··· 229 227 return true; 230 228 } 231 229 230 + /* 231 + * If a given speculation mitigation is opt-in (prctl()-controlled), 232 + * select it, by disabling speculation (enabling mitigation). 233 + */ 234 + static inline void spec_mitigate(struct task_struct *task, 235 + unsigned long which) 236 + { 237 + int state = arch_prctl_spec_ctrl_get(task, which); 238 + 239 + if (state > 0 && (state & PR_SPEC_PRCTL)) 240 + arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE); 241 + } 242 + 232 243 static inline void seccomp_assign_mode(struct task_struct *task, 233 244 unsigned long seccomp_mode) 234 245 { ··· 253 238 * filter) is set. 254 239 */ 255 240 smp_mb__before_atomic(); 241 + /* Assume seccomp processes want speculation flaw mitigation. */ 242 + spec_mitigate(task, PR_SPEC_STORE_BYPASS); 256 243 set_tsk_thread_flag(task, TIF_SECCOMP); 257 244 } 258 245
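Review bot: In spec_mitigate(), the return value of arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE) is dropped, so if the call fails the task enters seccomp without the mitigation and nothing reports it. Both spec_mitigate() and its caller return void, so consider at least a comment stating that failure is deliberately ignored as best effort, or a one-time warning. The function comment could also say that a negative result from arch_prctl_spec_ctrl_get() is filtered out by the `state > 0` test, and whether a task is expected to be able to change the setting again afterwards, given that the comment describes it as prctl()-controlled.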
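Review bot: In seccomp_assign_mode(), the new spec_mitigate(task, PR_SPEC_STORE_BYPASS) call sits between smp_mb__before_atomic() and set_tsk_thread_flag(task, TIF_SECCOMP), which separates the barrier from the atomic operation it is paired with. Moving the call above the barrier and its comment block would keep that pair adjacent and make it clear the mitigation is not part of the ordering requirement. The function takes task as a parameter, so it would also help to note whether arch_prctl_spec_ctrl_set() is safe to call on a task other than current.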