diff options
| author | Kees Cook <keescook@chromium.org> | 2018-05-01 18:07:31 -0400 |
|---|---|---|
| committer | Thomas Gleixner <tglx@linutronix.de> | 2018-05-03 07:55:52 -0400 |
| commit | 5c3070890d06ff82eecb808d02d2ca39169533ef (patch) | |
| tree | 61123edee3ab9386a4314c3ce8267007471c0874 /kernel | |
| parent | fae1fa0fc6cca8beee3ab8ed71d54f9a78fa3f64 (diff) | |
seccomp: Enable speculation flaw mitigations
When speculation flaw mitigations are opt-in (via prctl), using seccomp
will automatically opt-in to these protections, since using seccomp
indicates at least some level of sandboxing is desired.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/seccomp.c | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c index dc77548167ef..9f34533046aa 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c | |||
| @@ -19,6 +19,8 @@ | |||
| 19 | #include <linux/compat.h> | 19 | #include <linux/compat.h> |
| 20 | #include <linux/coredump.h> | 20 | #include <linux/coredump.h> |
| 21 | #include <linux/kmemleak.h> | 21 | #include <linux/kmemleak.h> |
| 22 | #include <linux/nospec.h> | ||
| 23 | #include <linux/prctl.h> | ||
| 22 | #include <linux/sched.h> | 24 | #include <linux/sched.h> |
| 23 | #include <linux/sched/task_stack.h> | 25 | #include <linux/sched/task_stack.h> |
| 24 | #include <linux/seccomp.h> | 26 | #include <linux/seccomp.h> |
| @@ -227,6 +229,19 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode) | |||
| 227 | return true; | 229 | return true; |
| 228 | } | 230 | } |
| 229 | 231 | ||
| 232 | /* | ||
| 233 | * If a given speculation mitigation is opt-in (prctl()-controlled), | ||
| 234 | * select it, by disabling speculation (enabling mitigation). | ||
| 235 | */ | ||
| 236 | static inline void spec_mitigate(struct task_struct *task, | ||
| 237 | unsigned long which) | ||
| 238 | { | ||
| 239 | int state = arch_prctl_spec_ctrl_get(task, which); | ||
| 240 | |||
| 241 | if (state > 0 && (state & PR_SPEC_PRCTL)) | ||
| 242 | arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE); | ||
| 243 | } | ||
| 244 | |||
| 230 | static inline void seccomp_assign_mode(struct task_struct *task, | 245 | static inline void seccomp_assign_mode(struct task_struct *task, |
| 231 | unsigned long seccomp_mode) | 246 | unsigned long seccomp_mode) |
| 232 | { | 247 | { |
| @@ -238,6 +253,8 @@ static inline void seccomp_assign_mode(struct task_struct *task, | |||
| 238 | * filter) is set. | 253 | * filter) is set. |
| 239 | */ | 254 | */ |
| 240 | smp_mb__before_atomic(); | 255 | smp_mb__before_atomic(); |
| 256 | /* Assume seccomp processes want speculation flaw mitigation. */ | ||
| 257 | spec_mitigate(task, PR_SPEC_STORE_BYPASS); | ||
| 241 | set_tsk_thread_flag(task, TIF_SECCOMP); | 258 | set_tsk_thread_flag(task, TIF_SECCOMP); |
| 242 | } | 259 | } |
| 243 | 260 | ||