3.16.59-rc1 review patch.  If anyone has any objections, please let me know.

------------------

From: Kees Cook <keesc...@chromium.org>

commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream.

If a seccomp user is not interested in Speculative Store Bypass mitigation
by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
adding filters.

Signed-off-by: Kees Cook <keesc...@chromium.org>
Signed-off-by: Thomas Gleixner <t...@linutronix.de>
[bwh: Backported to 3.16:
 - We don't support SECCOMP_FILTER_FLAG_TSYNC or SECCOMP_FILTER_FLAG_LOG
 - Drop selftest changes]
Signed-off-by: Ben Hutchings <b...@decadent.org.uk>
---
 include/linux/seccomp.h      |  2 ++
 include/uapi/linux/seccomp.h |  3 +++
 kernel/seccomp.c             | 14 ++++++++------
 3 files changed, 13 insertions(+), 6 deletions(-)

--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -3,6 +3,8 @@
 
 #include <uapi/linux/seccomp.h>
 
+#define SECCOMP_FILTER_FLAG_MASK       SECCOMP_FILTER_FLAG_SPEC_ALLOW
+
 #ifdef CONFIG_SECCOMP
 
 #include <linux/thread_info.h>
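Review bot: `SECCOMP_FILTER_FLAG_MASK` is added without a comment, yet it alone decides which flag bits userspace may pass, through the `flags & ~SECCOMP_FILTER_FLAG_MASK` check in the kernel/seccomp.c part of this patch. I would put `/* Every flag seccomp_set_mode_filter() accepts; any other bit is rejected with -EINVAL. */` above the define. That way a later backport that adds a flag bit to the uapi header is less likely to leave the mask stale.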
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -14,6 +14,9 @@
 #define SECCOMP_SET_MODE_STRICT        0
 #define SECCOMP_SET_MODE_FILTER        1
 
+/* Valid flags for SECCOMP_SET_MODE_FILTER */
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2)
+
 /*
  * All BPF programs must return a 32-bit value.
  * The bottom 16-bits are for optional return data.
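Review bot: The new uapi flag `SECCOMP_FILTER_FLAG_SPEC_ALLOW` has no description of its effect, and nothing explains why the first valid flag is bit 2. Because setting it opts the task out of the Speculative Store Bypass mitigation that seccomp otherwise applies, the header should say so, for example `/* Do not force-disable Speculative Store Bypass when installing the filter */`. Bits 0 and 1 are left unused, presumably to match the upstream values of the TSYNC and LOG flags that the backport note says are unsupported here. A one-line `/* bits 0-1: upstream flags not supported in 3.16, rejected with -EINVAL */` would keep them from being reused for something else.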
--- a/kernel/seccomp.c
+++ b/kernel/seccomp.c
@@ -220,11 +220,13 @@ static inline void spec_mitigate(struct
                arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
 }
 
-static inline void seccomp_assign_mode(unsigned long seccomp_mode)
+static inline void seccomp_assign_mode(unsigned long seccomp_mode,
+                                      unsigned long flags)
 {
        current->seccomp.mode = seccomp_mode;
-       /* Assume seccomp processes want speculation flaw mitigation. */
-       spec_mitigate(current, PR_SPEC_STORE_BYPASS);
+       /* Assume default seccomp processes want spec flaw mitigation. */
+       if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
+               spec_mitigate(current, PR_SPEC_STORE_BYPASS);
        set_tsk_thread_flag(current, TIF_SECCOMP);
 }
 
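Review bot: The rewritten comment in `seccomp_assign_mode()`, `Assume default seccomp processes want spec flaw mitigation`, leaves "default" undefined and does not name the flag that changes the outcome. I would write `/* Force-disable Speculative Store Bypass unless the caller opted out with SECCOMP_FILTER_FLAG_SPEC_ALLOW. */`. Judging from the `PR_SPEC_FORCE_DISABLE` call visible in `spec_mitigate()` above, the flag appears only to skip applying the mitigation for this call, not to undo one applied by an earlier filter install. That is worth a second sentence, since it determines what a sandbox author can rely on. The strict-mode caller in the next hunk passes a literal `0`, so strict mode is always mitigated, which the same comment could mention.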
@@ -524,7 +526,7 @@ static long seccomp_set_mode_strict(void
 #ifdef TIF_NOTSC
        disable_TSC();
 #endif
-       seccomp_assign_mode(seccomp_mode);
+       seccomp_assign_mode(seccomp_mode, 0);
        ret = 0;
 
 out:
@@ -553,7 +555,7 @@ static long seccomp_set_mode_filter(unsi
        long ret = -EINVAL;
 
        /* Validate flags. */
-       if (flags != 0)
+       if (flags & ~SECCOMP_FILTER_FLAG_MASK)
                goto out;
 
        if (!seccomp_may_assign_mode(seccomp_mode))
@@ -563,7 +565,7 @@ static long seccomp_set_mode_filter(unsi
        if (ret)
                goto out;
 
-       seccomp_assign_mode(seccomp_mode);
+       seccomp_assign_mode(seccomp_mode, flags);
 out:
        return ret;
 }
