On Thu, 22 Nov 2018, Ingo Molnar wrote:
> > +   [SPECTRE_V2_APP2APP_SECCOMP]    = "App-App Mitigation: seccomp and 
> > prctl opt-in",
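Review bot: "seccomp and prctl opt-in" in the SPECTRE_V2_APP2APP_SECCOMP string makes both paths sound opt-in, while arch_seccomp_spec_mitigate() in this patch applies PR_SPEC_FORCE_DISABLE to seccomp tasks without any request from the task. Word the label so that only the prctl path is described as opt-in.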
> 
> This description is not accurate: it's not a 'seccomp and prctl opt-in', 
> the seccomp functionality is opt-out, the prctl is opt-in.
> 
> So something like:
> 
> > +   [SPECTRE_V2_APP2APP_SECCOMP]    = "App-App Mitigation: seccomp by 
> > default and prctl opt-in",

Na. I just make it: "prctl" and "seccomp + prctl" 

> >  void arch_seccomp_spec_mitigate(struct task_struct *task)
> >  {
> >     if (ssb_mode == SPEC_STORE_BYPASS_SECCOMP)
> >             ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
> > +   if (spectre_v2_app2app == SPECTRE_V2_APP2APP_SECCOMP)
> > +           indir_branch_prctl_set(task, PR_SPEC_FORCE_DISABLE);
> >  }
> >  #endif
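Review bot: arch_seccomp_spec_mitigate() needs a short comment above the two PR_SPEC_FORCE_DISABLE calls. As written, "if (spectre_v2_app2app == SPECTRE_V2_APP2APP_SECCOMP) indir_branch_prctl_set(task, PR_SPEC_FORCE_DISABLE);" reads as if a protection is being switched off for the seccomp task; a one-line comment stating that the constant disables the speculation feature for the task, so the mitigation is in effect, removes that ambiguity without touching the constant names.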
> 
> Hm, so isn't arch_seccomp_spec_mitigate() called right before untrusted 
> seccomp code is executed? So why are we disabling the mitigation here?

It disables the CPU speculation misfeature, not the mitigation. And no, we
are not going to change it because the constants are user space ABI today.

Thanks,

        tglx
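
The user-space view of the constants discussed above, as an added example that is not part of the original mail or the patch: PR_SPEC_DISABLE and PR_SPEC_FORCE_DISABLE switch the speculation feature off for the task, which means the mitigation is on. It assumes the mainline name PR_SPEC_INDIRECT_BRANCH for the control this series introduces; the patch under review may name it differently.

```c
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Values from mainline linux/prctl.h, for installed headers that predate them. */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#define PR_SPEC_NOT_AFFECTED    0
#define PR_SPEC_PRCTL           (1UL << 0)
#define PR_SPEC_ENABLE          (1UL << 1)
#define PR_SPEC_DISABLE         (1UL << 2)
#define PR_SPEC_FORCE_DISABLE   (1UL << 3)
#endif
#ifndef PR_SPEC_INDIRECT_BRANCH
#define PR_SPEC_INDIRECT_BRANCH 1   /* assumed mainline name, not from the mail */
#endif

/* 1 when speculation is disabled for the task, i.e. the mitigation is active. */
int is_mitigated(long v)
{
    return v > 0 && (v & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) != 0;
}

/* Decode the return value of PR_GET_SPECULATION_CTRL. */
const char *spec_state(long v)
{
    if (v < 0)                     return "control not supported";
    if (v == PR_SPEC_NOT_AFFECTED) return "CPU not affected";
    if (v & PR_SPEC_FORCE_DISABLE) return "speculation force-disabled: mitigated, cannot be undone";
    if (v & PR_SPEC_DISABLE)       return "speculation disabled: mitigated";
    if (v & PR_SPEC_ENABLE)        return "speculation enabled: not mitigated";
    return "unknown";
}

int main(void)
{
    long v = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    printf("before: %s\n", spec_state(v));

    /* Opt in: only accepted when the kernel reports PR_SPEC_PRCTL for this task. */
    if (v > 0 && (v & PR_SPEC_PRCTL) &&
        prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_DISABLE, 0, 0) != 0)
        perror("PR_SET_SPECULATION_CTRL");

    v = prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, 0, 0, 0);
    printf("after:  %s (mitigated=%d)\n", spec_state(v), is_mitigated(v));
    return 0;
}
```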