diff options
Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0054-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0054-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch | 222 |
1 files changed, 0 insertions, 222 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0054-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0054-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch deleted file mode 100644 index 17012902..00000000 --- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0054-seccomp-Add-filter-flag-to-opt-out-of-SSB-mitigation.patch +++ /dev/null @@ -1,222 +0,0 @@ -From ed34265c5f460b645a0669079fbc6ad094c83c96 Mon Sep 17 00:00:00 2001 -From: Kees Cook <keescook@chromium.org> -Date: Thu, 3 May 2018 14:56:12 -0700 -Subject: [PATCH 54/93] seccomp: Add filter flag to opt-out of SSB mitigation - -commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream - -If a seccomp user is not interested in Speculative Store Bypass mitigation -by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when -adding filters. - -Signed-off-by: Kees Cook <keescook@chromium.org> -Signed-off-by: Thomas Gleixner <tglx@linutronix.de> -Signed-off-by: David Woodhouse <dwmw@amazon.co.uk> -Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> ---- - include/linux/seccomp.h | 3 +- - include/uapi/linux/seccomp.h | 4 +- - kernel/seccomp.c | 19 ++++--- - tools/testing/selftests/seccomp/seccomp_bpf.c | 78 ++++++++++++++++++++++++++- - 4 files changed, 93 insertions(+), 11 deletions(-) - -diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h -index ecc296c..50c460a 100644 ---- a/include/linux/seccomp.h -+++ b/include/linux/seccomp.h -@@ -3,7 +3,8 @@ - - #include <uapi/linux/seccomp.h> - --#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC) -+#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ -+ SECCOMP_FILTER_FLAG_SPEC_ALLOW) - - #ifdef CONFIG_SECCOMP - -diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h -index 0f238a4..e4acb61 100644 ---- a/include/uapi/linux/seccomp.h -+++ b/include/uapi/linux/seccomp.h -@@ -15,7 +15,9 @@ - #define SECCOMP_SET_MODE_FILTER 1 - - /* Valid flags for SECCOMP_SET_MODE_FILTER */ --#define SECCOMP_FILTER_FLAG_TSYNC 1 -+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) -+/* In v4.14+ SECCOMP_FILTER_FLAG_LOG is (1UL << 1) */ -+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) - - /* - * All BPF programs must return a 32-bit value. -diff --git a/kernel/seccomp.c b/kernel/seccomp.c -index a0bd6ea..62a60e7 100644 ---- a/kernel/seccomp.c -+++ b/kernel/seccomp.c -@@ -230,7 +230,8 @@ static inline void spec_mitigate(struct task_struct *task, - } - - static inline void seccomp_assign_mode(struct task_struct *task, -- unsigned long seccomp_mode) -+ unsigned long seccomp_mode, -+ unsigned long flags) - { - assert_spin_locked(&task->sighand->siglock); - -@@ -240,8 +241,9 @@ static inline void seccomp_assign_mode(struct task_struct *task, - * filter) is set. - */ - smp_mb__before_atomic(); -- /* Assume seccomp processes want speculation flaw mitigation. */ -- spec_mitigate(task, PR_SPEC_STORE_BYPASS); -+ /* Assume default seccomp processes want spec flaw mitigation. */ -+ if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0) -+ spec_mitigate(task, PR_SPEC_STORE_BYPASS); - set_tsk_thread_flag(task, TIF_SECCOMP); - } - -@@ -309,7 +311,7 @@ static inline pid_t seccomp_can_sync_threads(void) - * without dropping the locks. - * - */ --static inline void seccomp_sync_threads(void) -+static inline void seccomp_sync_threads(unsigned long flags) - { - struct task_struct *thread, *caller; - -@@ -350,7 +352,8 @@ static inline void seccomp_sync_threads(void) - * allow one thread to transition the other. - */ - if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) -- seccomp_assign_mode(thread, SECCOMP_MODE_FILTER); -+ seccomp_assign_mode(thread, SECCOMP_MODE_FILTER, -+ flags); - } - } - -@@ -469,7 +472,7 @@ static long seccomp_attach_filter(unsigned int flags, - - /* Now that the new filter is in place, synchronize to all threads. */ - if (flags & SECCOMP_FILTER_FLAG_TSYNC) -- seccomp_sync_threads(); -+ seccomp_sync_threads(flags); - - return 0; - } -@@ -729,7 +732,7 @@ static long seccomp_set_mode_strict(void) - #ifdef TIF_NOTSC - disable_TSC(); - #endif -- seccomp_assign_mode(current, seccomp_mode); -+ seccomp_assign_mode(current, seccomp_mode, 0); - ret = 0; - - out: -@@ -787,7 +790,7 @@ static long seccomp_set_mode_filter(unsigned int flags, - /* Do not free the successfully attached filter. */ - prepared = NULL; - -- seccomp_assign_mode(current, seccomp_mode); -+ seccomp_assign_mode(current, seccomp_mode, flags); - out: - spin_unlock_irq(¤t->sighand->siglock); - if (flags & SECCOMP_FILTER_FLAG_TSYNC) -diff --git a/tools/testing/selftests/seccomp/seccomp_bpf.c b/tools/testing/selftests/seccomp/seccomp_bpf.c -index 03f1fa4..3362f11 100644 ---- a/tools/testing/selftests/seccomp/seccomp_bpf.c -+++ b/tools/testing/selftests/seccomp/seccomp_bpf.c -@@ -1684,7 +1684,11 @@ TEST_F_SIGNAL(TRACE_syscall, kill_after_ptrace, SIGSYS) - #endif - - #ifndef SECCOMP_FILTER_FLAG_TSYNC --#define SECCOMP_FILTER_FLAG_TSYNC 1 -+#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) -+#endif -+ -+#ifndef SECCOMP_FILTER_FLAG_SPEC_ALLOW -+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) - #endif - - #ifndef seccomp -@@ -1783,6 +1787,78 @@ TEST(seccomp_syscall_mode_lock) - } - } - -+/* -+ * Test detection of known and unknown filter flags. Userspace needs to be able -+ * to check if a filter flag is supported by the current kernel and a good way -+ * of doing that is by attempting to enter filter mode, with the flag bit in -+ * question set, and a NULL pointer for the _args_ parameter. EFAULT indicates -+ * that the flag is valid and EINVAL indicates that the flag is invalid. -+ */ -+TEST(detect_seccomp_filter_flags) -+{ -+ unsigned int flags[] = { SECCOMP_FILTER_FLAG_TSYNC, -+ SECCOMP_FILTER_FLAG_SPEC_ALLOW }; -+ unsigned int flag, all_flags; -+ int i; -+ long ret; -+ -+ /* Test detection of known-good filter flags */ -+ for (i = 0, all_flags = 0; i < ARRAY_SIZE(flags); i++) { -+ int bits = 0; -+ -+ flag = flags[i]; -+ /* Make sure the flag is a single bit! */ -+ while (flag) { -+ if (flag & 0x1) -+ bits ++; -+ flag >>= 1; -+ } -+ ASSERT_EQ(1, bits); -+ flag = flags[i]; -+ -+ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); -+ ASSERT_NE(ENOSYS, errno) { -+ TH_LOG("Kernel does not support seccomp syscall!"); -+ } -+ EXPECT_EQ(-1, ret); -+ EXPECT_EQ(EFAULT, errno) { -+ TH_LOG("Failed to detect that a known-good filter flag (0x%X) is supported!", -+ flag); -+ } -+ -+ all_flags |= flag; -+ } -+ -+ /* Test detection of all known-good filter flags */ -+ ret = seccomp(SECCOMP_SET_MODE_FILTER, all_flags, NULL); -+ EXPECT_EQ(-1, ret); -+ EXPECT_EQ(EFAULT, errno) { -+ TH_LOG("Failed to detect that all known-good filter flags (0x%X) are supported!", -+ all_flags); -+ } -+ -+ /* Test detection of an unknown filter flag */ -+ flag = -1; -+ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); -+ EXPECT_EQ(-1, ret); -+ EXPECT_EQ(EINVAL, errno) { -+ TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported!", -+ flag); -+ } -+ -+ /* -+ * Test detection of an unknown filter flag that may simply need to be -+ * added to this test -+ */ -+ flag = flags[ARRAY_SIZE(flags) - 1] << 1; -+ ret = seccomp(SECCOMP_SET_MODE_FILTER, flag, NULL); -+ EXPECT_EQ(-1, ret); -+ EXPECT_EQ(EINVAL, errno) { -+ TH_LOG("Failed to detect that an unknown filter flag (0x%X) is unsupported! Does a new flag need to be added to this test?", -+ flag); -+ } -+} -+ - TEST(TSYNC_first) - { - struct sock_filter filter[] = { --- -2.7.4 - |