.TP
.B 3
The SCMP_FLTATR_CTL_LOG filter attribute and the SCMP_ACT_LOG action are supported.
+.TP
+.B 4
+The SCMP_FLTATR_SPEC_ALLOW filter attribute is supported.
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
action. Defaults to off (
.I value
== 0).
+.TP
+.B SCMP_FLTATR_SPEC_ALLOW
+A flag to disable Speculative Store Bypass mitigations for this filter.
+Defaults to off (
+.I value
+== 0).
.\" //////////////////////////////////////////////////////////////////////////
.SH RETURN VALUE
.\" //////////////////////////////////////////////////////////////////////////
SCMP_FLTATR_CTL_TSYNC = 4, /**< sync threads on filter load */
SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */
SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */
+ SCMP_FLTATR_SPEC_ALLOW = 7, /**< disable SSB mitigation */
_SCMP_FLTATR_MAX,
};
* 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
* support for the SCMP_ACT_LOG action
* support for the SCMP_ACT_KILL_PROCESS action
+ * 4 : support for the SCMP_FLTATR_SPEC_ALLOW filter attrbute
*
*/
unsigned int seccomp_api_get(void);
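Review bot: The new level-4 line of the seccomp_api_get() comment block misspells "attribute" as "attrbute"; it should read ` * 4 : support for the SCMP_FLTATR_SPEC_ALLOW filter attrbute` → ` * 4 : support for the SCMP_FLTATR_SPEC_ALLOW filter attribute`. This comment is in the public header and is the only in-tree description of what API level 4 means, so it is worth getting right before release. The comment block starts above the hunk.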
sys_chk_seccomp_action(SCMP_ACT_LOG) == 1)
level = 3;
+ if (level == 3 &&
+ sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 1)
+ level = 4;
+
/* update the stored api level and return */
seccomp_api_level = level;
return seccomp_api_level;
sys_set_seccomp_action(SCMP_ACT_LOG, true);
sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
break;
+ case 4:
+ sys_set_seccomp_syscall(true);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_TSYNC, true);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_LOG, true);
+ sys_set_seccomp_action(SCMP_ACT_LOG, true);
+ sys_set_seccomp_action(SCMP_ACT_KILL_PROCESS, true);
+ sys_set_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW, true);
+ break;
default:
return -EINVAL;
}
case SCMP_FLTATR_CTL_LOG:
*value = col->attr.log_enable;
break;
+ case SCMP_FLTATR_SPEC_ALLOW:
+ *value = col->attr.spec_allow;
+ break;
default:
rc = -EEXIST;
break;
rc = -EOPNOTSUPP;
}
break;
+ case SCMP_FLTATR_SPEC_ALLOW:
+ rc = sys_chk_seccomp_flag(SECCOMP_FILTER_FLAG_SPEC_ALLOW);
+ if (rc == 1) {
+ /* supported */
+ rc = 0;
+ col->attr.spec_allow = (value ? 1 : 0);
+ } else if (rc == 0) {
+ /* unsupported */
+ rc = -EOPNOTSUPP;
+ }
+ break;
default:
rc = -EEXIST;
break;
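Review bot: A negative return from sys_chk_seccomp_flag() (for example -EOPNOTSUPP for a flag it does not know, as the sys_chk_seccomp_flag hunk shows) falls past both branches of the new SCMP_FLTATR_SPEC_ALLOW case and is returned to the caller unchanged, which is correct but not stated anywhere; a one-line comment before `break;`, `/* rc < 0: pass the probe error through unchanged */`, would keep a future reader from adding a redundant else. The same silent pass-through exists in the SCMP_FLTATR_CTL_LOG case just above this hunk, so the comment applies there too. Since this attribute relaxes the kernel's Speculative Store Bypass mitigation for every thread that loads the filter, the `col->attr.spec_allow = (value ? 1 : 0);` line would also benefit from a why-comment saying that the value is only recorded here and is consulted by the filter-load path. The enclosing attribute-set function starts and ends outside the hunk.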
uint32_t api_tskip;
/* SECCOMP_FILTER_FLAG_LOG related attributes */
uint32_t log_enable;
+ /* SPEC_ALLOW related attributes */
+ uint32_t spec_allow;
};
struct db_filter {
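Review bot: The comment above the new `spec_allow` field does not follow the sibling comment on `log_enable`, which names the kernel flag the attribute maps to; `/* SPEC_ALLOW related attributes */` should read `/* SECCOMP_FILTER_FLAG_SPEC_ALLOW related attributes */` so a reader can grep from the struct field to the flag that sys_filter_load() passes to the kernel. The struct definition starts above the hunk.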
SCMP_FLTATR_CTL_TSYNC
SCMP_FLTATR_API_TSKIP
SCMP_FLTATR_CTL_LOG
+ SCMP_FLTATR_SPEC_ALLOW
cdef enum scmp_compare:
SCMP_CMP_NE
CTL_TSYNC = libseccomp.SCMP_FLTATR_CTL_TSYNC
API_TSKIP = libseccomp.SCMP_FLTATR_API_TSKIP
CTL_LOG = libseccomp.SCMP_FLTATR_CTL_LOG
+ SPEC_ALLOW = libseccomp.SCMP_FLTATR_SPEC_ALLOW
cdef class Arg:
""" Python object representing a SyscallFilter syscall argument.
static int _support_seccomp_flag_log = -1;
static int _support_seccomp_action_log = -1;
static int _support_seccomp_kill_process = -1;
+static int _support_seccomp_flag_spec_allow = -1;
/**
* Check to see if the seccomp() syscall is supported
_support_seccomp_flag_log = _sys_chk_seccomp_flag_kernel(flag);
return _support_seccomp_flag_log;
+ case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
+ if (_support_seccomp_flag_spec_allow < 0)
+ _support_seccomp_flag_spec_allow = _sys_chk_seccomp_flag_kernel(flag);
+
+ return _support_seccomp_flag_spec_allow;
}
return -EOPNOTSUPP;
case SECCOMP_FILTER_FLAG_LOG:
_support_seccomp_flag_log = (enable ? 1 : 0);
break;
+ case SECCOMP_FILTER_FLAG_SPEC_ALLOW:
+ _support_seccomp_flag_spec_allow = (enable ? 1 : 0);
+ break;
}
}
flgs |= SECCOMP_FILTER_FLAG_TSYNC;
if (col->attr.log_enable)
flgs |= SECCOMP_FILTER_FLAG_LOG;
+ if (col->attr.spec_allow)
+ flgs |= SECCOMP_FILTER_FLAG_SPEC_ALLOW;
rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
if (rc > 0 && col->attr.tsync_enable)
/* always return -ESRCH if we fail to sync threads */
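Review bot: The new `if (col->attr.spec_allow)` branch ORs SECCOMP_FILTER_FLAG_SPEC_ALLOW into the seccomp() flags with no local support check, and nothing at this call site explains why that is safe; a comment such as `/* spec_allow can only be set once sys_chk_seccomp_flag() reported support, or after a seccomp_api_set() override */` would document the invariant the attribute-set path establishes. The same applies to the existing log_enable branch directly above. Note that with a seccomp_api_set(4) override on a kernel lacking the flag, the syscall on the next line is presumably where the unknown flag is rejected, so a reader debugging that failure will land here first. The enclosing sys_filter_load() function starts and ends outside the hunk.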
uint32_t val = (uint32_t)(-1);
scmp_filter_ctx ctx = NULL;
- rc = seccomp_api_set(3);
+ rc = seccomp_api_set(4);
if (rc != 0)
return EOPNOTSUPP;
goto out;
}
+
+ rc = seccomp_attr_set(ctx, SCMP_FLTATR_SPEC_ALLOW, 1);
+ if (rc == -EOPNOTSUPP)
+ goto out;
+ else if (rc != 0)
+ goto out;
+ rc = seccomp_attr_get(ctx, SCMP_FLTATR_SPEC_ALLOW, &val);
+ if (rc != 0)
+ goto out;
+ if (val != 1) {
+ rc = -1;
+ goto out;
+ }
+
rc = 0;
out:
seccomp_release(ctx);
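Review bot: Both branches of the new `if (rc == -EOPNOTSUPP) goto out; else if (rc != 0) goto out;` do the same thing, so the -EOPNOTSUPP special case is dead text; either collapse it to `if (rc != 0) goto out;` or, if an unsupported kernel is meant to pass this test rather than fail it, make the first branch distinct (for example reset rc before the goto). As written, the earlier `seccomp_api_set(4)` forces the flag to be reported as supported, so seccomp_attr_set() should never return -EOPNOTSUPP on this path anyway, which is worth a one-line comment. The enclosing test function starts and ends outside the hunk.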
from seccomp import *
def test():
- set_api(3)
+ set_api(4)
f = SyscallFilter(ALLOW)
if f.get_attr(Attr.ACT_DEFAULT) != ALLOW:
f.set_attr(Attr.CTL_LOG, 1)
if f.get_attr(Attr.CTL_LOG) != 1:
raise RuntimeError("Failed getting Attr.CTL_LOG")
+ f.set_attr(Attr.SPEC_ALLOW, 1)
+ if f.get_attr(Attr.SPEC_ALLOW) != 1:
+ raise RuntimeError("Failed getting Attr.SPEC_ALLOW")
test()