seccomp: Move speculation migitation control to arch code
authorThomas Gleixner <tglx@linutronix.de>
Fri, 4 May 2018 13:12:06 +0000 (15:12 +0200)
committerStefan Bader <stefan.bader@canonical.com>
Mon, 14 May 2018 10:39:10 +0000 (12:39 +0200)
The mitigation control is simpler to implement in architecture code as it
avoids the extra function call to check the mode. Aside from that, having an
explicit seccomp enabled mode in the architecture mitigations would require
even more workarounds.

Move it into architecture code and provide a weak function in the seccomp
code. Remove the 'which' argument as this allows the architecture to decide
which mitigations are relevant for seccomp.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
CVE-2018-3639 (x86)

Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
arch/x86/kernel/cpu/bugs.c
include/linux/nospec.h
kernel/seccomp.c

index 5903a6a6759e539d8282e335f47234861f3e641b..94b5460cded3ea0f679542862e9ee4ca1aefdcbb 100644 (file)
@@ -528,6 +528,24 @@ static int ssb_prctl_set(struct task_struct *task, unsigned long ctrl)
        return 0;
 }
 
+int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
+                            unsigned long ctrl)
+{
+       switch (which) {
+       case PR_SPEC_STORE_BYPASS:
+               return ssb_prctl_set(task, ctrl);
+       default:
+               return -ENODEV;
+       }
+}
+
+#ifdef CONFIG_SECCOMP
+void arch_seccomp_spec_mitigate(struct task_struct *task)
+{
+       ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE);
+}
+#endif
+
 static int ssb_prctl_get(struct task_struct *task)
 {
        switch (ssb_mode) {
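Review bot: arch_seccomp_spec_mitigate() drops the return value of `ssb_prctl_set(task, PR_SPEC_FORCE_DISABLE)` without saying why. The spec_mitigate() helper removed from kernel/seccomp.c only called the setter when the get side reported PR_SPEC_PRCTL, so the new code presumably relies on ssb_prctl_set() rejecting the request itself when store bypass is not prctl-controlled. Its body starts above this hunk, so that should be confirmed, including that it leaves the task's state untouched on that path. I would add a comment above the function such as `/* Force-disable SSB for seccomp tasks; an error only means the mode is not prctl-controlled, so it is ignored on purpose. */`. The comment should also state that PR_SPEC_FORCE_DISABLE cannot be undone by the task afterwards, since that is the property seccomp depends on.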
@@ -546,17 +564,6 @@ static int ssb_prctl_get(struct task_struct *task)
        }
 }
 
-int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
-                            unsigned long ctrl)
-{
-       switch (which) {
-       case PR_SPEC_STORE_BYPASS:
-               return ssb_prctl_set(task, ctrl);
-       default:
-               return -ENODEV;
-       }
-}
-
 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which)
 {
        switch (which) {
index 0963fad9aff4e2c13065025f256def09bf35457b..42076654dc12dbd6b599f0e26846f17ff4d4841a 100644 (file)
@@ -13,5 +13,7 @@ struct task_struct;
 int arch_prctl_spec_ctrl_get(struct task_struct *task, unsigned long which);
 int arch_prctl_spec_ctrl_set(struct task_struct *task, unsigned long which,
                             unsigned long ctrl);
+/* Speculation control for seccomp enforced mitigation */
+void arch_seccomp_spec_mitigate(struct task_struct *task);
 
 #endif /* _LINUX_NOSPEC_H */
index bb1cc737456eaf86014d2e9f395b188d75cba3bb..7dd608f6f23ccb3e42925a70bd77feac135dbb22 100644 (file)
@@ -227,18 +227,7 @@ static inline bool seccomp_may_assign_mode(unsigned long seccomp_mode)
        return true;
 }
 
-/*
- * If a given speculation mitigation is opt-in (prctl()-controlled),
- * select it, by disabling speculation (enabling mitigation).
- */
-static inline void spec_mitigate(struct task_struct *task,
-                                unsigned long which)
-{
-       int state = arch_prctl_spec_ctrl_get(task, which);
-
-       if (state > 0 && (state & PR_SPEC_PRCTL))
-               arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
-}
+void __weak arch_seccomp_spec_mitigate(struct task_struct *task) { }
 
 static inline void seccomp_assign_mode(struct task_struct *task,
                                       unsigned long seccomp_mode,
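Review bot: The `__weak` empty default for arch_seccomp_spec_mitigate() means an architecture that implements arch_prctl_spec_ctrl_get()/arch_prctl_spec_ctrl_set() but not this hook now gets no seccomp-enforced mitigation at all, where the removed generic spec_mitigate() covered any such architecture. Nothing fails at build or run time in that case, so the gap would be silent. A comment on the stub should spell out the contract, for example `/* Architectures with prctl-controlled speculation mitigations must override this; the default applies none. */`. Whether any architecture other than x86 provides the prctl hooks at this point is not visible from this page.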
@@ -254,7 +243,7 @@ static inline void seccomp_assign_mode(struct task_struct *task,
        smp_mb__before_atomic();
        /* Assume default seccomp processes want spec flaw mitigation. */
        if ((flags & SECCOMP_FILTER_FLAG_SPEC_ALLOW) == 0)
-               spec_mitigate(task, PR_SPEC_STORE_BYPASS);
+               arch_seccomp_spec_mitigate(task);
        set_tsk_thread_flag(task, TIF_SECCOMP);
 }