diff options
| author | Kees Cook <keescook@chromium.org> | 2018-05-03 14:56:12 -0700 |
|---|---|---|
| committer | Thomas Gleixner <tglx@linutronix.de> | 2018-05-05 00:51:44 +0200 |
| commit | 00a02d0c502a06d15e07b857f8ff921e3e402675 (patch) | |
| tree | d1f2bd8ff6733e43840a199d11e455790d7c21c8 /include | |
| parent | b849a812f7eb92e96d1c8239b06581b2cfd8b275 (diff) | |
| download | linux-stable-00a02d0c502a06d15e07b857f8ff921e3e402675.tar.gz linux-stable-00a02d0c502a06d15e07b857f8ff921e3e402675.tar.bz2 linux-stable-00a02d0c502a06d15e07b857f8ff921e3e402675.zip | |
seccomp: Add filter flag to opt-out of SSB mitigation
If a seccomp user is not interested in Speculative Store Bypass mitigation
by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when
adding filters.
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Diffstat (limited to 'include')
| -rw-r--r-- | include/linux/seccomp.h | 5 | ||||
| -rw-r--r-- | include/uapi/linux/seccomp.h | 5 |
2 files changed, 6 insertions, 4 deletions
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index c723a5c4e3ff..e5320f6c8654 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -4,8 +4,9 @@ #include <uapi/linux/seccomp.h> -#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ - SECCOMP_FILTER_FLAG_LOG) +#define SECCOMP_FILTER_FLAG_MASK (SECCOMP_FILTER_FLAG_TSYNC | \ + SECCOMP_FILTER_FLAG_LOG | \ + SECCOMP_FILTER_FLAG_SPEC_ALLOW) #ifdef CONFIG_SECCOMP diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index 2a0bd9dd104d..9efc0e73d50b 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -17,8 +17,9 @@ #define SECCOMP_GET_ACTION_AVAIL 2 /* Valid flags for SECCOMP_SET_MODE_FILTER */ -#define SECCOMP_FILTER_FLAG_TSYNC 1 -#define SECCOMP_FILTER_FLAG_LOG 2 +#define SECCOMP_FILTER_FLAG_TSYNC (1UL << 0) +#define SECCOMP_FILTER_FLAG_LOG (1UL << 1) +#define SECCOMP_FILTER_FLAG_SPEC_ALLOW (1UL << 2) /* * All BPF programs must return a 32-bit value. |