seccomp: Add filter flag to opt-out of SSB mitigation

commit 00a02d0c502a06d15e07b857f8ff921e3e402675 upstream If a seccomp user is not interested in Speculative Store Bypass mitigation by default, it can set the new SECCOMP_FILTER_FLAG_SPEC_ALLOW flag when adding filters. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Kees Cook <keescook@chromium.org> 2018-05-03 14:56:12 -0700
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2018-05-22 18:54:04 +0200
commit: 9939db75cd5b686ca43c4aa26e24d6b73ffa66e0 (patch)
tree: cf125c3fda15c426cc89962e4d85b32e00357acc /include/uapi/linux/seccomp.h
parent: d829fcceb8f532966bfb07fb67cb968374fcbbd2 (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
index 2a0bd9dd104d..9efc0e73d50b 100644
--- a/include/uapi/linux/seccomp.h
+++ b/include/uapi/linux/seccomp.h
@@ -17,8 +17,9 @@
 #define SECCOMP_GET_ACTION_AVAIL	2
 
 /* Valid flags for SECCOMP_SET_MODE_FILTER */
-#define SECCOMP_FILTER_FLAG_TSYNC	1
-#define SECCOMP_FILTER_FLAG_LOG		2
+#define SECCOMP_FILTER_FLAG_TSYNC	(1UL << 0)
+#define SECCOMP_FILTER_FLAG_LOG		(1UL << 1)
+#define SECCOMP_FILTER_FLAG_SPEC_ALLOW	(1UL << 2)
 
 /*
  * All BPF programs must return a 32-bit value.
author	Kees Cook <keescook@chromium.org>	2018-05-03 14:56:12 -0700
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-05-22 18:54:04 +0200
commit	9939db75cd5b686ca43c4aa26e24d6b73ffa66e0 (patch)
tree	cf125c3fda15c426cc89962e4d85b32e00357acc /include/uapi/linux/seccomp.h
parent	d829fcceb8f532966bfb07fb67cb968374fcbbd2 (diff)