On Wed, Nov 21, 2018 at 09:14:54PM +0100, Thomas Gleixner wrote:
> From: Jiri Kosina <jkos...@suse.cz>
>
> If 'prctl' mode of app2app protection from spectre v2 is selected on the
> kernel command-line, STIBP and IBPB are applied on tasks which restrict
> their indirect branch speculation via prctl.
>
> SECCOMP enables the SSBD mitigation for sandboxed tasks already, so it
> makes sense to prevent spectre v2 application to application attacks as
> well.
Will need to add this chunk.
Thanks.
Tim
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index c4d010d..d070e84 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -275,6 +275,7 @@ enum spectre_v2_app2app_cmd {
{ "off", SPECTRE_V2_APP2APP_CMD_NONE, false },
{ "on", SPECTRE_V2_APP2APP_CMD_FORCE, true },
{ "prctl", SPECTRE_V2_APP2APP_CMD_PRCTL, false },
+ { "seccomp", SPECTRE_V2_APP2APP_CMD_SECCOMP, false },
};
static void __init spec_v2_app_print_cond(const char *reason, bool secure)
