On Wed, Dec 19, 2018 at 02:09:50PM -0500, Waiman Long wrote: > With the default SPEC_STORE_BYPASS_SECCOMP/SPEC_STORE_BYPASS_PRCTL mode, > the TIF_SSBD bit will be inherited when a new task is fork'ed or cloned. > > As only certain class of applications (like Java) requires disabling > speculative store bypass for security purpose, it may not make sense to > allow the TIF_SSBD bit to be inherited across execve() boundary where the > new application may not need SSBD at all and is probably not aware that > SSBD may have been turned on. This may cause an unnecessary performance > loss of up to 20% in some cases. > > The arch_setup_new_exec() function is updated to clear the TIF_SSBD > bit unless it has been force-disabled.
This makes it impossible to write a wrapper that turns this mode on for unmodified programs. Do you have a real use case where this behavior is a problem? -Andi
