seccomp: Use PR_SPEC_FORCE_DISABLE

KAGA-KOKO · KAGA-KOKO · commit b849a812f7eb · 2018-05-05T00:51:43.000+02:00
Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to
widen restrictions.

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
@@ -239,7 +239,7 @@ static inline void spec_mitigate(struct task_struct *task,
 	int state = arch_prctl_spec_ctrl_get(task, which);
 
 	if (state > 0 && (state & PR_SPEC_PRCTL))
-		arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
+		arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
 }
 
 static inline void seccomp_assign_mode(struct task_struct *task,

Original file line number	Diff line number	Diff line change
`@@ -239,7 +239,7 @@ static inline void spec_mitigate(struct task_struct *task,`
`239`	`239`	`int state = arch_prctl_spec_ctrl_get(task, which);`
`240`	`240`
`241`	`241`	`if (state > 0 && (state & PR_SPEC_PRCTL))`
`242`		`- arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);`
	`242`	`+ arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);`
`243`	`243`	`}`
`244`	`244`
`245`	`245`	`static inline void seccomp_assign_mode(struct task_struct *task,`