[GIT PULL] seccomp updates for v5.16-rc1

From: Kees Cook
Date: Mon Nov 01 2021 - 12:44:54 EST


Hi Linus,

Please pull these seccomp updates for v5.16-rc1. These are x86-specific,
but I carried these since they're also seccomp-specific. This flips
the prior conservative defaults for spec_store_bypass_disable and
spectre_v2_user from "seccomp" to "prctl", as enough time has passed
to allow system owners to have updated the defensive stances of their
various workloads, and it's long overdue to unpessimize seccomp threads.
Extensive rationale and details are in Andrea's main patch[1].

Thanks!

-Kees

[1] https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git/commit/?h=for-next/seccomp&id=2f46993d83ff4abb310ef7b4beced56ba96f0d9d

The following changes since commit e4e737bb5c170df6135a127739a9e6148ee3da82:

Linux 5.15-rc2 (2021-09-19 17:28:22 -0700)

are available in the Git repository at:

https://git.kernel.org/pub/scm/linux/kernel/git/kees/linux.git tags/seccomp-v5.16-rc1

for you to fetch changes up to d9bbdbf324cda23aa44873f505be77ed4b61d79c:

x86: deduplicate the spectre_v2_user documentation (2021-10-04 12:12:57 -0700)

----------------------------------------------------------------
seccomp updates for v5.16-rc1

- set spec_store_bypass_disable & spectre_v2_user to prctl (Andrea Arcangeli)

----------------------------------------------------------------
Andrea Arcangeli (2):
x86: change default to spec_store_bypass_disable=prctl spectre_v2_user=prctl
x86: deduplicate the spectre_v2_user documentation

Documentation/admin-guide/hw-vuln/spectre.rst | 61 +++----------------------
Documentation/admin-guide/kernel-parameters.txt | 5 +-
arch/x86/kernel/cpu/bugs.c | 4 +-
3 files changed, 10 insertions(+), 60 deletions(-)

--
Kees Cook
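With the default now "prctl", a seccomp-confined thread no longer gets SSBD/STIBP applied automatically; a workload that still wants the old behaviour has to opt in itself through the speculation-control prctl described in the admin guide. The following is an added example written for this page, not code from the kernel tree or from Kees or Andrea; it queries PR_GET_SPECULATION_CTRL, decodes the result, and, where the kernel left the choice to the task, requests PR_SPEC_FORCE_DISABLE, which is what seccomp mode used to do on the task's behalf. The fallback #defines mirror the values in include/uapi/linux/prctl.h for older libc headers.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Fallbacks for libc headers that predate these controls
   (values taken from include/uapi/linux/prctl.h). */
#ifndef PR_GET_SPECULATION_CTRL
#define PR_GET_SPECULATION_CTRL 52
#define PR_SET_SPECULATION_CTRL 53
#endif
#ifndef PR_SPEC_STORE_BYPASS
#define PR_SPEC_STORE_BYPASS 0
#define PR_SPEC_INDIRECT_BRANCH 1
#define PR_SPEC_NOT_AFFECTED 0
#define PR_SPEC_PRCTL (1UL << 0)
#define PR_SPEC_ENABLE (1UL << 1)
#define PR_SPEC_DISABLE (1UL << 2)
#define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif

/* Decode a PR_GET_SPECULATION_CTRL result into the states the admin guide lists. */
const char *spec_describe(long st) {
    if (st < 0) return "query failed";
    if (st == PR_SPEC_NOT_AFFECTED) return "not affected";
    if (!(st & PR_SPEC_PRCTL)) return "globally forced (no per-task control)";
    if (st & PR_SPEC_FORCE_DISABLE) return "mitigated (force-disabled)";
    if (st & PR_SPEC_DISABLE) return "mitigated";
    return "vulnerable (opt-in available)";
}

/* Opt this task into the mitigation for `which` (PR_SPEC_STORE_BYPASS or
   PR_SPEC_INDIRECT_BRANCH) when the kernel runs in prctl mode.
   Returns 1 if the mitigation is active afterwards, 0 if there is nothing to
   do (not affected, or globally forced off), or -errno on failure. */
int spec_opt_in(unsigned long which) {
    long st = prctl(PR_GET_SPECULATION_CTRL, which, 0, 0, 0);
    if (st < 0) return -errno;          /* e.g. ENODEV: no such control on this kernel/arch */
    if (st == PR_SPEC_NOT_AFFECTED) return 0;
    if (!(st & PR_SPEC_PRCTL)) return (st & PR_SPEC_DISABLE) ? 1 : 0;
    if (st & (PR_SPEC_DISABLE | PR_SPEC_FORCE_DISABLE)) return 1;  /* already opted in */
    /* FORCE_DISABLE cannot be undone later, matching what seccomp mode applied. */
    if (prctl(PR_SET_SPECULATION_CTRL, which, PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
        return -errno;
    return 1;
}

int main(void) {
    printf("SSB before: %s\n", spec_describe(prctl(PR_GET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, 0, 0, 0)));
    printf("SSB opt-in: %d\n", spec_opt_in(PR_SPEC_STORE_BYPASS));
    printf("IB  opt-in: %d\n", spec_opt_in(PR_SPEC_INDIRECT_BRANCH));
    return 0;
}
```

The query result depends on the running kernel's spec_store_bypass_disable and spectre_v2_user settings; on a kernel booted with the old "seccomp" default the opt-in is a no-op for tasks that already carry a seccomp filter.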