seccomp: Use PR_SPEC_FORCE_DISABLE
authorThomas Gleixner <tglx@linutronix.de>
Fri, 4 May 2018 07:40:03 +0000 (09:40 +0200)
committerThomas Gleixner <tglx@linutronix.de>
Fri, 4 May 2018 22:51:43 +0000 (00:51 +0200)
Use PR_SPEC_FORCE_DISABLE in seccomp() because seccomp does not allow to
widen restrictions.

Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
kernel/seccomp.c

index 9f34533046aa9cc80305ed62a4f9c7f6d4ac93c5..2c819d65e15f8a9b26a906b378b5900c004571a0 100644 (file)
@@ -239,7 +239,7 @@ static inline void spec_mitigate(struct task_struct *task,
        int state = arch_prctl_spec_ctrl_get(task, which);
 
        if (state > 0 && (state & PR_SPEC_PRCTL))
-               arch_prctl_spec_ctrl_set(task, which, PR_SPEC_DISABLE);
+               arch_prctl_spec_ctrl_set(task, which, PR_SPEC_FORCE_DISABLE);
 }
 
 static inline void seccomp_assign_mode(struct task_struct *task,