Add --allow-speculation option to disable IBPB/STIBP mitigation

contrib/completions/bash/runc

@@ -457,6 +457,7 @@ _runc_run() {
  --no-subreaper
  --no-pivot
  --no-new-keyring
+ --allow-speculation
  "
 
  local options_with_args="
@@ -563,6 +564,7 @@ _runc_create() {
  --help
  --no-pivot
  --no-new-keyring
+ --allow-speculation
  "
 
  local options_with_args="

create.go

@@ -50,6 +50,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
  Name: "preserve-fds",
  Usage: "Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total)",
  },
+ cli.BoolFlag{
+ Name: "allow-speculation",
+ Usage: "disable spectre mitigations",
+ },
  },
  Action: func(context *cli.Context) error {
  if err := checkArgs(context, 1, exactArgs); err != nil {

libcontainer/configs/config.go

@@ -85,6 +85,9 @@ type Config struct {
  // This is a common option when the container is running in ramdisk
  NoPivotRoot bool `json:"no_pivot_root"`
 
+ // AllowSpeculation will disable IBPB/STIBP mitigation.
+ AllowSpeculation bool `json:"allow_speculation"`
+
  // ParentDeathSignal specifies the signal that is sent to the container's process in the case
  // that the parent process dies.
  ParentDeathSignal int `json:"parent_death_signal"`

libcontainer/init_linux.go

@@ -55,6 +55,7 @@ type initConfig struct {
  ProcessLabel string `json:"process_label"`
  AppArmorProfile string `json:"apparmor_profile"`
  NoNewPrivileges bool `json:"no_new_privileges"`
+ AllowSpeculation bool `json:"allow_speculation"`
  User string `json:"user"`
  AdditionalGroups []string `json:"additional_groups"`
  Config *configs.Config `json:"config"`

libcontainer/specconv/spec_linux.go

@@ -197,6 +197,7 @@ type CreateOpts struct {
  UseSystemdCgroup bool
  NoPivotRoot bool
  NoNewKeyring bool
+ AllowSpeculation bool
  Spec *specs.Spec
  RootlessEUID bool
  RootlessCgroups bool
@@ -227,14 +228,15 @@ func CreateLibcontainerConfig(opts *CreateOpts) (*configs.Config, error) {
  labels = append(labels, fmt.Sprintf("%s=%s", k, v))
  }
  config := &configs.Config{
- Rootfs: rootfsPath,
- NoPivotRoot: opts.NoPivotRoot,
- Readonlyfs: spec.Root.Readonly,
- Hostname: spec.Hostname,
- Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
- NoNewKeyring: opts.NoNewKeyring,
- RootlessEUID: opts.RootlessEUID,
- RootlessCgroups: opts.RootlessCgroups,
+ Rootfs: rootfsPath,
+ NoPivotRoot: opts.NoPivotRoot,
+ AllowSpeculation: opts.AllowSpeculation,
+ Readonlyfs: spec.Root.Readonly,
+ Hostname: spec.Hostname,
+ Labels: append(labels, fmt.Sprintf("bundle=%s", cwd)),
+ NoNewKeyring: opts.NoNewKeyring,
+ RootlessEUID: opts.RootlessEUID,
+ RootlessCgroups: opts.RootlessCgroups,
  }
 
  exists := false

libcontainer/standard_init_linux.go

@@ -207,6 +207,11 @@ func (l *linuxStandardInit) Init() error {
  return newSystemErrorWithCause(err, "init seccomp")
  }
  }
+ if l.config.Config.AllowSpeculation {
+ if err := unix.Prctl(unix.PR_SET_SPECULATION_CTRL, unix.PR_SPEC_INDIRECT_BRANCH, unix.PR_SPEC_ENABLE, 0, 0); err != nil {
+ return errors.Wrap(err, "disable IBPB/STIBP mitigation")
+ }
+ }
  if err := unix.Exec(name, l.config.Args[0:], os.Environ()); err != nil {
  return newSystemErrorWithCause(err, "exec user process")
  }

man/runc-create.8.md

@@ -27,3 +27,4 @@ command(s) that get executed on start, edit the args parameter of the spec. See
  --no-pivot do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk
  --no-new-keyring do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key
  --preserve-fds value Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total) (default: 0)
+ --allow-speculation disable spectre mitigations

man/runc-run.8.md

@@ -29,3 +29,4 @@ command(s) that get executed on start, edit the args parameter of the spec. See
  --no-pivot do not use pivot root to jail process inside rootfs. This should be used whenever the rootfs is on top of a ramdisk
  --no-new-keyring do not create a new session keyring for the container. This will cause the container to inherit the calling processes session key
  --preserve-fds value Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total) (default: 0)
+ --allow-speculation disable spectre mitigations

run.go

@@ -61,6 +61,10 @@ command(s) that get executed on start, edit the args parameter of the spec. See
  Name: "preserve-fds",
  Usage: "Pass N additional file descriptors to the container (stdio + $LISTEN_FDS + N in total)",
  },
+ cli.BoolFlag{
+ Name: "allow-speculation",
+ Usage: "disable spectre mitigations",
+ },
  },
  Action: func(context *cli.Context) error {
  if err := checkArgs(context, 1, exactArgs); err != nil {

utils_linux.go

@@ -236,6 +236,7 @@ func createContainer(context *cli.Context, id string, spec *specs.Spec) (libcont
  UseSystemdCgroup: context.GlobalBool("systemd-cgroup"),
  NoPivotRoot: context.Bool("no-pivot"),
  NoNewKeyring: context.Bool("no-new-keyring"),
+ AllowSpeculation: context.Bool("allow-speculation"),
  Spec: spec,
  RootlessEUID: os.Geteuid() != 0,
  RootlessCgroups: rootlessCg,