Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

From: Theodore Ts'o
Date: Sun Jan 07 2018 - 13:06:56 EST


On Sun, Jan 07, 2018 at 02:51:59PM +0200, Avi Kivity wrote:
>
> I don't see the connection. The browser wouldn't run with CAP_PAYLOAD set.
>
> In a desktop system, only init retains CAP_PAYLOAD.
>
> On a server that runs one application (and some supporting processes), only
> init and that one application have CAP_PAYLOAD (if the sysadmin makes it
> so).

In the classical (as defined by the withdrawn Posix draft spec)
capabilities model, if you have a setuid root process it gets all the
capabilities, and capabilities are used to limit what privileges a
root process has. Hence using strict capabilities, any setuid root
process would have CAP_PAYLOAD.

Linux has extensions which allow you to have a capability bound on which
capabilities can be obtained by a process, so you _could_ make it
work, but it just seems like a bad fit, since it's not strictly
speaking a root-owned privilege. It's more like a configuration
setting, and so modulating it via a cgroups attribute seems to make a
lot more sense --- it's certainly (IMHO) less confusing than trying to
ab(use) the capabilities system and its extensions in this fashion.

- Ted
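The "capability bound" Ted mentions is the per-thread capability bounding set, which the kernel exposes as the CapBnd line of /proc/<pid>/status alongside the inheritable, permitted, effective and ambient masks. The following is an added example, not code from this thread or from Ted; it parses those lines and decodes the hex masks into capability names so an administrator can audit what a process can still (re)acquire across execve. The SAMPLE_STATUS text is constructed, the bit numbers come from <linux/capability.h>, and CAP_PAYLOAD is deliberately absent from the table because it was only ever a proposal.

```python
"""Decode the capability masks Linux reports in /proc/<pid>/status.

Added example for illustration; not code from the LKML thread above.
CapBnd is the bounding set: a capability cleared there cannot be gained
by this process or its descendants through a setuid-root or
file-capability execve, which is the mechanism Ted refers to.
"""
import os

# Bit numbers from <linux/capability.h>: index == capability number.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_LINES = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample: a service that kept only CAP_NET_BIND_SERVICE and
# also narrowed its bounding set to that single capability.
SAMPLE_STATUS = """\
Name:\tpayloadd
Uid:\t1000\t1000\t1000\t1000
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
"""


def parse_status_caps(text):
    """Return {"CapInh": int_mask, ...} for the Cap* lines of a status file."""
    masks = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in CAP_LINES:
            masks[key] = int(value.strip(), 16)
    return masks


def decode_mask(mask):
    """Turn a capability bitmask into the list of set capability names."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            # Bits beyond our table belong to a newer kernel; keep them visible.
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def decode_status(text):
    """Map each Cap* line present in the status text to capability names."""
    return {key: decode_mask(mask) for key, mask in parse_status_caps(text).items()}


def held_outside_bounding_set(text):
    """Capabilities currently held that are no longer in CapBnd.

    Dropping a capability from the bounding set does not strip it from the
    permitted or effective sets, so a non-empty result means the process
    obtained the capability before its bounding set was narrowed and would
    lose it for good at the next execve.  Useful as an audit signal.
    """
    masks = parse_status_caps(text)
    held = 0
    for key in ("CapInh", "CapPrm", "CapEff", "CapAmb"):
        held |= masks.get(key, 0)
    return decode_mask(held & ~masks.get("CapBnd", 0))


def read_live_status(pid="self"):
    """Read /proc/<pid>/status on Linux; returns None elsewhere."""
    path = f"/proc/{pid}/status"
    if not os.path.exists(path):
        return None
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    text = read_live_status() or SAMPLE_STATUS
    for key, names in decode_status(text).items():
        print(f"{key}: {', '.join(names) or '(none)'}")
    print("held but outside CapBnd:", held_outside_bounding_set(text) or "(none)")
```

Run it on a live process with `python3 caps.py` and compare CapBnd against CapEff: a hardened service should show the same short list in both, and nothing in the "held but outside CapBnd" line.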