Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs

From: Alan Cox
Date: Sat Jan 06 2018 - 15:02:39 EST


> I propose to create a new capability, CAP_PAYLOAD, that allows the
> system administrator to designate an application as the main workload in
> that system. Other processes (like sshd or monitoring daemons) exist to
> support it, and so it makes sense to protect the rest of the system from
> their being compromised.

Much more general would be to do this with cgroups both for group-group
trust and group-kernel trust levels.

Alan