Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs
From: Avi Kivity
Date: Sun Jan 07 2018 - 04:16:40 EST
On 01/06/2018 10:02 PM, Alan Cox wrote:
I propose to create a new capability, CAP_PAYLOAD, that allows the
system administrator to designate an application as the main workload in
that system. Other processes (like sshd or monitoring daemons) exist to
support it, and so it makes sense to protect the rest of the system from
their being compromised.
Much more general would be to do this with cgroups both for group-group
trust and group-kernel trust levels.
I think capabilities will work just as well with cgroups. The container
manager will set CAP_PAYLOAD to payload containers; and if those run an
init system or a container manager themselves, they'll drop CAP_PAYLOAD
for all process/sub-containers but their payloads.