Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs
From: Theodore Ts'o
Date: Sun Jan 07 2018 - 13:06:56 EST
On Sun, Jan 07, 2018 at 02:51:59PM +0200, Avi Kivity wrote:
>
> I don't see the connection. The browser wouldn't run with CAP_PAYLOAD set.
>
> In a desktop system, only init retains CAP_PAYLOAD.
>
> On a server that runs one application (and some supporting processes), only
> init and that one application have CAP_PAYLOAD (if the sysadmin makes it
> so).
In the classical (as defined by the withdrawn Posix draft spec)
capaibilities model, if you have a setuid root process it gets all the
capabilities, and capabilities are used to limit what privileges a
root process. Hence using strict capabilities, any setuid root
process would have CAP_PAYLOAD.
Linux has extensions which allow you to have capability bound which
capabilities that can be obtained by a process, so you _could_ make it
work, but it just seems like an bad fit, since it's not strictly
speaking a root-owned privilege. It's more like a configuration
setting, and so modulating it via cgroups attribute seems to make a
lot more sense --- it's certainly (IMHO) less confusing than trying to
ab(use) the capabilities system and its extensions in this fashion.
- Ted