Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs
From: Avi Kivity
Organization: ScyllaDB
To: Alan Cox
Cc: "linux-kernel@vger.kernel.org"
Date: Sun, 7 Jan 2018 11:16:28 +0200
In-Reply-To: <20180106200232.67387c5a@alans-desktop>
References: <20180106200232.67387c5a@alans-desktop>

On 01/06/2018 10:02 PM, Alan Cox wrote:
>> I propose to create a new capability, CAP_PAYLOAD, that allows the
>> system administrator to designate an application as the main workload in
>> that system. Other processes (like sshd or monitoring daemons) exist to
>> support it, and so it makes sense to protect the rest of the system from
>> their being compromised.
>
> Much more general would be to do this with cgroups both for group-group
> trust and group-kernel trust levels.
>

I think capabilities will work just as well with cgroups. The container manager will set CAP_PAYLOAD to payload containers; and if those run an init system or a container manager themselves, they'll drop CAP_PAYLOAD for all process/sub-containers but their payloads.