Date: Sun, 7 Jan 2018 07:29:18 -0500
From: Theodore Ts'o <tytso@thunk.org>
To: Avi Kivity
Cc: Alan Cox, linux-kernel@vger.kernel.org
Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs
Message-ID: <20180107122918.GE2404@thunk.org>
References: <20180106200232.67387c5a@alans-desktop>

On Sun, Jan 07, 2018 at 11:16:28AM +0200, Avi Kivity wrote:
> I think capabilities will work just as well with cgroups. The container
> manager will set CAP_PAYLOAD to payload containers; and if those run an init
> system or a container manager themselves, they'll drop CAP_PAYLOAD for all
> process/sub-containers but their payloads.

The reason why cgroups are better is Spectre can be used to steal
information from within the same privilege level --- e.g., you could
use Javascript to steal a user's Coindesk credentials or Lastpass data,
which is going to be *way* more lucrative than trying to mine
cryptocurrency on the sly in a user's browser. :-)

As a result, you probably want Spectre mitigations to be enabled in a
root process --- which means capabilities aren't the right answer.

Regards,

- Ted