Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754253AbeAGR0n (ORCPT + 1 other); Sun, 7 Jan 2018 12:26:43 -0500 Received: from wtarreau.pck.nerim.net ([62.212.114.60]:38702 "EHLO 1wt.eu" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754146AbeAGR0l (ORCPT ); Sun, 7 Jan 2018 12:26:41 -0500 Date: Sun, 7 Jan 2018 18:26:37 +0100 From: Willy Tarreau To: Alan Cox Cc: Avi Kivity , "linux-kernel@vger.kernel.org" Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs Message-ID: <20180107172637.GA9772@1wt.eu> References: <20180106202433.GB9075@1wt.eu> <20180107143628.3cd15813@alans-desktop> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180107143628.3cd15813@alans-desktop> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Return-Path: On Sun, Jan 07, 2018 at 02:36:28PM +0000, Alan Cox wrote: > What I struggle to see is why I'd want to nominate specific processes for > this except in very special cases (like your packet generator). Even then > it would make me nervous as the packet generator if that trusted is > effectively CAP_SYS_RAWIO or close to it and can steal any ssh keys or > similar on that guest. Sure but we can also say that a process with CAP_SYS_RAWIO can manipulate the hardware using iopl() and reprogram memory controllers, PCI bridges and various stuff to have direct access wherever it wants. That's why I thought that grouping the risks reduces the attack surface in the end. > I still prefer cgroups because once you include the branch predictions it > suddenly becomes very interesting to be able to say 'this pile of stuff > trusts itself' and avoid user/user protection costs while keeping > user/kernel. To be honnest, I don't know what it would imply in terms of management (for the admin). Also, I'm really focused on the extra work to add to syscalls, which should remain very minimalistic. Checking a flag on the current task sounds reasonable. I don't know how far we might have to go with cgroups. I remember a very long time ago you once todl me "we have fast syscalls", I'd like this statement to remain true for those who continue to rely on this property ;-) Willy