Date: Sun, 7 Jan 2018 13:06:43 -0500
From: Theodore Ts'o
To: Avi Kivity
Cc: Alan Cox, "linux-kernel@vger.kernel.org"
Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation costs
Message-ID: <20180107180643.GG2404@thunk.org>
References: <20180106200232.67387c5a@alans-desktop> <20180107122918.GE2404@thunk.org>

On Sun, Jan 07, 2018 at 02:51:59PM +0200, Avi Kivity wrote:
>
> I don't see the connection. The browser wouldn't run with CAP_PAYLOAD set.
>
> In a desktop system, only init retains CAP_PAYLOAD.
>
> On a server that runs one application (and some supporting processes), only
> init and that one application have CAP_PAYLOAD (if the sysadmin makes it
> so).

In the classical (as defined by the withdrawn Posix draft spec)
capabilities model, if you have a setuid root process it gets all the
capabilities, and capabilities are used to limit what privileges a root
process has. Hence, using strict capabilities, any setuid root process
would have CAP_PAYLOAD.
Linux has extensions which allow you to bound which capabilities can be
obtained by a process, so you _could_ make it work, but it just seems
like a bad fit, since it's not strictly speaking a root-owned privilege.
It's more like a configuration setting, and so modulating it via a
cgroups attribute seems to make a lot more sense --- it's certainly
(IMHO) less confusing than trying to ab(use) the capabilities system and
its extensions in this fashion.

- Ted
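The two mechanisms Ted contrasts above, the classical "setuid root gets everything" rule and the Linux capability bounding set that can subtract from it, are both spelled out in capabilities(7) as a transformation applied at execve(2). The following is an added example (not code from the thread, from Ted, or from the kernel) that models that transformation so the two cases can be run side by side. The real capability numbers come from <linux/capability.h>; the bit used for CAP_PAYLOAD is an assumption, since the proposal never assigned one, and the ProcCaps/FileCaps names are this example's own.

```python
"""Model of the execve(2) capability transformation from capabilities(7).

Added example, not code from the LKML thread or the kernel.  It shows why
a set-UID-root binary obtains every capability under the classical model,
and how the Linux bounding set (prctl PR_CAPBSET_DROP) keeps one capability
out of reach even for such a binary.  CAP_PAYLOAD's bit number is assumed.
"""

from dataclasses import dataclass

# Real capability numbers from <linux/capability.h>.
CAP_CHOWN = 0
CAP_SETUID = 7
CAP_SETPCAP = 8
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_SYS_ADMIN = 21
CAP_LAST_REAL = 37      # CAP_AUDIT_READ, the last capability defined in early 2018
CAP_PAYLOAD = 63        # hypothetical: the proposed capability, placed above every real one

ALL_CAPS = ((1 << (CAP_LAST_REAL + 1)) - 1) | (1 << CAP_PAYLOAD)


def cap_mask(*caps):
    """Bitmask for a set of capability numbers."""
    mask = 0
    for c in caps:
        mask |= 1 << c
    return mask


@dataclass
class ProcCaps:
    permitted: int
    effective: int
    inheritable: int
    bounding: int
    ambient: int = 0

    def has(self, cap):
        return bool(self.effective & (1 << cap))


@dataclass
class FileCaps:
    permitted: int = 0
    inheritable: int = 0
    effective: bool = False
    setuid_root: bool = False


def exec_transform(proc, f, uid, euid):
    """Capability sets of the new program, per the rules in capabilities(7).

    The root rules are what make the classical model "setuid root gets
    everything": for a set-UID-root binary (or a root caller) the file
    inheritable and permitted sets are notionally all ones and the file
    effective bit is set.  The only term still subtracting from that is the
    caller's bounding set, which survives execve and can only ever shrink.
    """
    f_inh, f_perm, f_eff = f.inheritable, f.permitted, f.effective
    if uid == 0 or euid == 0 or f.setuid_root:
        f_inh = f_perm = ALL_CAPS
    if euid == 0 or f.setuid_root:
        f_eff = True
    privileged = bool(f.setuid_root or f.permitted or f.inheritable)
    ambient = 0 if privileged else proc.ambient
    permitted = (proc.inheritable & f_inh) | (f_perm & proc.bounding) | ambient
    effective = permitted if f_eff else ambient
    return ProcCaps(permitted, effective, proc.inheritable, proc.bounding, ambient)


def drop_bounding(proc, cap):
    """Model prctl(PR_CAPBSET_DROP): requires CAP_SETPCAP and is one-way."""
    if not proc.has(CAP_SETPCAP):
        raise PermissionError("PR_CAPBSET_DROP requires CAP_SETPCAP")
    proc.bounding &= ~(1 << cap)
    return proc


def parse_capbnd(status_text):
    """Decode the CapBnd line as printed in /proc/<pid>/status (hex bitmask)."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line")


if __name__ == "__main__":
    # Unprivileged login shell on a box whose bounding set was never touched:
    # the strict model hands a setuid-root binary every bit, CAP_PAYLOAD included.
    shell = ProcCaps(0, 0, 0, ALL_CAPS)
    suid = FileCaps(setuid_root=True)
    print("strict model:", exec_transform(shell, suid, 1000, 1000).has(CAP_PAYLOAD))  # True

    # init drops CAP_PAYLOAD from the bounding set before spawning the user's
    # session; the same setuid-root binary can no longer obtain it.
    init = ProcCaps(ALL_CAPS, ALL_CAPS, 0, ALL_CAPS)
    drop_bounding(init, CAP_PAYLOAD)
    session = ProcCaps(0, 0, 0, init.bounding)
    print("bounded:", exec_transform(session, suid, 1000, 1000).has(CAP_PAYLOAD))    # False

    # Constructed sample of the relevant /proc line on a stock kernel of the time.
    sample = "Name:\tbash\nCapInh:\t0000000000000000\nCapBnd:\t0000003fffffffff\n"
    print("bounding set from /proc:", hex(parse_capbnd(sample)))                      # 0x3fffffffff
```

The bounded case is the "you _could_ make it work" path: whoever sets up the session (init, or a per-cgroup helper) must hold CAP_SETPCAP to drop the bit, and nothing below that point can get it back, which is exactly why the mechanism behaves more like a one-way configuration knob than like a privilege a root process owns.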