| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 7 Jan 2018 13:06:43 -0500
From: Theodore Ts'o <tytso@....edu>
To: Avi Kivity <avi@...lladb.com>
Cc: Alan Cox <gnomes@...rguk.ukuu.org.uk>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: Proposal: CAP_PAYLOAD to reduce Meltdown and Spectre mitigation
costs
On Sun, Jan 07, 2018 at 02:51:59PM +0200, Avi Kivity wrote:
>
> I don't see the connection. The browser wouldn't run with CAP_PAYLOAD set.
>
> In a desktop system, only init retains CAP_PAYLOAD.
>
> On a server that runs one application (and some supporting processes), only
> init and that one application have CAP_PAYLOAD (if the sysadmin makes it
> so).
In the classical (as defined by the withdrawn Posix draft spec)
capaibilities model, if you have a setuid root process it gets all the
capabilities, and capabilities are used to limit what privileges a
root process. Hence using strict capabilities, any setuid root
process would have CAP_PAYLOAD.
Linux has extensions which allow you to have capability bound which
capabilities that can be obtained by a process, so you _could_ make it
work, but it just seems like an bad fit, since it's not strictly
speaking a root-owned privilege. It's more like a configuration
setting, and so modulating it via cgroups attribute seems to make a
lot more sense --- it's certainly (IMHO) less confusing than trying to
ab(use) the capabilities system and its extensions in this fashion.
- Ted
Powered by blists - more mailing lists