> I propose to create a new capability, CAP_PAYLOAD, that allows the
> system administrator to designate an application as the main workload in
> that system. Other processes (like sshd or monitoring daemons) exist to
> support it, and so it makes sense to protect the rest of the system from
> their being compromised.

Much more general would be to do this with cgroups both for group-group trust and group-kernel trust levels.

Alan

