Re: proposal to refine capability checks when _rlimit_overlimit() is true

[孟敬姿]

I understand change the code here may affect the world outside the
kernel. And there might be useability issues when applications in 
userspace are not updated. But the good news is that the 
modification's impact on userspace is relatively contained. 
Here's a breakdown: 

1. Usage statistics for the latest version of Ubuntu show that 
   applications have limited use of capability. 
        (1) Under the default configuration, only 28 processes in 
            Ubuntu 22.04 LTS were found to have capability, with 15 
            running as root and unaffected by the proposed change. 
        (2) Among the 59k packages on Ubuntu 21.10, only 29 programs 
            were configured with capability.[1]

2. For programs that use capability, it is not complicated for developers
   or sysadmin to reconfigure it. Programs using capability can be 
   categorized into two types: 
        (1) those started by root have full capability by default, which 
            can be changed with the prctl system call.
        (2) and those with capabilities configured directly on the 
            executable file can be modified by secap command directly.

So the key to using capability is to choose the least privilege that 
will accomplish the function. This can't be done without the kernel's 
clear delineation of privileges.

This change will make it clear that if you only need to cross system 
limits, then sys_resource is the capability you need. This may cause 
some processes that are using sys_admin to bypass limits to fail, but 
from a least privilege point of view, it may be good to reduce the 
unnecessary use of sys_admin.

Best regards,
Jingzi

[1] Hasan, Md Mehedi, Seyedhamed Ghavamnia, and Michalis Polychronakis. 
    "Decap: Deprivileging programs by reducing their capabilities." 
    Proceedings of the 25th International Symposium on Research in Attacks,
    Intrusions and Defenses. 2022.