From: Matt Mackall
Date: Mon May 10 2004 - 18:24:45 EST
On Mon, May 10, 2004 at 03:15:54PM -0700, Andrew Morton wrote:
> Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> > > Capabilities are broken and don't work. Nobody has a clue how to provide
> > > the required services with SELinux and nobody has any code and we need the
> > > feature *now* before vendors go shipping even more ghastly stuff.
> > The thing is special privilegues for a group don't fit into any of the
> > various privilegues schemes we have (capabilities, selinux, etc..),
> > it's really a horrible hack.
> It beats the alternatives which are floating about, which includes a sysctl
> which defeats CAP_SYS_MLOCK system-wide.
> > What happened to the patch rick promised
> > to make mlock an rlimit? This is the right approach and could be easily
> > extended to hugetlb pages.
> rlimits don't work for this. shm segments persist after process exit and
> aren't associated with a particular user.
The answer here is probably to make quotas work for shmfs, tmpfs,
hugetlbfs, etc. This shouldn't be too bad except for quotactl(2)
insists on having a block special device to manipulate quotas. Adding
an fquotactl(file descriptor, ...) should deal with that.
The mlock rlimits probably still make sense even once this is in place.
Matt Mackall : http://www.selenic.com : Linux development and consulting
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/