Re: 2.6.6-mm1

From: Matt Mackall
Date: Mon May 10 2004 - 18:24:45 EST

On Mon, May 10, 2004 at 03:15:54PM -0700, Andrew Morton wrote:
> Christoph Hellwig <hch@xxxxxxxxxxxxx> wrote:
> >
> > > Capabilities are broken and don't work. Nobody has a clue how to provide
> > > the required services with SELinux and nobody has any code and we need the
> > > feature *now* before vendors go shipping even more ghastly stuff.
> >
> > The thing is special privilegues for a group don't fit into any of the
> > various privilegues schemes we have (capabilities, selinux, etc..),
> > it's really a horrible hack.
> It beats the alternatives which are floating about, which includes a sysctl
> which defeats CAP_SYS_MLOCK system-wide.
> > What happened to the patch rick promised
> > to make mlock an rlimit? This is the right approach and could be easily
> > extended to hugetlb pages.
> rlimits don't work for this. shm segments persist after process exit and
> aren't associated with a particular user.

The answer here is probably to make quotas work for shmfs, tmpfs,
hugetlbfs, etc. This shouldn't be too bad except for quotactl(2)
insists on having a block special device to manipulate quotas. Adding
an fquotactl(file descriptor, ...) should deal with that.

The mlock rlimits probably still make sense even once this is in place.

Matt Mackall : : Linux development and consulting
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at