Hello.
How about a sysctl that does "for the love of kbaek, don't ever kill these processes when OOM. If nothing else can be killed, I'd rather you panic"?
Examples for this list would be /usr/bin/vlock and /usr/X11R6/bin/xlock. I just got a very uncomfortable surprise when found my box unlocked thanks to this.
After playing around a bit, I made the patch below, but it's almost completely untested. I'm not even sure I take the binaries name from the right place. And I don't know if the locking can race. If it's too ugly then it'd be great if someone implemented it the right way. (iow: huge fucking disclaimer)
echo "/usr/bin/vlock /usr/X11R6/bin/xlock" > /proc/sys/vm/oom_pardon