Max CPU time per process is already supported and has been for a long time.
See man setrlimit, and note RLIMIT_CPU. This support is in the kernel,
software support is also needed, and is forthcoming as a config file with
the Shadow Password Suite.
Max % cpu time would be a very useful thing to have, and in theory not
too hard to do. sched.c would have to be modified however and performance
might drop a little with the extra checks involved.
Other ideas for 2.1:
o Allow user setting of permissions of files within /proc. (I was working
on this ages ago).
o Better process accounting.
o System call auditing (for really security paranoid sites).
Chris.