Creates /proc/sys/vm/mlock_group.  The sysadmin places a group ID in here. 
Processes which belong to that group are able to perform mlock() operations
without restriction.

We want this as a stopgap because at present a racing remap_file_pages()
versus truncate can create unpageable memory, thus we need to make
remap_file_pages() available to only trusted users.



---

 25-akpm/Documentation/filesystems/proc.txt |    6 ++++++
 25-akpm/include/linux/sched.h              |    6 ++++++
 25-akpm/include/linux/sysctl.h             |    1 +
 25-akpm/ipc/shm.c                          |    2 +-
 25-akpm/kernel/capability.c                |    1 +
 25-akpm/kernel/sysctl.c                    |    8 ++++++++
 25-akpm/mm/mlock.c                         |    4 ++--
 25-akpm/mm/mmap.c                          |    2 +-
 8 files changed, 26 insertions(+), 4 deletions(-)

diff -puN include/linux/sched.h~mlock_group-sysctl include/linux/sched.h
--- 25/include/linux/sched.h~mlock_group-sysctl	2004-05-18 18:31:44.022164336 -0700
+++ 25-akpm/include/linux/sched.h	2004-05-18 18:31:44.036162208 -0700
@@ -860,6 +860,12 @@ static inline int capable(int cap)
 }
 #endif
 
+extern int sysctl_mlock_group;
+static inline int can_do_mlock(void)
+{	/* If someone bothered to call can_do_mlock() it's likely to be true */
+	return likely(capable(CAP_IPC_LOCK) || in_group_p(sysctl_mlock_group));
+}
+
 /*
  * Routines for handling mm_structs
  */
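Review bot: The only comment on can_do_mlock() explains the likely() hint rather than the policy, although after this patch the helper gates every mlock(), mlockall(), MAP_LOCKED and shmctl lock request this diff touches. I would move the comment above the function and state the rule, for example `/* Nonzero if current holds CAP_IPC_LOCK or belongs to the gid in /proc/sys/vm/mlock_group; group membership alone is sufficient. */`. Because capable() is evaluated first, group members without the capability still take a failed capability check before in_group_p() is consulted; if that check is audited on this tree, expect denial records for callers that are then allowed. The description motivates the change with remap_file_pages(), but no hunk here touches that path, so the restriction presumably arrives in a separate patch and the description should say so.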
diff -puN include/linux/sysctl.h~mlock_group-sysctl include/linux/sysctl.h
--- 25/include/linux/sysctl.h~mlock_group-sysctl	2004-05-18 18:31:44.023164184 -0700
+++ 25-akpm/include/linux/sysctl.h	2004-05-18 18:31:44.037162056 -0700
@@ -164,6 +164,7 @@ enum
 	VM_LAPTOP_MODE=23,	/* vm laptop mode */
 	VM_BLOCK_DUMP=24,	/* block dump mode */
 	VM_HUGETLB_GROUP=25,	/* permitted hugetlb group */
+	VM_MLOCK_GROUP=26,	/* permitted mlock group */
 };
 
 
diff -puN ipc/shm.c~mlock_group-sysctl ipc/shm.c
--- 25/ipc/shm.c~mlock_group-sysctl	2004-05-18 18:31:44.025163880 -0700
+++ 25-akpm/ipc/shm.c	2004-05-18 18:31:44.037162056 -0700
@@ -507,7 +507,7 @@ asmlinkage long sys_shmctl (int shmid, i
 /* Allow superuser to lock segment in memory */
 /* Should the pages be faulted in here or leave it to user? */
 /* need to determine interaction with current->swappable */
-		if (!capable(CAP_IPC_LOCK)) {
+		if (!can_do_mlock()) {
 			err = -EPERM;
 			goto out;
 		}
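Review bot: The context comment `/* Allow superuser to lock segment in memory */` above the changed test is no longer accurate, because can_do_mlock() also admits members of the mlock_group gid. Suggest `/* Allow CAP_IPC_LOCK holders and mlock_group members to lock segment in memory */` so that someone auditing who may pin SysV segments is not misled. sys_shmctl() starts and ends outside this hunk, so whether the same test also covers the unlock case is not visible here.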
diff -puN kernel/capability.c~mlock_group-sysctl kernel/capability.c
--- 25/kernel/capability.c~mlock_group-sysctl	2004-05-18 18:31:44.026163728 -0700
+++ 25-akpm/kernel/capability.c	2004-05-18 18:31:44.038161904 -0700
@@ -14,6 +14,7 @@
 
 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
 kernel_cap_t cap_bset = CAP_INIT_EFF_SET;
+int sysctl_mlock_group;
 
 EXPORT_SYMBOL(securebits);
 EXPORT_SYMBOL(cap_bset);
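Review bot: `int sysctl_mlock_group;` is zero-initialised, so until an administrator writes the sysctl the permitted group is gid 0, and in_group_p(0) admits any task in the root group, including one that has dropped CAP_IPC_LOCK. If that default is intended, say so in a comment here and in proc.txt; if not, initialise it to a value that matches no real group, for example `int sysctl_mlock_group = -1;`, assuming the gid_t conversion in in_group_p() makes that unmatchable in practice. Separately, can_do_mlock() is a static inline in sched.h that references this variable, yet unlike securebits and cap_bset just below there is no `EXPORT_SYMBOL(sysctl_mlock_group);`, so a modular caller would likely fail to link.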
diff -puN kernel/sysctl.c~mlock_group-sysctl kernel/sysctl.c
--- 25/kernel/sysctl.c~mlock_group-sysctl	2004-05-18 18:31:44.028163424 -0700
+++ 25-akpm/kernel/sysctl.c	2004-05-18 18:31:44.039161752 -0700
@@ -795,6 +795,14 @@ static ctl_table vm_table[] = {
 		.strategy	= &sysctl_intvec,
 		.extra1		= &zero,
 	},
+	{
+		.ctl_name	= VM_MLOCK_GROUP,
+		.procname	= "mlock_group",
+		.data		= &sysctl_mlock_group,
+		.maxlen		= sizeof(sysctl_mlock_group),
+		.mode		= 0644,
+		.proc_handler	= &proc_dointvec,
+	},
 	{ .ctl_name = 0 }
 };
 
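Review bot: The new entry stores a group id in an int through plain `proc_dointvec` with no bounds, whereas the entry directly above supplies `.strategy = &sysctl_intvec` and `.extra1 = &zero`. A negative write is therefore accepted and is presumably converted to an unsigned gid when can_do_mlock() hands it to in_group_p(), which leaves the meaning of such a value undefined for the administrator. Either reject negatives with `.proc_handler = &proc_dointvec_minmax` and `.extra1 = &zero`, or keep them and document a negative value as "no group permitted". Since this file grants the equivalent of CAP_IPC_LOCK to a whole group, changes to it are also worth including in whatever configuration monitoring covers /proc/sys.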
diff -puN mm/mlock.c~mlock_group-sysctl mm/mlock.c
--- 25/mm/mlock.c~mlock_group-sysctl	2004-05-18 18:31:44.029163272 -0700
+++ 25-akpm/mm/mlock.c	2004-05-18 18:31:44.040161600 -0700
@@ -60,7 +60,7 @@ static int do_mlock(unsigned long start,
 	struct vm_area_struct * vma, * next;
 	int error;
 
-	if (on && !capable(CAP_IPC_LOCK))
+	if (on && !can_do_mlock())
 		return -EPERM;
 	len = PAGE_ALIGN(len);
 	end = start + len;
@@ -142,7 +142,7 @@ static int do_mlockall(int flags)
 	unsigned int def_flags;
 	struct vm_area_struct * vma;
 
-	if (!capable(CAP_IPC_LOCK))
+	if (!can_do_mlock())
 		return -EPERM;
 
 	def_flags = 0;
diff -puN mm/mmap.c~mlock_group-sysctl mm/mmap.c
--- 25/mm/mmap.c~mlock_group-sysctl	2004-05-18 18:31:44.030163120 -0700
+++ 25-akpm/mm/mmap.c	2004-05-18 18:31:44.041161448 -0700
@@ -766,7 +766,7 @@ unsigned long do_mmap_pgoff(struct file 
 			mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
 
 	if (flags & MAP_LOCKED) {
-		if (!capable(CAP_IPC_LOCK))
+		if (!can_do_mlock())
 			return -EPERM;
 		vm_flags |= VM_LOCKED;
 	}
diff -puN Documentation/filesystems/proc.txt~mlock_group-sysctl Documentation/filesystems/proc.txt
--- 25/Documentation/filesystems/proc.txt~mlock_group-sysctl	2004-05-18 18:31:44.032162816 -0700
+++ 25-akpm/Documentation/filesystems/proc.txt	2004-05-18 18:31:44.043161144 -0700
@@ -1216,6 +1216,12 @@ nr_hugepages configures number of hugetl
 hugetlb_shm_group contains group id that is allowed to create SysV shared
 memory segment using hugetlb page.
 
+mlock_group
+-----------
+
+Specifies a group ID.  Users who belong to this supplementary group are able
+to use mlock() without restrictions.
+
 2.5 /proc/sys/dev - Device specific parameters
 ----------------------------------------------
 

_