Hello Hagen,

On Thu, Jul 08, 2021 at 10:13:23PM +0200, Hagen Paul Pfeifer wrote:
> * Linus Torvalds | 2021-07-08 11:38:51 [-0700]:
>
> Hello Mike, Linus
>
> >> This feature is off by default and should be explicitly enabled by a system
> >> administrator.
> >>
> >> When it is enabled, a user cannot exceed RLIMIT_MEMLOCK.
>
> Just an idea/proposal:
>
> this feature could be granted based on capabilities (new or existing one,
> hopefully not CAP_SYS_ADMIN). Capabilities would provide a very convenient,
> simple and fine granular way to use this, at least from a user perspective. Or
> do I forget something Mike?

Our preference is to have secretmem available to everybody. As James nicely
put it [1]:

  I don't think dividing the world into people who can and can't use
  secret memory would be useful since the design is to be usable for
  anyone who might have a secret to keep; it would become like the kvm
  group permissions: something which is theoretically an access control
  but which in practise is given to everyone on the system.

[1] https://lore.kernel.org/lkml/73738cda43236b5ac2714e228af362b67a712f5d.camel@xxxxxxxxxxxxx/

--
Sincerely yours,
Mike.