From: Martin Hicks
Add a capability check to sys_set_zone_reclaim(). This syscall is not something that should be available to a user.
Signed-off-by: Martin Hicks
Signed-off-by: Andrew Morton
---
 include/linux/capability.h | 1 +
 mm/vmscan.c | 3 +++
 2 files changed, 4 insertions(+)
diff -puN include/linux/capability.h~vm-add-capabilites-check-to-set_zone_reclaim include/linux/capability.h
--- devel/include/linux/capability.h~vm-add-capabilites-check-to-set_zone_reclaim 2005-07-27 22:33:15.000000000 -0700
+++ devel-akpm/include/linux/capability.h 2005-07-27 22:33:15.000000000 -0700
@@ -233,6 +233,7 @@ typedef __u32 kernel_cap_t;
 /* Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands */
 /* Allow setting encryption key on loopback filesystem */
+/* Allow setting zone reclaim policy */
 #define CAP_SYS_ADMIN 21
diff -puN mm/vmscan.c~vm-add-capabilites-check-to-set_zone_reclaim mm/vmscan.c
--- devel/mm/vmscan.c~vm-add-capabilites-check-to-set_zone_reclaim 2005-07-27 22:33:15.000000000 -0700
+++ devel-akpm/mm/vmscan.c 2005-07-27 22:33:15.000000000 -0700
@@ -1375,6 +1375,9 @@ asmlinkage long sys_set_zone_reclaim(uns
 struct zone *z;
 int i;
+ if (!capable(CAP_SYS_ADMIN))
+ return -EACCES;
+
 if (node >= MAX_NUMNODES || !node_online(node))
 return -EINVAL;
_
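Review bot: The new guard in the mm/vmscan.c hunk returns `-EACCES` when `capable(CAP_SYS_ADMIN)` fails, but the usual kernel convention for a missing capability is `-EPERM` (EACCES normally signals a file-permission denial), so userspace that keys on errno may misread the failure; I would write `return -EPERM;`. Placing the check ahead of the `node >= MAX_NUMNODES || !node_online(node)` validation is the right order, since an unprivileged caller then learns nothing about which nodes are online. CAP_SYS_ADMIN is a very broad capability to require for a reclaim-policy switch; if a narrower one such as CAP_SYS_RESOURCE fits the intent it would keep the privilege tighter, though the visible lines do not settle that. The body of sys_set_zone_reclaim() starts and ends outside the hunk, so whatever the function does after the argument check is not reviewed here.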