diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/fs/hugetlbfs/inode.c x/fs/hugetlbfs/inode.c
--- x-ref/fs/hugetlbfs/inode.c 2004-04-04 06:47:29.123459728 +0200
+++ x/fs/hugetlbfs/inode.c 2004-04-04 06:50:04.808791960 +0200
@@ -707,7 +707,7 @@ struct file *hugetlb_zero_setup(size_t s
 struct qstr quick_string;
 char buf[16];
- if (!capable(CAP_IPC_LOCK))
+ if (!can_do_mlock())
 return ERR_PTR(-EPERM);
 if (!is_hugepage_mem_enough(size))
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/include/linux/sched.h x/include/linux/sched.h
--- x-ref/include/linux/sched.h 2004-04-04 06:47:29.508401208 +0200
+++ x/include/linux/sched.h 2004-04-04 06:50:04.810791656 +0200
@@ -690,6 +690,12 @@ static inline int capable(int cap)
 }
 #endif
+extern int sysctl_disable_cap_mlock;
+static inline int can_do_mlock(void)
+{
+ return likely(sysctl_disable_cap_mlock || capable(CAP_IPC_LOCK));
+}
+
 /*
 * Routines for handling mm_structs
 */
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/include/linux/sysctl.h x/include/linux/sysctl.h
--- x-ref/include/linux/sysctl.h 2004-04-04 06:47:29.520399384 +0200
+++ x/include/linux/sysctl.h 2004-04-04 06:50:15.895106584 +0200
@@ -159,6 +159,7 @@ enum
 VM_LOWER_ZONE_PROTECTION=20,/* Amount of protection of lower zones */
 VM_MIN_FREE_KBYTES=21, /* Minimum free kilobytes to maintain */
 VM_MAX_MAP_COUNT=22, /* int: Maximum number of mmaps/address-space */
+ VM_DISABLE_CAP_MLOCK=23,/* disable CAP_IPC_LOCK checking */
 };
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/ipc/shm.c x/ipc/shm.c
--- x-ref/ipc/shm.c 2004-04-04 06:47:29.565392544 +0200
+++ x/ipc/shm.c 2004-04-04 06:50:04.815790896 +0200
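Review bot: In hugetlb_zero_setup() (fs/hugetlbfs/inode.c) the capability test was the only per-caller gate in view, so once `can_do_mlock()` returns true for everyone the next visible check is the global `is_hugepage_mem_enough(size)`, which bounds the pool and not the caller. The same substitution in the sys_shmctl, do_mlock, do_mlockall and do_mmap_pgoff hunks has the same effect: with the sysctl set, any local user may pin memory, and no per-user or RLIMIT_MEMLOCK bound appears in any of these hunks. If such a bound exists in the parts of these functions outside the hunks, a comment at each site should say so; otherwise the relaxed path needs one before the toggle is safe on multi-user hosts. Suggested comment above this check: `/* CAP_IPC_LOCK may be waived by vm.disable_cap_mlock; the caller is then limited only by the huge page pool */`. The function body continues outside the hunk.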
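Review bot: can_do_mlock() in include/linux/sched.h has no comment even though it turns a capability check into a system-wide switch, and the short-circuit `||` means capable() is not called at all when the sysctl is non-zero, so whatever capable() does besides returning a verdict (its body is outside this hunk) is skipped on that path. I would document that above the function, e.g. `/* Non-zero sysctl_disable_cap_mlock waives CAP_IPC_LOCK for every task; capable() is then not consulted. */`. On style, `likely()` wraps the whole disjunction, which hints that permission is normally granted; with the default of 0 that holds only for privileged callers, so a plain `return sysctl_disable_cap_mlock || capable(CAP_IPC_LOCK);` reads more honestly.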
@@ -505,7 +505,7 @@ asmlinkage long sys_shmctl (int shmid, i
 /* Allow superuser to lock segment in memory */
 /* Should the pages be faulted in here or leave it to user? */
 /* need to determine interaction with current->swappable */
- if (!capable(CAP_IPC_LOCK)) {
+ if (!can_do_mlock()) {
 err = -EPERM;
 goto out;
 }
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/kernel/capability.c x/kernel/capability.c
--- x-ref/kernel/capability.c 2003-10-31 05:56:39.000000000 +0100
+++ x/kernel/capability.c 2004-04-04 06:50:04.816790744 +0200
@@ -14,6 +14,7 @@
 unsigned securebits = SECUREBITS_DEFAULT; /* systemwide security settings */
 kernel_cap_t cap_bset = CAP_INIT_EFF_SET;
+int sysctl_disable_cap_mlock = 0;
 EXPORT_SYMBOL(securebits);
 EXPORT_SYMBOL(cap_bset);
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/kernel/sysctl.c x/kernel/sysctl.c
--- x-ref/kernel/sysctl.c 2004-04-04 06:47:29.585389504 +0200
+++ x/kernel/sysctl.c 2004-04-04 06:50:38.425681416 +0200
@@ -744,6 +744,14 @@ static ctl_table vm_table[] = {
 .mode = 0644,
 .proc_handler = &proc_dointvec
 },
+ {
+ .ctl_name = VM_DISABLE_CAP_MLOCK,
+ .procname = "disable_cap_mlock",
+ .data = &sysctl_disable_cap_mlock,
+ .maxlen = sizeof(sysctl_disable_cap_mlock),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
 { .ctl_name = 0 }
 };
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/mm/mlock.c x/mm/mlock.c
--- x-ref/mm/mlock.c 2003-10-31 05:56:45.000000000 +0100
+++ x/mm/mlock.c 2004-04-04 06:50:04.821789984 +0200
@@ -57,7 +57,7 @@ static int do_mlock(unsigned long start,
 struct vm_area_struct * vma, * next;
 int error;
- if (on && !capable(CAP_IPC_LOCK))
+ if (on && !can_do_mlock())
 return -EPERM;
 len = PAGE_ALIGN(len);
 end = start + len;
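Review bot: `sysctl_disable_cap_mlock` is defined in kernel/capability.c without an `EXPORT_SYMBOL`, while the two variables next to it are exported and can_do_mlock() is a static inline in sched.h that references it. Any modular code that calls can_do_mlock() would fail to resolve the symbol; whether such a caller exists cannot be told from this diff. Either add `EXPORT_SYMBOL(sysctl_disable_cap_mlock);` after the existing exports or state in a comment that the helper is for built-in code only. The explicit `= 0` initialiser is redundant for a file-scope int, and a one-line comment saying that the default keeps CAP_IPC_LOCK enforced would help the next reader.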
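Review bot: The new vm_table entry in kernel/sysctl.c uses `proc_dointvec`, so any integer, including a negative one, is stored and then counts as "check disabled" because can_do_mlock() only tests for non-zero. Since this knob removes a privilege check, I would restrict it to 0 and 1 with `.proc_handler = &proc_dointvec_minmax,` plus `.extra1` and `.extra2` pointing at bounds of 0 and 1. Write access is decided by the 0644 mode on the entry; if the sysctl write path (not in this hunk) checks only file permission, a uid-0 process that has dropped CAP_IPC_LOCK can still turn the check off for itself, which is worth stating in the patch description. No documentation for vm.disable_cap_mlock is added anywhere in this diff.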
@@ -139,7 +139,7 @@ static int do_mlockall(int flags)
 unsigned int def_flags;
 struct vm_area_struct * vma;
- if (!capable(CAP_IPC_LOCK))
+ if (!can_do_mlock())
 return -EPERM;
 def_flags = 0;
diff -urNp --exclude CVS --exclude BitKeeper --exclude {arch} --exclude .arch-ids x-ref/mm/mmap.c x/mm/mmap.c
--- x-ref/mm/mmap.c 2004-04-04 06:47:29.601387072 +0200
+++ x/mm/mmap.c 2004-04-04 06:50:04.822789832 +0200
@@ -536,7 +536,7 @@ unsigned long do_mmap_pgoff(struct file
 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
 if (flags & MAP_LOCKED) {
- if (!capable(CAP_IPC_LOCK))
+ if (!can_do_mlock())
 return -EPERM;
 vm_flags |= VM_LOCKED;
 }