On Mon, Sep 16, 2019 at 07:09:06AM -0700, Christian Barcenas wrote:
> 
> bpf() is currently the only exception to the above, i.e. as far as I can tell
> it is the only code that enforces RLIMIT_MEMLOCK but does not honor
> CAP_IPC_LOCK.

Yes. bpf is not honoring CAP_IPC_LOCK, compared to other places in the kernel,
but we cannot change this anymore. User space is already using rlimit as an
enforcement.
The bpf_rlimit.h hack we use in selftests is not a universal way of loading
bpf progs.
If we make such a change, the root user will become unlimited and rlimit
enforcement will break.
