MDEV-9095 - [PATCH] systemd capability for --memlock

Adjust systemd files to enable CAP_IPC_LOCK to allow rootless mlockall
(triggered by memlock option).

This is amended version of a patch originally submitted by Daniel Black.

sql/mysqld.cc

@@ -5404,25 +5404,33 @@ static int init_server_components()
     (void) mi_log(1);
 
 #if defined(HAVE_MLOCKALL) && defined(MCL_CURRENT) && !defined(EMBEDDED_LIBRARY)
-  if (locked_in_memory && !getuid())
+  if (locked_in_memory)
   {
+    int error;
+    if (user_info)
+    {
+      DBUG_ASSERT(!getuid());
       if (setreuid((uid_t) -1, 0) == -1)
-    {                        // this should never happen
+      {
         sql_perror("setreuid");
         unireg_abort(1);
       }
-    if (mlockall(MCL_CURRENT))
+      error= mlockall(MCL_CURRENT);
+      set_user(mysqld_user, user_info);
+    }
+    else
+      error= mlockall(MCL_CURRENT);
+
+    if (error)
     {
       if (global_system_variables.log_warnings)
 	sql_print_warning("Failed to lock memory. Errno: %d\n",errno);
       locked_in_memory= 0;
     }
-    if (user_info)
-      set_user(mysqld_user, user_info);
   }
-  else
-#endif
+#else
   locked_in_memory= 0;
+#endif
 
   ft_init_stopwords();
 

support-files/mariadb.service.in

@@ -42,6 +42,9 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
 
+# To allow memlock to be used as non-root user if set in configuration
+CapabilityBoundingSet=CAP_IPC_LOCK
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true
 

support-files/mariadb@.service.in

@@ -49,6 +49,9 @@ PrivateNetwork=false
 User=mysql
 Group=mysql
 
+# To allow memlock to be used as non-root user if set in configuration
+CapabilityBoundingSet=CAP_IPC_LOCK
+
 # Execute pre and post scripts as root, otherwise it does it as User=
 PermissionsStartOnly=true