diff -NurpP --minimal linux-2.6.9-rc4-vs1.9.3-rc2/Makefile linux-2.6.9-rc4-vs1.9.3-rc3/Makefile
--- linux-2.6.9-rc4-vs1.9.3-rc2/Makefile 2004-10-14 02:40:06.000000000 +0200
+++ linux-2.6.9-rc4-vs1.9.3-rc3/Makefile 2004-10-16 03:21:22.000000000 +0200
@@ -1,7 +1,7 @@
 VERSION = 2
 PATCHLEVEL = 6
 SUBLEVEL = 9
-EXTRAVERSION = -rc4-vs1.9.3-rc2
+EXTRAVERSION = -rc4-vs1.9.3-rc3
 NAME=Zonked Quokka
 # *DOCUMENTATION*
diff -NurpP --minimal linux-2.6.9-rc4-vs1.9.3-rc2/fs/namespace.c linux-2.6.9-rc4-vs1.9.3-rc3/fs/namespace.c
--- linux-2.6.9-rc4-vs1.9.3-rc2/fs/namespace.c 2004-10-11 18:43:53.000000000 +0200
+++ linux-2.6.9-rc4-vs1.9.3-rc3/fs/namespace.c 2004-10-16 03:02:09.000000000 +0200
@@ -702,7 +702,7 @@ static int do_remount(struct nameidata *
 int err;
 struct super_block * sb = nd->mnt->mnt_sb;
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_REMOUNT))
 return -EPERM;
 if (!check_mnt(nd->mnt))
@@ -711,6 +711,8 @@ static int do_remount(struct nameidata *
 if (nd->dentry != nd->mnt->mnt_root)
 return -EINVAL;
+ if (vx_ccaps(VXC_SECURE_REMOUNT))
+ mnt_flags |= MNT_NODEV;
 down_write(&sb->s_umount);
 err = do_remount_sb(sb, flags, data, 0);
 if (!err)
@@ -726,7 +728,7 @@ static int do_move_mount(struct nameidat
 struct nameidata old_nd, parent_nd;
 struct vfsmount *p;
 int err = 0;
- if (!capable(CAP_SYS_ADMIN))
+ if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT))
 return -EPERM;
 if (!old_name || !*old_name)
 return -EINVAL;
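Review bot: The remount path opened by `vx_ccaps(VXC_SECURE_REMOUNT)` in the `@@ -702` hunk is constrained only by the `mnt_flags |= MNT_NODEV` added in the `@@ -711` hunk, so nothing visible here stops a context without CAP_SYS_ADMIN from passing `mnt_flags` that omit MNT_NOSUID or MNT_NOEXEC, or `flags` that drop read-only, on a mount the host set up restrictively. If the code after `if (!err)` (outside the hunk) stores `mnt_flags` on the mount, the existing restrictions should be carried over on this path, for example `mnt_flags |= MNT_NODEV | (nd->mnt->mnt_flags & (MNT_NOSUID | MNT_NOEXEC));`. The forced flag is also keyed on holding the ccap rather than on lacking CAP_SYS_ADMIN; a one-line comment stating which of the two is intended would help the next reader.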
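Review bot: The test `!capable(CAP_SYS_ADMIN) && !vx_ccaps(...)` is now written out three times (in do_move_mount here, in do_remount above and in copy_namespace in the `@@ -1107` hunk), and each copy quietly widens what a context capability grants: VXC_SECURE_MOUNT now also covers moving mounts and CLONE_NEWNS. Folding the test into one small static inline helper that takes the ccap bit would keep the three sites from drifting, and a comment on it such as `/* context capability substitutes for CAP_SYS_ADMIN; callers must restrict mount flags themselves */` would record the contract. Unlike the remount path, no compensating restriction is visible on the move or namespace-copy paths; the rest of both functions lies outside the hunks, so confirm that this is intended.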
@@ -1107,7 +1109,7 @@ int copy_namespace(int flags, struct tas
 if (!(flags & CLONE_NEWNS))
 return 0;
- if (!capable(CAP_SYS_ADMIN)) {
+ if (!capable(CAP_SYS_ADMIN) && !vx_ccaps(VXC_SECURE_MOUNT)) {
 put_namespace(namespace);
 return -EPERM;
 }
diff -NurpP --minimal linux-2.6.9-rc4-vs1.9.3-rc2/include/linux/vserver/context.h linux-2.6.9-rc4-vs1.9.3-rc3/include/linux/vserver/context.h
--- linux-2.6.9-rc4-vs1.9.3-rc2/include/linux/vserver/context.h 2004-10-11 18:43:53.000000000 +0200
+++ linux-2.6.9-rc4-vs1.9.3-rc3/include/linux/vserver/context.h 2004-10-16 03:01:15.000000000 +0200
@@ -168,6 +168,8 @@ extern int vc_set_cflags(uint32_t, void
 #define VXF_FORK_RSS (1ULL<<48)
 #define VXF_PROLIFIC (1ULL<<49)
+#define VXF_IGNEG_NICE (1ULL<<52)
+
 #define VXF_ONE_TIME (0x0003ULL<<32)
 #define VCMD_get_ccaps VC_CMD(FLAGS, 3, 0)
@@ -191,6 +193,7 @@ extern int vc_set_ccaps(uint32_t, void _
 #define VXC_RAW_ICMP 0x00000100
 #define VXC_SECURE_MOUNT 0x00010000
+#define VXC_SECURE_REMOUNT 0x00020000
 #endif /* _VX_CONTEXT_H */
diff -NurpP --minimal linux-2.6.9-rc4-vs1.9.3-rc2/kernel/sched.c linux-2.6.9-rc4-vs1.9.3-rc3/kernel/sched.c
--- linux-2.6.9-rc4-vs1.9.3-rc2/kernel/sched.c 2004-10-11 18:43:53.000000000 +0200
+++ linux-2.6.9-rc4-vs1.9.3-rc3/kernel/sched.c 2004-10-15 22:12:59.000000000 +0200
@@ -3194,6 +3194,8 @@ asmlinkage long sys_nice(int increment)
 * and we have a single winner.
 */
 if (increment < 0) {
+ if (vx_flags(VXF_IGNEG_NICE, 0))
+ return 0;
 if (!capable(CAP_SYS_NICE))
 return -EPERM;
 if (increment < -40)
diff -NurpP --minimal linux-2.6.9-rc4-vs1.9.3-rc2/kernel/sys.c linux-2.6.9-rc4-vs1.9.3-rc3/kernel/sys.c
--- linux-2.6.9-rc4-vs1.9.3-rc2/kernel/sys.c 2004-10-11 18:43:53.000000000 +0200
+++ linux-2.6.9-rc4-vs1.9.3-rc3/kernel/sys.c 2004-10-15 22:12:59.000000000 +0200
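Review bot: VXF_IGNEG_NICE and, in the `@@ -191` hunk, VXC_SECURE_REMOUNT are added to context.h without any comment, although both change who may do what: going by the other hunks of this patch, one makes a negative nice request report success without effect and the other permits a remount without CAP_SYS_ADMIN. Each deserves a comment at its define, for example `/* ignore negative nice requests: report success, leave priority unchanged */` and `/* allow remount without CAP_SYS_ADMIN; MNT_NODEV is forced */`. VXF_IGNEG_NICE also jumps from bit 49 to bit 52; if bits 50 and 51 are reserved for something, say so here.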
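Review bot: The new `vx_flags(VXF_IGNEG_NICE, 0)` test in sys_nice sits before the `capable(CAP_SYS_NICE)` check, so with the flag set a task that does hold CAP_SYS_NICE also has its negative increment dropped and gets 0 back. The kernel/sys.c hunk of the same patch consults the flag only after the capability check has failed, so the two entry points disagree. If the sys.c behaviour is the intended one, fold the flag into the failure branch: `if (!capable(CAP_SYS_NICE)) return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`. sys_nice continues outside the hunk.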
@@ -296,7 +296,10 @@ static int set_one_prio(struct task_stru
 goto out;
 }
 if (niceval < task_nice(p) && !capable(CAP_SYS_NICE)) {
- error = -EACCES;
+ if (vx_flags(VXF_IGNEG_NICE, 0))
+ error = 0;
+ else
+ error = -EACCES;
 goto out;
 }
 no_nice = security_task_setnice(p, niceval);
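Review bot: `error = 0` in the new `vx_flags()` arm discards whatever value `error` held on entry to this branch. The signature and the success path of set_one_prio are outside the hunk, but if `error` is a running result handed in by the caller across several tasks, an earlier failure for another task is overwritten with success here. Leaving `error` untouched unless it still holds the caller's initial value would avoid that, e.g. `if (error == -ESRCH) error = 0;`, assuming -ESRCH is the seed value (confirm against the caller). A comment noting that the caller is told success while the priority stays unchanged would also help whoever later debugs a guest.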