> One is the SCHED_RESET_ON_FORK flag, which solves the "busy fork bomb"
> problem. AFAICS this removes the major problem with trusting RLIMIT_RTTIME.

Yes, it addresses the fork bomb problem. However, a thread-based attack (that is, a "busy clone bomb" for want of a better description) is not prevented by the SCHED_RESET_ON_FORK functionality (if I understand things correctly).
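
For reference, the two mechanisms named in the exchange above can be combined as follows. This is an added example, not code from the thread: the function names and the limit values are assumptions, and it checks only the fork() case by reading back the policy a forked child actually received.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef SCHED_RESET_ON_FORK
#define SCHED_RESET_ON_FORK 0x40000000 /* value from the Linux UAPI headers */
#endif

/* Cap RT CPU time (RLIMIT_RTTIME, microseconds without blocking: SIGXCPU at
 * the soft limit, SIGKILL at the hard limit), then enter SCHED_FIFO with
 * reset-on-fork. Returns 0, or -errno (e.g. -EPERM without CAP_SYS_NICE). */
int enter_guarded_rt(int prio, rlim_t soft_us, rlim_t hard_us)
{
    struct rlimit rl = { .rlim_cur = soft_us, .rlim_max = hard_us };
    if (setrlimit(RLIMIT_RTTIME, &rl) != 0)
        return -errno;
    struct sched_param sp = { .sched_priority = prio };
    if (sched_setscheduler(0, SCHED_FIFO | SCHED_RESET_ON_FORK, &sp) != 0)
        return -errno;
    return 0;
}

/* Fork once and return the scheduling policy the child sees, or -1 on error. */
int policy_of_forked_child(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) /* child: report its own policy (0..6) via the exit status */
        _exit(sched_getscheduler(0) & 0x7f);
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) == 0x7f ? -1 : WEXITSTATUS(status);
}

int main(void)
{
    int rc = enter_guarded_rt(1, 200000, 400000); /* constructed sample limits */
    if (rc != 0) {
        fprintf(stderr, "cannot enter SCHED_FIFO: errno %d\n", -rc);
        return 1;
    }
    printf("child policy=%d (SCHED_OTHER=%d)\n", policy_of_forked_child(), SCHED_OTHER);
    return 0;
}
```

Entering SCHED_FIFO needs CAP_SYS_NICE or a nonzero RLIMIT_RTPRIO; without either, `enter_guarded_rt` returns `-EPERM` after the RLIMIT_RTTIME cap has already been applied.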