keys: make the keyring quotas controllable through /proc/sys (0b77f5bf) · Commits · 戴 / test

Documentation/keys.txt

+23 −1

Original line number	Diff line number	Diff line
		@@ -170,7 +170,8 @@ The key service provides a number of features besides keys:
		amount of description and payload space that can be consumed.

		The user can view information on this and other statistics through procfs
		files.
		files. The root user may also alter the quota limits through sysctl files
		(see the section "New procfs files").

		Process-specific and thread-specific keyrings are not counted towards a
		user's quota.
		@@ -329,6 +330,27 @@ about the status of the key service:
		<bytes>/<max> Key size quota


		Four new sysctl files have been added also for the purpose of controlling the
		quota limits on keys:

		(*) /proc/sys/kernel/keys/root_maxkeys
		/proc/sys/kernel/keys/root_maxbytes

		These files hold the maximum number of keys that root may have and the
		maximum total number of bytes of data that root may have stored in those
		keys.

		(*) /proc/sys/kernel/keys/maxkeys
		/proc/sys/kernel/keys/maxbytes

		These files hold the maximum number of keys that each non-root user may
		have and the maximum total number of bytes of data that each of those
		users may have stored in their keys.

		Root may alter these by writing each new limit as a decimal number string to
		the appropriate file.


		===============================
		USERSPACE SYSTEM CALL INTERFACE
		===============================

+5 −0

Original line number	Diff line number	Diff line
		@@ -19,6 +19,7 @@
		#include <linux/list.h>
		#include <linux/rbtree.h>
		#include <linux/rcupdate.h>
		#include <linux/sysctl.h>
		#include <asm/atomic.h>

		#ifdef __KERNEL__
		@@ -265,6 +266,10 @@ extern struct key *key_lookup(key_serial_t id);

		#define key_serial(key) ((key) ? (key)->serial : 0)

		#ifdef CONFIG_SYSCTL
		extern ctl_table key_sysctls[];
		#endif

		/*
		* the userspace interface
		*/

+9 −0

Original line number	Diff line number	Diff line
		@@ -38,6 +38,7 @@
		#include <linux/writeback.h>
		#include <linux/hugetlb.h>
		#include <linux/initrd.h>
		#include <linux/key.h>
		#include <linux/times.h>
		#include <linux/limits.h>
		#include <linux/dcache.h>
		@@ -809,6 +810,14 @@ static struct ctl_table kern_table[] = {
		.proc_handler = &proc_dostring,
		.strategy = &sysctl_string,
		},
		#ifdef CONFIG_KEYS
		{
		.ctl_name = CTL_UNNUMBERED,
		.procname = "keys",
		.mode = 0555,
		.child = key_sysctls,
		},
		#endif
		/*
		* NOTE: do not add new entries to this table unless you have read
		* Documentation/sysctl/ctl_unnumbered.txt

+1 −0

Original line number	Diff line number	Diff line
		@@ -14,3 +14,4 @@ obj-y := \

		obj-$(CONFIG_KEYS_COMPAT) += compat.o
		obj-$(CONFIG_PROC_FS) += proc.o
		obj-$(CONFIG_SYSCTL) += sysctl.o

+10 −4

Original line number	Diff line number	Diff line
		@@ -57,10 +57,6 @@ struct key_user {
		int qnbytes; /* number of bytes allocated to this user */
		};

		#define KEYQUOTA_MAX_KEYS 100
		#define KEYQUOTA_MAX_BYTES 10000
		#define KEYQUOTA_LINK_BYTES 4 /* a link in a keyring is worth 4 bytes */

		extern struct rb_root key_user_tree;
		extern spinlock_t key_user_lock;
		extern struct key_user root_key_user;
		@@ -68,6 +64,16 @@ extern struct key_user root_key_user;
		extern struct key_user *key_user_lookup(uid_t uid);
		extern void key_user_put(struct key_user *user);

		/*
		* key quota limits
		* - root has its own separate limits to everyone else
		*/
		extern unsigned key_quota_root_maxkeys;
		extern unsigned key_quota_root_maxbytes;
		extern unsigned key_quota_maxkeys;
		extern unsigned key_quota_maxbytes;

		#define KEYQUOTA_LINK_BYTES 4 /* a link in a keyring is worth 4 bytes */


		extern struct rb_root key_serial_tree;