Commit a08bf91c authored Feb 14, 2019 by Eric Biggers Committed by James Morris Feb 15, 2019

KEYS: allow reaching the keys quotas exactly



If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
actually users can only add up to 'n - 1' keys.  Likewise for
'kernel.keys.maxbytes' and the root_* versions of these sysctls.  But
these sysctls are apparently supposed to be *maximums*, as per their
names and all documentation I could find -- the keyrings(7) man page,
Documentation/security/keys/core.rst, and all the mentions of EDQUOT
meaning that the key quota was *exceeded* (as opposed to reached).

Thus, fix the code to allow reaching the quotas exactly.

Fixes: 0b77f5bf ("keys: make the keyring quotas controllable through /proc/sys")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>

parent 5ded5871

security/keys/key.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -265,8 +265,8 @@ struct key key_alloc(struct key_type type, const char *desc,

		spin_lock(&user->lock);
		if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
		if (user->qnkeys + 1 >= maxkeys \|\|
		user->qnbytes + quotalen >= maxbytes \|\|
		if (user->qnkeys + 1 > maxkeys \|\|
		user->qnbytes + quotalen > maxbytes \|\|
		user->qnbytes + quotalen < user->qnbytes)
		goto no_quota;
		}

Admin message