Diffstat (limited to 'security/keys/key.c')
-rw-r--r-- | security/keys/key.c | 23 |
1 files changed, 18 insertions, 5 deletions
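--- a/security/keys/key.c
+++ b/security/keys/key.c
@@ -27,6 +27,11 @@ DEFINE_SPINLOCK(key_serial_lock);
 struct rb_root key_user_tree; /* tree of quota records indexed by UID */
 DEFINE_SPINLOCK(key_user_lock);
 
+unsigned int key_quota_root_maxkeys = 200; /* root's key count quota */
+unsigned int key_quota_root_maxbytes = 20000; /* root's key space quota */
+unsigned int key_quota_maxkeys = 200; /* general key count quota */
+unsigned int key_quota_maxbytes = 20000; /* general key space quota */
+
 static LIST_HEAD(key_types_list);
 static DECLARE_RWSEM(key_types_sem);
 
@@ -236,11 +241,16 @@ struct key *key_alloc(struct key_type *type, const char *desc,
 /* check that the user's quota permits allocation of another key and
 * its description */
 if (!(flags & KEY_ALLOC_NOT_IN_QUOTA)) {
+unsigned maxkeys = (uid == 0) ?
+key_quota_root_maxkeys : key_quota_maxkeys;
+unsigned maxbytes = (uid == 0) ?
+key_quota_root_maxbytes : key_quota_maxbytes;
+
 spin_lock(&user->lock);
 if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) {
-if (user->qnkeys + 1 >= KEYQUOTA_MAX_KEYS ||
-user->qnbytes + quotalen >= KEYQUOTA_MAX_BYTES
-)
+if (user->qnkeys + 1 >= maxkeys ||
+user->qnbytes + quotalen >= maxbytes ||
+user->qnbytes + quotalen < user->qnbytes)
 goto no_quota;
 }
 
@@ -345,11 +355,14 @@ int key_payload_reserve(struct key *key, size_t datalen)
 
 /* contemplate the quota adjustment */
 if (delta != 0 && test_bit(KEY_FLAG_IN_QUOTA, &key->flags)) {
+unsigned maxbytes = (key->user->uid == 0) ?
+key_quota_root_maxbytes : key_quota_maxbytes;
+
 spin_lock(&key->user->lock);
 
 if (delta > 0 &&
-key->user->qnbytes + delta > KEYQUOTA_MAX_BYTES
-) {
+(key->user->qnbytes + delta >= maxbytes ||
+key->user->qnbytes + delta < key->user->qnbytes)) {
 ret = -EDQUOT;
 }
 else {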
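Review bot: The wrap guard in key_payload_reserve, `key->user->qnbytes + delta < key->user->qnbytes`, only works if the addition is performed in an unsigned type. The declarations of `qnbytes` and `delta` are outside this hunk; if both are signed, the test relies on signed overflow, which the compiler may assume never happens and so may drop the check. The same pattern appears in the key_alloc hunk (`user->qnbytes + quotalen < user->qnbytes`), where the type of `quotalen` is likewise not visible. Because the limits now come from non-const globals rather than compile-time constants, the bound can be large enough for this to matter, so I would compare against the remaining headroom instead of summing: `if (delta > 0 && (key->user->qnbytes >= maxbytes || delta >= maxbytes - key->user->qnbytes)) {`. The four new `key_quota_*` globals would also benefit from a comment saying who is expected to write them and that they are sampled before `user->lock` is taken.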