diff options
author | Eric Biggers <ebiggers@google.com> | 2019-02-14 16:20:01 +0000 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-05-02 21:41:56 +0100 |
commit | 980e41e1b9db1a32b382efdd08c4b7c70b5dbd24 (patch) | |
tree | 50004c88eddacde7dafdac7a601a8b97537af34c /security | |
parent | 7b6680ca5482fe242e03afe4fde213055a9b7f90 (diff) |
KEYS: allow reaching the keys quotas exactly
commit a08bf91ce28ed3ae7b6fef35d843fef8dc8c2cd9 upstream.
If the sysctl 'kernel.keys.maxkeys' is set to some number n, then
actually users can only add up to 'n - 1' keys. Likewise for
'kernel.keys.maxbytes' and the root_* versions of these sysctls. But
these sysctls are apparently supposed to be *maximums*, as per their
names and all documentation I could find -- the keyrings(7) man page,
Documentation/security/keys/core.rst, and all the mentions of EDQUOT
meaning that the key quota was *exceeded* (as opposed to reached).
Thus, fix the code to allow reaching the quotas exactly.
Fixes: 0b77f5bfb45c ("keys: make the keyring quotas controllable through /proc/sys")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: James Morris <james.morris@microsoft.com>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Diffstat (limited to 'security')
-rw-r--r-- | security/keys/key.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/security/keys/key.c b/security/keys/key.c index c55a01471ea2..e766e3511111 100644 --- a/security/keys/key.c +++ b/security/keys/key.c @@ -260,8 +260,8 @@ struct key *key_alloc(struct key_type *type, const char *desc, spin_lock(&user->lock); if (!(flags & KEY_ALLOC_QUOTA_OVERRUN)) { - if (user->qnkeys + 1 >= maxkeys || - user->qnbytes + quotalen >= maxbytes || + if (user->qnkeys + 1 > maxkeys || + user->qnbytes + quotalen > maxbytes || user->qnbytes + quotalen < user->qnbytes) goto no_quota; } |