Linux: don't count pag keys against root's keyring quotas
authorMarc Dionne <marc.c.dionne@gmail.com>
Wed, 27 Jan 2010 00:48:24 +0000 (19:48 -0500)
committerRuss Allbery <rra@debian.org>
Tue, 4 May 2010 21:32:38 +0000 (14:32 -0700)
Keys associated with PAGs are created with root ownership for
security reasons, which means that they count against root's
keyring quotas.  The default configuration used by most distros
restricts root to the same quotas as a regular user, so a single
user can potentially fill up the quota and prevent new pags from
getting created system-wide.

This can also be an issue for busy multi-user systems where the
default maximum number of keys (200 currently) can easily be reached.

Reviewed-on: http://gerrit.openafs.org/1167
Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit a3812f211a56c0d6e0a7ff8a97f157707d3d8c28)

Change-Id: I5c12e55d98d5f887c60a7ae1cf1aa64f37282ce3
Reviewed-on: http://gerrit.openafs.org/1580
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>
(cherry picked from commit a27015099a1dc1e41001e4a4946848f958c6a09b)

src/afs/LINUX/osi_compat.h
src/afs/LINUX/osi_groups.c

index bcbb42ac5e1c2e34548e84a075778922a85e1ed6..e4d0c28de64ef7ac351f1c25bb36c0e8ae3e4315 100644 (file)
@@ -136,4 +136,12 @@ init_once_func(void * foo) {
 #define KALLOC_TYPE GFP_KERNEL
 #endif
 
+#ifdef LINUX_KEYRING_SUPPORT
+# ifndef KEY_ALLOC_NOT_IN_QUOTA
+#  define KEY_ALLOC_NOT_IN_QUOTA 1
+# endif
+# ifndef KEY_ALLOC_IN_QUOTA
+#  define KEY_ALLOC_IN_QUOTA 0
+# endif
+#endif
 #endif
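Review bot: The fallback values in the `#ifndef KEY_ALLOC_NOT_IN_QUOTA` block are only correct if `<linux/key.h>` has already been included when this header is processed, and the hunk does not show that include. Kernels that ship the flag do not give it the value 1, so if the kernel header were pulled in later, the fallback would either clash with the real definition or pass the wrong flag to `key_alloc()`. I would add a comment above the block such as `/* Fallback for kernels where key_alloc() takes a plain not_in_quota int; <linux/key.h> must be included before this point. */` and confirm the include order in this file. `KEY_ALLOC_IN_QUOTA` is also defined here but not used in the visible hunks.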
index d5ef0351dc04ff70507f6ff0409ec3bed02dd9b7..c018dd1b46c6a01d5db79277e15ffd9fc89cdfcb 100644 (file)
@@ -348,11 +348,14 @@ setpag(cred_t **cr, afs_uint32 pagvalue, afs_uint32 *newpag,
            perm |= KEY_USR_VIEW | KEY_USR_SEARCH;
 
 #if defined(KEY_ALLOC_NEEDS_STRUCT_TASK)
-           key = key_alloc(&key_type_afs_pag, "_pag", 0, 0, current, perm, 1);
+           key = key_alloc(&key_type_afs_pag, "_pag", 0, 0, current,
+                           perm, KEY_ALLOC_NOT_IN_QUOTA);
 #elif defined(KEY_ALLOC_NEEDS_CRED)
-           key = key_alloc(&key_type_afs_pag, "_pag", 0, 0, current_cred(), perm, 1);
+           key = key_alloc(&key_type_afs_pag, "_pag", 0, 0, current_cred(),
+                           perm, KEY_ALLOC_NOT_IN_QUOTA);
 #else
-           key = key_alloc(&key_type_afs_pag, "_pag", 0, 0, perm, 1);
+           key = key_alloc(&key_type_afs_pag, "_pag", 0, 0, perm,
+                           KEY_ALLOC_NOT_IN_QUOTA);
 #endif
 
            if (!IS_ERR(key)) {
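Review bot: With `KEY_ALLOC_NOT_IN_QUOTA` passed in all three `key_alloc()` branches, nothing visible in this hunk bounds how many PAG keys a caller of `setpag()` can cause the kernel to allocate. The quota the commit message describes as a system-wide denial-of-service lever was also the only resource limit on these root-owned keys. Presumably each key lives only as long as the session keyring it is attached to, which would bound the count by the number of live sessions, but that reasoning should be stated where the flag is used. I would add a comment above the `#if defined(KEY_ALLOC_NEEDS_STRUCT_TASK)` line, e.g. `/* PAG keys are root-owned; exempt them from root's quota. Key lifetime is tied to the session keyring (confirm), which bounds their number. */`. The body of `setpag()` starts and ends outside this hunk, so any limit enforced elsewhere in the function is not visible here.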