linux/security
David Howells 31d5a79d7f KEYS: Do LRU discard in full keyrings
Do an LRU discard in keyrings that are full rather than returning ENFILE.  To
perform this, a time_t is added to the key struct and updated by the creation
of a link to a key and by a key being found as the result of a search.  At the
completion of a successful search, the keyrings in the path between the root of
the search and the first found link to it also have their last-used times
updated.

Note that discarding a link to a key from a keyring does not necessarily
destroy the key as there may be references held by other places.

An alternate discard method that might suffice is to perform FIFO discard from
the keyring, using the spare 2-byte hole in the keylist header as the index of
the next link to be discarded.

This is useful when using a keyring as a cache for DNS results or foreign
filesystem IDs.


This can be tested by the following.  As root do:

	echo 1000 >/proc/sys/kernel/keys/root_maxkeys

	kr=`keyctl newring foo @s`
	for ((i=0; i<2000; i++)); do keyctl add user a$i a $kr; done

Without this patch ENFILE should be reported when the keyring fills up.  With
this patch, the keyring discards keys in an LRU fashion.  Note that the stored
LRU time has a granularity of 1s.

After doing this, /proc/key-users can be observed and should show that most of
the 2000 keys have been discarded:

	[root@andromeda ~]# cat /proc/key-users
	    0:   517 516/516 513/1000 5249/20000

The "513/1000" here is the number of quota-accounted keys present for this user
out of the maximum permitted.

In /proc/keys, the keyring shows the number of keys it has and the number of
slots it has allocated:

	[root@andromeda ~]# grep foo /proc/keys
	200c64c4 I--Q--     1 perm 3b3f0000     0     0 keyring   foo: 509/509

The maximum is (PAGE_SIZE - header) / key pointer size.  That's typically 509
on a 64-bit system and 1020 on a 32-bit system.

Signed-off-by: David Howells <dhowells@redhat.com>
2012-05-11 10:56:56 +01:00
..
apparmor Fix execve behavior apparmor for PR_{GET,SET}_NO_NEW_PRIVS 2012-04-14 11:13:18 +10:00
integrity security: fix ima kconfig warning 2012-02-28 11:01:15 +11:00
keys KEYS: Do LRU discard in full keyrings 2012-05-11 10:56:56 +01:00
selinux Add PR_{GET,SET}_NO_NEW_PRIVS to prevent execve from granting privs 2012-04-14 11:13:18 +10:00
smack Smack: move label list initialization 2012-04-18 12:02:28 +10:00
tomoyo usermodehelper: use UMH_WAIT_PROC consistently 2012-03-23 16:58:41 -07:00
yama Yama: remove an unused variable 2012-04-23 17:20:22 +10:00
Kconfig KEYS: Move the key config into security/keys/Kconfig 2012-05-11 10:56:56 +01:00
Makefile security: Yama LSM 2012-02-10 09:18:52 +11:00
capability.c security: create task_free security callback 2012-02-10 09:14:51 +11:00
commoncap.c Linux 3.4-rc5 2012-05-04 12:46:40 +10:00
device_cgroup.c cgroup: remove cgroup_subsys argument from callbacks 2012-02-02 09:20:22 -08:00
inode.c securityfs: fix object creation races 2012-01-10 10:20:35 -05:00
lsm_audit.c lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data' 2012-04-03 09:49:59 -07:00
min_addr.c mmap_min_addr check CAP_SYS_RAWIO only for write 2010-04-23 08:56:31 +10:00
security.c security: trim security.h 2012-02-14 10:45:42 +11:00