Linux: don't count pag keys against root's keyring quotas

Keys associated with PAGs are created with root ownership for
security reasons, which means that they count agains root's
keyring quotas.  The default configuration used by most distros
restricts root to the same quotas as a regular user, so a single
user can potentially fill up the quota and prevent new pags from
getting created system-wide.
This can also be an issue for busy multi-user systems where the
default maximum number of keys (200 currently) can easily be reached.

Change-Id: I37e3f3d881facff9b14f2057b404d4b441e72305
Change-Id: Id1ef2d5a7109d8ee7c08aa81dfd98ecf951c8ba8
Reviewed-on: http://gerrit.openafs.org/1167
Reviewed-by: Marc Dionne <marc.c.dionne@gmail.com>
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>

diff --git a/src/afs/LINUX/osi_compat.h b/src/afs/LINUX/osi_compat.h
index 866d3fc..5e52056 100644 (file)
--- a/src/afs/LINUX/osi_compat.h
+++ b/src/afs/LINUX/osi_compat.h
@@ -194,4 +194,12 @@ afs_linux_cred_is_current(afs_ucred_t *cred)
 }
 #endif
 
+#ifdef LINUX_KEYRING_SUPPORT
+# ifndef KEY_ALLOC_NOT_IN_QUOTA
+#  define KEY_ALLOC_NOT_IN_QUOTA 1
+# endif
+# ifndef KEY_ALLOC_IN_QUOTA
+#  define KEY_ALLOC_IN_QUOTA 0
+# endif
+#endif
 #endif

diff --git a/src/afs/LINUX/osi_groups.c b/src/afs/LINUX/osi_groups.c
index 835e1e2..b1fc848 100644 (file)
--- a/src/afs/LINUX/osi_groups.c
+++ b/src/afs/LINUX/osi_groups.c
@@ -236,7 +236,7 @@ setpag(cred_t **cr, afs_uint32 pagvalue, afs_uint32 *newpag,
            perm = KEY_POS_VIEW | KEY_POS_SEARCH;
            perm |= KEY_USR_VIEW | KEY_USR_SEARCH;
 
-           key = afs_linux_key_alloc(&key_type_afs_pag, "_pag", 0, 0, perm, 1);
+           key = afs_linux_key_alloc(&key_type_afs_pag, "_pag", 0, 0, perm, KEY_ALLOC_NOT_IN_QUOTA);
 
            if (!IS_ERR(key)) {
                key_instantiate_and_link(key, (void *) newpag, sizeof(afs_uint32),