1 //! Functions related to the in-kernel key management and retention facility
2 //!
3 //! For more details on this facility, see the `keyrings(7)` man page.
4 //!
5 //! Additional functions can be found in the [keyring](crate::keyring) module.
6 use crate::{read_value, write_value, ProcResult};
7
8 /// GC Delay
9 ///
10 /// The value in this file specifies the interval, in seconds,
11 /// after which revoked and expired keys will be garbage collected.
12 /// The purpose of having such an interval is so that
13 /// there is a window of time where user space can see an error
14 /// (respectively EKEYREVOKED and EKEYEXPIRED) that indicates what
15 /// happened to the key.
16 ///
17 /// The default value in this file is 300 (i.e., 5 minutes).
18 ///
19 /// (since Linux 2.6.32)
gc_delay() -> ProcResult<u32>20 pub fn gc_delay() -> ProcResult<u32> {
21 read_value("/proc/sys/kernel/keys/gc_delay")
22 }
23
24 /// Persistent Keyring Expiry
25 ///
26 /// This file defines an interval, in seconds, to which the persistent
27 /// keyring's expiration timer is reset each time the
28 /// keyring is accessed (via keyctl_get_persistent(3) or the
29 /// keyctl(2) KEYCTL_GET_PERSISTENT operation.)
30 ///
31 /// The default value in this file is 259200 (i.e., 3 days).
32 ///
33 /// (Since Linux 3.13)
persistent_keyring_expiry() -> ProcResult<u32>34 pub fn persistent_keyring_expiry() -> ProcResult<u32> {
35 read_value("/proc/sys/kernel/keys/persistent_keyring_expiry")
36 }
37
38 /// Max bytes
39 ///
40 /// This is the maximum number of bytes of data that a nonroot
41 /// user can hold in the payloads of the keys owned by the user.
42 ///
43 /// The default value in this file is 20,000.
44 ///
45 /// (since linux 2.6.26)
maxbytes() -> ProcResult<u32>46 pub fn maxbytes() -> ProcResult<u32> {
47 read_value("/proc/sys/kernel/keys/maxbytes")
48 }
49
50 /// Set max bytes
set_maxbytes(bytes: u32) -> ProcResult<()>51 pub fn set_maxbytes(bytes: u32) -> ProcResult<()> {
52 write_value("/proc/sys/kernel/keys/maxbytes", bytes)
53 }
54
55 /// Max keys
56 ///
57 /// This is the maximum number of keys that a nonroot user may own.
58 ///
59 /// (since linux 2.6.26)
maxkeys() -> ProcResult<u32>60 pub fn maxkeys() -> ProcResult<u32> {
61 read_value("/proc/sys/kernel/keys/maxkeys")
62 }
63
64 /// Set max keys
set_maxkeys(keys: u32) -> ProcResult<()>65 pub fn set_maxkeys(keys: u32) -> ProcResult<()> {
66 write_value("/proc/sys/kernel/keys/maxkeys", keys)
67 }
68
69 /// Root maxbytes
70 ///
71 /// This is the maximum number of bytes of data that the root user
72 /// (UID 0 in the root user namespace) can hold in the payloads of
73 /// the keys owned by root.
74 ///
75 /// The default value in this file is 25,000,000 (20,000 before Linux 3.17).
76 ///
77 /// (since Linux 2.6.26)
root_maxbytes() -> ProcResult<u32>78 pub fn root_maxbytes() -> ProcResult<u32> {
79 read_value("/proc/sys/kernel/keys/root_maxbytes")
80 }
81
82 /// Set root maxbytes
set_root_maxbytes(bytes: u32) -> ProcResult<()>83 pub fn set_root_maxbytes(bytes: u32) -> ProcResult<()> {
84 write_value("/proc/sys/kernel/keys/root_maxbytes", bytes)
85 }
86
87 /// Root maxkeys
88 ///
89 /// This is the maximum number of keys that the root user (UID 0 in the root user namespace) may own.
90 ///
91 /// The default value in this file is 1,000,000 (200 before Linux 3.17).
92 /// (since Linux 2.6.26)
root_maxkeys() -> ProcResult<u32>93 pub fn root_maxkeys() -> ProcResult<u32> {
94 read_value("/proc/sys/kernel/keys/root_maxkeys")
95 }
96
97 /// Set root maxkeys
set_root_maxkeys(keys: u32) -> ProcResult<()>98 pub fn set_root_maxkeys(keys: u32) -> ProcResult<()> {
99 write_value("/proc/sys/kernel/keys/root_maxkeys", keys)
100 }
101
102 #[cfg(test)]
103 mod tests {
104 use crate::{ProcError, ProcResult};
105
check_unwrap<T>(val: ProcResult<T>)106 fn check_unwrap<T>(val: ProcResult<T>) {
107 match val {
108 Ok(_) => {}
109 Err(ProcError::NotFound(_)) => {
110 // ok to ignore
111 }
112 Err(e) => {
113 panic!("Unexpected proc error: {:?}", e);
114 }
115 }
116 }
117
118 #[test]
test_keys()119 fn test_keys() {
120 check_unwrap(super::gc_delay());
121 check_unwrap(super::persistent_keyring_expiry());
122 check_unwrap(super::maxbytes());
123 check_unwrap(super::maxkeys());
124 check_unwrap(super::root_maxbytes());
125 check_unwrap(super::root_maxkeys());
126 }
127 }
128