Implement /proc/sys/kernel/keys/maxkeys.

milantracy · gvisor-bot · commit 2a3e16f4b420 · 2025-11-25T12:13:43.000-08:00
PiperOrigin-RevId: 836764402
diff --git a/pkg/sentry/fsimpl/proc/BUILD b/pkg/sentry/fsimpl/proc/BUILD
@@ -75,6 +75,7 @@ go_library(
         "fd_dir_inode_refs.go",
         "fd_info_dir_inode_refs.go",
         "filesystem.go",
+        "keys.go",
         "proc_impl.go",
         "subtasks.go",
         "subtasks_inode_refs.go",
diff --git a/pkg/sentry/fsimpl/proc/keys.go b/pkg/sentry/fsimpl/proc/keys.go
@@ -0,0 +1,78 @@
+// Copyright 2025 The gVisor Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package proc
+
+import (
+	"bytes"
+	"fmt"
+
+	"gvisor.dev/gvisor/pkg/abi/linux"
+	"gvisor.dev/gvisor/pkg/atomicbitops"
+	"gvisor.dev/gvisor/pkg/context"
+	"gvisor.dev/gvisor/pkg/errors/linuxerr"
+	"gvisor.dev/gvisor/pkg/sentry/fsimpl/kernfs"
+	"gvisor.dev/gvisor/pkg/sentry/kernel"
+	"gvisor.dev/gvisor/pkg/sentry/kernel/auth"
+	"gvisor.dev/gvisor/pkg/sentry/vfs"
+	"gvisor.dev/gvisor/pkg/usermem"
+)
+
+func (fs *filesystem) newMaxKeySizeFile(ctx context.Context, k *kernel.Kernel, creds *auth.Credentials) kernfs.Inode {
+	s := &maxKeySize{maxKeys: &k.MaxKeySetSize}
+	s.Init(ctx, creds, linux.UNNAMED_MAJOR, fs.devMinor, fs.NextIno(), s, 0644)
+	return s
+}
+
+// maxKeySize implements vfs.WritableDynamicBytesSource for
+// /proc/sys/kernel/keys/maxkeys.
+//
+// +stateify savable
+type maxKeySize struct {
+	kernfs.DynamicBytesFile
+
+	// maxKeys is the maximum number of keys allowed in a key set.
+	maxKeys *atomicbitops.Int32
+}
+
+var _ vfs.WritableDynamicBytesSource = (*maxKeySize)(nil)
+
+// Generate implements vfs.DynamicBytesSource.Generate.
+func (s *maxKeySize) Generate(ctx context.Context, buf *bytes.Buffer) error {
+	_, err := fmt.Fprintf(buf, "%d\n", s.maxKeys.Load())
+	return err
+}
+
+// Write implements vfs.WritableDynamicBytesSource.Write.
+func (s *maxKeySize) Write(ctx context.Context, _ *vfs.FileDescription, src usermem.IOSequence, offset int64) (int64, error) {
+	if offset != 0 {
+		// Ignore partial writes.
+		return 0, linuxerr.EINVAL
+	}
+	if !auth.CredentialsFromContext(ctx).HasCapability(linux.CAP_SYS_ADMIN) {
+		return 0, linuxerr.EPERM
+	}
+	buf := make([]int32, 1)
+	n, err := ParseInt32Vec(ctx, src, buf)
+	if err != nil || n == 0 {
+		return 0, err
+	}
+
+	if buf[0] <= 0 {
+		return 0, linuxerr.EINVAL
+	}
+
+	s.maxKeys.Store(buf[0])
+	return n, nil
+}
diff --git a/pkg/sentry/fsimpl/proc/tasks_sys.go b/pkg/sentry/fsimpl/proc/tasks_sys.go
@@ -66,6 +66,9 @@ func (fs *filesystem) newSysDir(ctx context.Context, root *auth.Credentials, k *
 			"yama": fs.newStaticDir(ctx, root, map[string]kernfs.Inode{
 				"ptrace_scope": fs.newYAMAPtraceScopeFile(ctx, k, root),
 			}),
+			"keys": fs.newStaticDir(ctx, root, map[string]kernfs.Inode{
+				"maxkeys": fs.newMaxKeySizeFile(ctx, k, root),
+			}),
 		}),
 		"fs": fs.newStaticDir(ctx, root, map[string]kernfs.Inode{
 			"nr_open": fs.newInode(ctx, root, 0644, &atomicInt32File{val: &k.MaxFDLimit, min: 8, max: kernel.MaxFdLimit}),
diff --git a/pkg/sentry/kernel/auth/key.go b/pkg/sentry/kernel/auth/key.go
@@ -63,10 +63,10 @@ const (
 	// Corresponds to `KEY_MAX_DESC_SIZE` in Linux.
 	MaxKeyDescSize = 4096
 
-	// maxSetSize is the maximum number of a keys in a `Set`.
+	// MaxSetSize is the default maximum number of keys in a `KeySet`.
 	// By default, Linux limits this number to 200 per non-root user.
 	// Here, we limit it to 200 per Set, which is stricter.
-	maxSetSize = 200
+	MaxSetSize = 200
 )
 
 // Key represents a key in the keyrings subsystem.
@@ -361,13 +361,13 @@ func getNewID() (KeySerial, error) {
 }
 
 // Add adds a new Key to the KeySet.
-func (s *LockedKeySet) Add(description string, creds *Credentials, perms KeyPermissions) (*Key, error) {
+func (s *LockedKeySet) Add(description string, creds *Credentials, perms KeyPermissions, keySizeLimit int) (*Key, error) {
 	if len(description) >= MaxKeyDescSize {
 		return nil, linuxerr.EINVAL
 	}
 	s.mu.Lock()
 	defer s.mu.Unlock()
-	if len(s.keys) >= maxSetSize {
+	if len(s.keys) >= keySizeLimit {
 		return nil, linuxerr.EDQUOT
 	}
 	newID, err := getNewID()
diff --git a/pkg/sentry/kernel/kernel.go b/pkg/sentry/kernel/kernel.go
@@ -401,6 +401,9 @@ type Kernel struct {
 
 	// AllowSUID determines if the SUID/SGID bits are honored during execve.
 	AllowSUID bool
+
+	// MaxKeySetSize is the maximum number of keys in a key set.
+	MaxKeySetSize atomicbitops.Int32
 }
 
 // InitKernelArgs holds arguments to Init.
@@ -581,6 +584,7 @@ func (k *Kernel) Init(args InitKernelArgs) error {
 
 	k.cgroupRegistry = newCgroupRegistry()
 	k.UnixSocketOpts = args.UnixSocketOpts
+	k.MaxKeySetSize = atomicbitops.FromInt32(auth.MaxSetSize)
 	return nil
 }
 
diff --git a/pkg/sentry/kernel/task_key.go b/pkg/sentry/kernel/task_key.go
@@ -48,7 +48,7 @@ func (t *Task) joinNewSessionKeyringLocked(newKeyDesc string, newKeyPerms auth.K
 	err := t.UserNamespace().Keys.Do(func(keySet *auth.LockedKeySet) error {
 		creds := t.Credentials()
 		var err error
-		sessionKeyring, err = keySet.Add(newKeyDesc, creds, newKeyPerms)
+		sessionKeyring, err = keySet.Add(newKeyDesc, creds, newKeyPerms, int(t.Kernel().MaxKeySetSize.Load()))
 		return err
 	})
 	if err != nil {
diff --git a/test/syscalls/linux/proc.cc b/test/syscalls/linux/proc.cc
@@ -71,6 +71,7 @@
 #include "test/util/eventfd_util.h"
 #include "test/util/file_descriptor.h"
 #include "test/util/fs_util.h"
+#include "test/util/linux_capability_util.h"
 #include "test/util/memory_util.h"
 #include "test/util/mount_util.h"
 #include "test/util/multiprocess_util.h"
@@ -3085,6 +3086,35 @@ TEST(ProcFilesystems, OverflowID) {
   EXPECT_EQ(overflowUid, defaultOverflowID);
 }
 
+TEST(ProcSysKernelKeysMax, Exists) {
+  auto maxkeys =
+      ASSERT_NO_ERRNO_AND_VALUE(GetContents("/proc/sys/kernel/keys/maxkeys"));
+  int32_t mk;
+  ASSERT_TRUE(absl::SimpleAtoi(maxkeys, &mk));
+  EXPECT_EQ(mk, 200);
+}
+
+TEST(ProcSysKernelKeysMax, InvalidMaxKeysValue) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_SYS_ADMIN)));
+  ASSERT_THAT(SetContents("/proc/sys/kernel/keys/maxkeys", "-1"),
+              PosixErrorIs(EINVAL));
+  auto maxkeys =
+      ASSERT_NO_ERRNO_AND_VALUE(GetContents("/proc/sys/kernel/keys/maxkeys"));
+  int32_t mk;
+  ASSERT_TRUE(absl::SimpleAtoi(maxkeys, &mk));
+  EXPECT_EQ(mk, 200);
+}
+
+TEST(ProcSysKernelKeysMax, SetMaxKeys) {
+  SKIP_IF(!ASSERT_NO_ERRNO_AND_VALUE(HaveCapability(CAP_SYS_ADMIN)));
+  ASSERT_NO_ERRNO(SetContents("/proc/sys/kernel/keys/maxkeys", "100"));
+  auto maxkeys =
+      ASSERT_NO_ERRNO_AND_VALUE(GetContents("/proc/sys/kernel/keys/maxkeys"));
+  int32_t mk;
+  ASSERT_TRUE(absl::SimpleAtoi(maxkeys, &mk));
+  EXPECT_EQ(mk, 100);
+}
+
 }  // namespace
 }  // namespace testing
 }  // namespace gvisor

Original file line number	Diff line number	Diff line change
`@@ -401,6 +401,9 @@ type Kernel struct {`
`401`	`401`
`402`	`402`	`// AllowSUID determines if the SUID/SGID bits are honored during execve.`
`403`	`403`	`AllowSUID bool`
	`404`	`+`
	`405`	`+ // MaxKeySetSize is the maximum number of keys in a key set.`
	`406`	`+ MaxKeySetSize atomicbitops.Int32`
`404`	`407`	`}`
`405`	`408`
`406`	`409`	`// InitKernelArgs holds arguments to Init.`
`@@ -581,6 +584,7 @@ func (k *Kernel) Init(args InitKernelArgs) error {`
`581`	`584`
`582`	`585`	`k.cgroupRegistry = newCgroupRegistry()`
`583`	`586`	`k.UnixSocketOpts = args.UnixSocketOpts`
	`587`	`+ k.MaxKeySetSize = atomicbitops.FromInt32(auth.MaxSetSize)`
`584`	`588`	`return nil`
`585`	`589`	`}`
`586`	`590`