|
|
@@ -0,0 +1,59 @@
|
|
|
+// +build linux
|
|
|
+
|
|
|
+package daemon
|
|
|
+
|
|
|
+import (
|
|
|
+ "fmt"
|
|
|
+ "io/ioutil"
|
|
|
+ "os"
|
|
|
+ "strconv"
|
|
|
+ "strings"
|
|
|
+)
|
|
|
+
|
|
|
+const (
|
|
|
+ rootKeyFile = "/proc/sys/kernel/keys/root_maxkeys"
|
|
|
+ rootBytesFile = "/proc/sys/kernel/keys/root_maxbytes"
|
|
|
+ rootKeyLimit = 1000000
|
|
|
+ // it is standard configuration to allocate 25 bytes per key
|
|
|
+ rootKeyByteMultiplier = 25
|
|
|
+)
|
|
|
+
|
|
|
+// ModifyRootKeyLimit checks to see if the root key limit is set to
|
|
|
+// at least 1000000 and changes it to that limit along with the maxbytes
|
|
|
+// allocated to the keys at a 25 to 1 multiplier.
|
|
|
+func ModifyRootKeyLimit() error {
|
|
|
+ value, err := readRootKeyLimit(rootKeyFile)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+ if value < rootKeyLimit {
|
|
|
+ return setRootKeyLimit(rootKeyLimit)
|
|
|
+ }
|
|
|
+ return nil
|
|
|
+}
|
|
|
+
|
|
|
+func setRootKeyLimit(limit int) error {
|
|
|
+ keys, err := os.OpenFile(rootKeyFile, os.O_WRONLY, 0)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+ defer keys.Close()
|
|
|
+ if _, err := fmt.Fprintf(keys, "%d", limit); err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+ bytes, err := os.OpenFile(rootBytesFile, os.O_WRONLY, 0)
|
|
|
+ if err != nil {
|
|
|
+ return err
|
|
|
+ }
|
|
|
+ defer bytes.Close()
|
|
|
+ _, err = fmt.Fprintf(bytes, "%d", limit*rootKeyByteMultiplier)
|
|
|
+ return err
|
|
|
+}
|
|
|
+
|
|
|
+func readRootKeyLimit(path string) (int, error) {
|
|
|
+ data, err := ioutil.ReadFile(path)
|
|
|
+ if err != nil {
|
|
|
+ return -1, err
|
|
|
+ }
|
|
|
+ return strconv.Atoi(strings.Trim(string(data), "\n"))
|
|
|
+}
|
Sebastiaan van Stijn