Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/security/landlock/id.c
29265 views
1
// SPDX-License-Identifier: GPL-2.0-only

2
/*

3
 * Landlock - Unique identification number generator

4
 *

5
 * Copyright © 2024-2025 Microsoft Corporation

6
 */

7


8
#include <kunit/test.h>

9
#include <linux/atomic.h>

10
#include <linux/bitops.h>

11
#include <linux/random.h>

12
#include <linux/spinlock.h>

13


14
#include "common.h"

15
#include "id.h"

16


17
#define COUNTER_PRE_INIT 0

18


19
static atomic64_t next_id = ATOMIC64_INIT(COUNTER_PRE_INIT);

20


21
static void __init init_id(atomic64_t *const counter, const u32 random_32bits)

22
{

23
	u64 init;

24


25
	/*

26
	 * Ensures sure 64-bit values are always used by user space (or may

27
	 * fail with -EOVERFLOW), and makes this testable.

28
	 */

29
	init = BIT_ULL(32);

30


31
	/*

32
	 * Makes a large (2^32) boot-time value to limit ID collision in logs

33
	 * from different boots, and to limit info leak about the number of

34
	 * initially (relative to the reader) created elements (e.g. domains).

35
	 */

36
	init += random_32bits;

37


38
	/* Sets first or ignores.  This will be the first ID. */

39
	atomic64_cmpxchg(counter, COUNTER_PRE_INIT, init);

40
}

41


42
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

43


44
static void __init test_init_min(struct kunit *const test)

45
{

46
	atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);

47


48
	init_id(&counter, 0);

49
	KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1ULL + U32_MAX);

50
}

51


52
static void __init test_init_max(struct kunit *const test)

53
{

54
	atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);

55


56
	init_id(&counter, ~0);

57
	KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1 + (2ULL * U32_MAX));

58
}

59


60
static void __init test_init_once(struct kunit *const test)

61
{

62
	const u64 first_init = 1ULL + U32_MAX;

63
	atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);

64


65
	init_id(&counter, 0);

66
	KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init);

67


68
	init_id(&counter, ~0);

69
	KUNIT_EXPECT_EQ_MSG(

70
		test, atomic64_read(&counter), first_init,

71
		"Should still have the same value after the subsequent init_id()");

72
}

73


74
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

75


76
void __init landlock_init_id(void)

77
{

78
	return init_id(&next_id, get_random_u32());

79
}

80


81
/*

82
 * It's not worth it to try to hide the monotonic counter because it can still

83
 * be inferred (with N counter ranges), and if we are allowed to read the inode

84
 * number we should also be allowed to read the time creation anyway, and it

85
 * can be handy to store and sort domain IDs for user space.

86
 *

87
 * Returns the value of next_id and increment it to let some space for the next

88
 * one.

89
 */

90
static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter,

91
			u8 random_4bits)

92
{

93
	u64 id, step;

94


95
	/*

96
	 * We should return at least 1 ID, and we may need a set of consecutive

97
	 * ones (e.g. to generate a set of inodes).

98
	 */

99
	if (WARN_ON_ONCE(number_of_ids <= 0))

100
		number_of_ids = 1;

101


102
	/*

103
	 * Blurs the next ID guess with 1/16 ratio.  We get 2^(64 - 4) -

104
	 * (2 * 2^32), so a bit less than 2^60 available IDs, which should be

105
	 * much more than enough considering the number of CPU cycles required

106
	 * to get a new ID (e.g. a full landlock_restrict_self() call), and the

107
	 * cost of draining all available IDs during the system's uptime.

108
	 */

109
	random_4bits &= 0b1111;

110
	step = number_of_ids + random_4bits;

111


112
	/* It is safe to cast a signed atomic to an unsigned value. */

113
	id = atomic64_fetch_add(step, counter);

114


115
	/* Warns if landlock_init_id() was not called. */

116
	WARN_ON_ONCE(id == COUNTER_PRE_INIT);

117
	return id;

118
}

119


120
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

121


122
static u8 get_random_u8_positive(void)

123
{

124
	/* max() evaluates its arguments once. */

125
	return max(1, get_random_u8());

126
}

127


128
static void test_range1_rand0(struct kunit *const test)

129
{

130
	atomic64_t counter;

131
	u64 init;

132


133
	init = get_random_u32();

134
	atomic64_set(&counter, init);

135
	KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init);

136
	KUNIT_EXPECT_EQ(test,

137
			get_id_range(get_random_u8_positive(), &counter,

138
				     get_random_u8()),

139
			init + 1);

140
}

141


142
static void test_range1_rand1(struct kunit *const test)

143
{

144
	atomic64_t counter;

145
	u64 init;

146


147
	init = get_random_u32();

148
	atomic64_set(&counter, init);

149
	KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init);

150
	KUNIT_EXPECT_EQ(test,

151
			get_id_range(get_random_u8_positive(), &counter,

152
				     get_random_u8()),

153
			init + 2);

154
}

155


156
static void test_range1_rand15(struct kunit *const test)

157
{

158
	atomic64_t counter;

159
	u64 init;

160


161
	init = get_random_u32();

162
	atomic64_set(&counter, init);

163
	KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init);

164
	KUNIT_EXPECT_EQ(test,

165
			get_id_range(get_random_u8_positive(), &counter,

166
				     get_random_u8()),

167
			init + 16);

168
}

169


170
static void test_range1_rand16(struct kunit *const test)

171
{

172
	atomic64_t counter;

173
	u64 init;

174


175
	init = get_random_u32();

176
	atomic64_set(&counter, init);

177
	KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init);

178
	KUNIT_EXPECT_EQ(test,

179
			get_id_range(get_random_u8_positive(), &counter,

180
				     get_random_u8()),

181
			init + 1);

182
}

183


184
static void test_range2_rand0(struct kunit *const test)

185
{

186
	atomic64_t counter;

187
	u64 init;

188


189
	init = get_random_u32();

190
	atomic64_set(&counter, init);

191
	KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init);

192
	KUNIT_EXPECT_EQ(test,

193
			get_id_range(get_random_u8_positive(), &counter,

194
				     get_random_u8()),

195
			init + 2);

196
}

197


198
static void test_range2_rand1(struct kunit *const test)

199
{

200
	atomic64_t counter;

201
	u64 init;

202


203
	init = get_random_u32();

204
	atomic64_set(&counter, init);

205
	KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init);

206
	KUNIT_EXPECT_EQ(test,

207
			get_id_range(get_random_u8_positive(), &counter,

208
				     get_random_u8()),

209
			init + 3);

210
}

211


212
static void test_range2_rand2(struct kunit *const test)

213
{

214
	atomic64_t counter;

215
	u64 init;

216


217
	init = get_random_u32();

218
	atomic64_set(&counter, init);

219
	KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init);

220
	KUNIT_EXPECT_EQ(test,

221
			get_id_range(get_random_u8_positive(), &counter,

222
				     get_random_u8()),

223
			init + 4);

224
}

225


226
static void test_range2_rand15(struct kunit *const test)

227
{

228
	atomic64_t counter;

229
	u64 init;

230


231
	init = get_random_u32();

232
	atomic64_set(&counter, init);

233
	KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init);

234
	KUNIT_EXPECT_EQ(test,

235
			get_id_range(get_random_u8_positive(), &counter,

236
				     get_random_u8()),

237
			init + 17);

238
}

239


240
static void test_range2_rand16(struct kunit *const test)

241
{

242
	atomic64_t counter;

243
	u64 init;

244


245
	init = get_random_u32();

246
	atomic64_set(&counter, init);

247
	KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init);

248
	KUNIT_EXPECT_EQ(test,

249
			get_id_range(get_random_u8_positive(), &counter,

250
				     get_random_u8()),

251
			init + 2);

252
}

253


254
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

255


256
/**

257
 * landlock_get_id_range - Get a range of unique IDs

258
 *

259
 * @number_of_ids: Number of IDs to hold.  Must be greater than one.

260
 *

261
 * Returns: The first ID in the range.

262
 */

263
u64 landlock_get_id_range(size_t number_of_ids)

264
{

265
	return get_id_range(number_of_ids, &next_id, get_random_u8());

266
}

267


268
#ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST

269


270
static struct kunit_case __refdata test_cases[] = {

271
	/* clang-format off */

272
	KUNIT_CASE(test_init_min),

273
	KUNIT_CASE(test_init_max),

274
	KUNIT_CASE(test_init_once),

275
	KUNIT_CASE(test_range1_rand0),

276
	KUNIT_CASE(test_range1_rand1),

277
	KUNIT_CASE(test_range1_rand15),

278
	KUNIT_CASE(test_range1_rand16),

279
	KUNIT_CASE(test_range2_rand0),

280
	KUNIT_CASE(test_range2_rand1),

281
	KUNIT_CASE(test_range2_rand2),

282
	KUNIT_CASE(test_range2_rand15),

283
	KUNIT_CASE(test_range2_rand16),

284
	{}

285
	/* clang-format on */

286
};

287


288
static struct kunit_suite test_suite = {

289
	.name = "landlock_id",

290
	.test_cases = test_cases,

291
};

292


293
kunit_test_init_section_suite(test_suite);

294


295
#endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */

296


297