id.c 7.4 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * Landlock - Unique identification number generator
  4. *
  5. * Copyright © 2024-2025 Microsoft Corporation
  6. */
  7. #include <kunit/test.h>
  8. #include <linux/atomic.h>
  9. #include <linux/bitops.h>
  10. #include <linux/random.h>
  11. #include <linux/spinlock.h>
  12. #include "common.h"
  13. #include "id.h"
  14. #define COUNTER_PRE_INIT 0
  15. static atomic64_t next_id = ATOMIC64_INIT(COUNTER_PRE_INIT);
  16. static void __init init_id(atomic64_t *const counter, const u32 random_32bits)
  17. {
  18. u64 init;
  19. /*
  20. * Ensures sure 64-bit values are always used by user space (or may
  21. * fail with -EOVERFLOW), and makes this testable.
  22. */
  23. init = BIT_ULL(32);
  24. /*
  25. * Makes a large (2^32) boot-time value to limit ID collision in logs
  26. * from different boots, and to limit info leak about the number of
  27. * initially (relative to the reader) created elements (e.g. domains).
  28. */
  29. init += random_32bits;
  30. /* Sets first or ignores. This will be the first ID. */
  31. atomic64_cmpxchg(counter, COUNTER_PRE_INIT, init);
  32. }
  33. #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
  34. static void __init test_init_min(struct kunit *const test)
  35. {
  36. atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
  37. init_id(&counter, 0);
  38. KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1ULL + U32_MAX);
  39. }
  40. static void __init test_init_max(struct kunit *const test)
  41. {
  42. atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
  43. init_id(&counter, ~0);
  44. KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1 + (2ULL * U32_MAX));
  45. }
  46. static void __init test_init_once(struct kunit *const test)
  47. {
  48. const u64 first_init = 1ULL + U32_MAX;
  49. atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
  50. init_id(&counter, 0);
  51. KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init);
  52. init_id(&counter, ~0);
  53. KUNIT_EXPECT_EQ_MSG(
  54. test, atomic64_read(&counter), first_init,
  55. "Should still have the same value after the subsequent init_id()");
  56. }
  57. #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
  58. void __init landlock_init_id(void)
  59. {
  60. return init_id(&next_id, get_random_u32());
  61. }
  62. /*
  63. * It's not worth it to try to hide the monotonic counter because it can still
  64. * be inferred (with N counter ranges), and if we are allowed to read the inode
  65. * number we should also be allowed to read the time creation anyway, and it
  66. * can be handy to store and sort domain IDs for user space.
  67. *
  68. * Returns the value of next_id and increment it to let some space for the next
  69. * one.
  70. */
  71. static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter,
  72. u8 random_4bits)
  73. {
  74. u64 id, step;
  75. /*
  76. * We should return at least 1 ID, and we may need a set of consecutive
  77. * ones (e.g. to generate a set of inodes).
  78. */
  79. if (WARN_ON_ONCE(number_of_ids <= 0))
  80. number_of_ids = 1;
  81. /*
  82. * Blurs the next ID guess with 1/16 ratio. We get 2^(64 - 4) -
  83. * (2 * 2^32), so a bit less than 2^60 available IDs, which should be
  84. * much more than enough considering the number of CPU cycles required
  85. * to get a new ID (e.g. a full landlock_restrict_self() call), and the
  86. * cost of draining all available IDs during the system's uptime.
  87. */
  88. random_4bits &= 0b1111;
  89. step = number_of_ids + random_4bits;
  90. /* It is safe to cast a signed atomic to an unsigned value. */
  91. id = atomic64_fetch_add(step, counter);
  92. /* Warns if landlock_init_id() was not called. */
  93. WARN_ON_ONCE(id == COUNTER_PRE_INIT);
  94. return id;
  95. }
  96. #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
  97. static u8 get_random_u8_positive(void)
  98. {
  99. /* max() evaluates its arguments once. */
  100. return max(1, get_random_u8());
  101. }
  102. static void test_range1_rand0(struct kunit *const test)
  103. {
  104. atomic64_t counter;
  105. u64 init;
  106. init = get_random_u32();
  107. atomic64_set(&counter, init);
  108. KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init);
  109. KUNIT_EXPECT_EQ(test,
  110. get_id_range(get_random_u8_positive(), &counter,
  111. get_random_u8()),
  112. init + 1);
  113. }
  114. static void test_range1_rand1(struct kunit *const test)
  115. {
  116. atomic64_t counter;
  117. u64 init;
  118. init = get_random_u32();
  119. atomic64_set(&counter, init);
  120. KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init);
  121. KUNIT_EXPECT_EQ(test,
  122. get_id_range(get_random_u8_positive(), &counter,
  123. get_random_u8()),
  124. init + 2);
  125. }
  126. static void test_range1_rand15(struct kunit *const test)
  127. {
  128. atomic64_t counter;
  129. u64 init;
  130. init = get_random_u32();
  131. atomic64_set(&counter, init);
  132. KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init);
  133. KUNIT_EXPECT_EQ(test,
  134. get_id_range(get_random_u8_positive(), &counter,
  135. get_random_u8()),
  136. init + 16);
  137. }
  138. static void test_range1_rand16(struct kunit *const test)
  139. {
  140. atomic64_t counter;
  141. u64 init;
  142. init = get_random_u32();
  143. atomic64_set(&counter, init);
  144. KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init);
  145. KUNIT_EXPECT_EQ(test,
  146. get_id_range(get_random_u8_positive(), &counter,
  147. get_random_u8()),
  148. init + 1);
  149. }
  150. static void test_range2_rand0(struct kunit *const test)
  151. {
  152. atomic64_t counter;
  153. u64 init;
  154. init = get_random_u32();
  155. atomic64_set(&counter, init);
  156. KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init);
  157. KUNIT_EXPECT_EQ(test,
  158. get_id_range(get_random_u8_positive(), &counter,
  159. get_random_u8()),
  160. init + 2);
  161. }
  162. static void test_range2_rand1(struct kunit *const test)
  163. {
  164. atomic64_t counter;
  165. u64 init;
  166. init = get_random_u32();
  167. atomic64_set(&counter, init);
  168. KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init);
  169. KUNIT_EXPECT_EQ(test,
  170. get_id_range(get_random_u8_positive(), &counter,
  171. get_random_u8()),
  172. init + 3);
  173. }
  174. static void test_range2_rand2(struct kunit *const test)
  175. {
  176. atomic64_t counter;
  177. u64 init;
  178. init = get_random_u32();
  179. atomic64_set(&counter, init);
  180. KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init);
  181. KUNIT_EXPECT_EQ(test,
  182. get_id_range(get_random_u8_positive(), &counter,
  183. get_random_u8()),
  184. init + 4);
  185. }
  186. static void test_range2_rand15(struct kunit *const test)
  187. {
  188. atomic64_t counter;
  189. u64 init;
  190. init = get_random_u32();
  191. atomic64_set(&counter, init);
  192. KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init);
  193. KUNIT_EXPECT_EQ(test,
  194. get_id_range(get_random_u8_positive(), &counter,
  195. get_random_u8()),
  196. init + 17);
  197. }
  198. static void test_range2_rand16(struct kunit *const test)
  199. {
  200. atomic64_t counter;
  201. u64 init;
  202. init = get_random_u32();
  203. atomic64_set(&counter, init);
  204. KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init);
  205. KUNIT_EXPECT_EQ(test,
  206. get_id_range(get_random_u8_positive(), &counter,
  207. get_random_u8()),
  208. init + 2);
  209. }
  210. #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
  211. /**
  212. * landlock_get_id_range - Get a range of unique IDs
  213. *
  214. * @number_of_ids: Number of IDs to hold. Must be greater than one.
  215. *
  216. * Returns: The first ID in the range.
  217. */
  218. u64 landlock_get_id_range(size_t number_of_ids)
  219. {
  220. return get_id_range(number_of_ids, &next_id, get_random_u8());
  221. }
  222. #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
  223. static struct kunit_case __refdata test_cases[] = {
  224. /* clang-format off */
  225. KUNIT_CASE(test_init_min),
  226. KUNIT_CASE(test_init_max),
  227. KUNIT_CASE(test_init_once),
  228. KUNIT_CASE(test_range1_rand0),
  229. KUNIT_CASE(test_range1_rand1),
  230. KUNIT_CASE(test_range1_rand15),
  231. KUNIT_CASE(test_range1_rand16),
  232. KUNIT_CASE(test_range2_rand0),
  233. KUNIT_CASE(test_range2_rand1),
  234. KUNIT_CASE(test_range2_rand2),
  235. KUNIT_CASE(test_range2_rand15),
  236. KUNIT_CASE(test_range2_rand16),
  237. {}
  238. /* clang-format on */
  239. };
  240. static struct kunit_suite test_suite = {
  241. .name = "landlock_id",
  242. .test_cases = test_cases,
  243. };
  244. kunit_test_init_section_suite(test_suite);
  245. #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */