1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Landlock - Unique identification number generator
4 *
5 * Copyright © 2024-2025 Microsoft Corporation
6 */
7
8 #include <kunit/test.h>
9 #include <linux/atomic.h>
10 #include <linux/bitops.h>
11 #include <linux/random.h>
12 #include <linux/spinlock.h>
13
14 #include "common.h"
15 #include "id.h"
16
17 #define COUNTER_PRE_INIT 0
18
19 static atomic64_t next_id = ATOMIC64_INIT(COUNTER_PRE_INIT);
20
init_id(atomic64_t * const counter,const u32 random_32bits)21 static void __init init_id(atomic64_t *const counter, const u32 random_32bits)
22 {
23 u64 init;
24
25 /*
26 * Ensures sure 64-bit values are always used by user space (or may
27 * fail with -EOVERFLOW), and makes this testable.
28 */
29 init = BIT_ULL(32);
30
31 /*
32 * Makes a large (2^32) boot-time value to limit ID collision in logs
33 * from different boots, and to limit info leak about the number of
34 * initially (relative to the reader) created elements (e.g. domains).
35 */
36 init += random_32bits;
37
38 /* Sets first or ignores. This will be the first ID. */
39 atomic64_cmpxchg(counter, COUNTER_PRE_INIT, init);
40 }
41
42 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
43
test_init_min(struct kunit * const test)44 static void __init test_init_min(struct kunit *const test)
45 {
46 atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
47
48 init_id(&counter, 0);
49 KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1ULL + U32_MAX);
50 }
51
test_init_max(struct kunit * const test)52 static void __init test_init_max(struct kunit *const test)
53 {
54 atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
55
56 init_id(&counter, ~0);
57 KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1 + (2ULL * U32_MAX));
58 }
59
test_init_once(struct kunit * const test)60 static void __init test_init_once(struct kunit *const test)
61 {
62 const u64 first_init = 1ULL + U32_MAX;
63 atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
64
65 init_id(&counter, 0);
66 KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init);
67
68 init_id(&counter, ~0);
69 KUNIT_EXPECT_EQ_MSG(
70 test, atomic64_read(&counter), first_init,
71 "Should still have the same value after the subsequent init_id()");
72 }
73
74 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
75
landlock_init_id(void)76 void __init landlock_init_id(void)
77 {
78 return init_id(&next_id, get_random_u32());
79 }
80
81 /*
82 * It's not worth it to try to hide the monotonic counter because it can still
83 * be inferred (with N counter ranges), and if we are allowed to read the inode
84 * number we should also be allowed to read the time creation anyway, and it
85 * can be handy to store and sort domain IDs for user space.
86 *
87 * Returns the value of next_id and increment it to let some space for the next
88 * one.
89 */
get_id_range(size_t number_of_ids,atomic64_t * const counter,u8 random_4bits)90 static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter,
91 u8 random_4bits)
92 {
93 u64 id, step;
94
95 /*
96 * We should return at least 1 ID, and we may need a set of consecutive
97 * ones (e.g. to generate a set of inodes).
98 */
99 if (WARN_ON_ONCE(number_of_ids <= 0))
100 number_of_ids = 1;
101
102 /*
103 * Blurs the next ID guess with 1/16 ratio. We get 2^(64 - 4) -
104 * (2 * 2^32), so a bit less than 2^60 available IDs, which should be
105 * much more than enough considering the number of CPU cycles required
106 * to get a new ID (e.g. a full landlock_restrict_self() call), and the
107 * cost of draining all available IDs during the system's uptime.
108 */
109 random_4bits &= 0b1111;
110 step = number_of_ids + random_4bits;
111
112 /* It is safe to cast a signed atomic to an unsigned value. */
113 id = atomic64_fetch_add(step, counter);
114
115 /* Warns if landlock_init_id() was not called. */
116 WARN_ON_ONCE(id == COUNTER_PRE_INIT);
117 return id;
118 }
119
120 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
121
get_random_u8_positive(void)122 static u8 get_random_u8_positive(void)
123 {
124 /* max() evaluates its arguments once. */
125 return max(1, get_random_u8());
126 }
127
test_range1_rand0(struct kunit * const test)128 static void test_range1_rand0(struct kunit *const test)
129 {
130 atomic64_t counter;
131 u64 init;
132
133 init = get_random_u32();
134 atomic64_set(&counter, init);
135 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init);
136 KUNIT_EXPECT_EQ(test,
137 get_id_range(get_random_u8_positive(), &counter,
138 get_random_u8()),
139 init + 1);
140 }
141
test_range1_rand1(struct kunit * const test)142 static void test_range1_rand1(struct kunit *const test)
143 {
144 atomic64_t counter;
145 u64 init;
146
147 init = get_random_u32();
148 atomic64_set(&counter, init);
149 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init);
150 KUNIT_EXPECT_EQ(test,
151 get_id_range(get_random_u8_positive(), &counter,
152 get_random_u8()),
153 init + 2);
154 }
155
test_range1_rand15(struct kunit * const test)156 static void test_range1_rand15(struct kunit *const test)
157 {
158 atomic64_t counter;
159 u64 init;
160
161 init = get_random_u32();
162 atomic64_set(&counter, init);
163 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init);
164 KUNIT_EXPECT_EQ(test,
165 get_id_range(get_random_u8_positive(), &counter,
166 get_random_u8()),
167 init + 16);
168 }
169
test_range1_rand16(struct kunit * const test)170 static void test_range1_rand16(struct kunit *const test)
171 {
172 atomic64_t counter;
173 u64 init;
174
175 init = get_random_u32();
176 atomic64_set(&counter, init);
177 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init);
178 KUNIT_EXPECT_EQ(test,
179 get_id_range(get_random_u8_positive(), &counter,
180 get_random_u8()),
181 init + 1);
182 }
183
test_range2_rand0(struct kunit * const test)184 static void test_range2_rand0(struct kunit *const test)
185 {
186 atomic64_t counter;
187 u64 init;
188
189 init = get_random_u32();
190 atomic64_set(&counter, init);
191 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init);
192 KUNIT_EXPECT_EQ(test,
193 get_id_range(get_random_u8_positive(), &counter,
194 get_random_u8()),
195 init + 2);
196 }
197
test_range2_rand1(struct kunit * const test)198 static void test_range2_rand1(struct kunit *const test)
199 {
200 atomic64_t counter;
201 u64 init;
202
203 init = get_random_u32();
204 atomic64_set(&counter, init);
205 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init);
206 KUNIT_EXPECT_EQ(test,
207 get_id_range(get_random_u8_positive(), &counter,
208 get_random_u8()),
209 init + 3);
210 }
211
test_range2_rand2(struct kunit * const test)212 static void test_range2_rand2(struct kunit *const test)
213 {
214 atomic64_t counter;
215 u64 init;
216
217 init = get_random_u32();
218 atomic64_set(&counter, init);
219 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init);
220 KUNIT_EXPECT_EQ(test,
221 get_id_range(get_random_u8_positive(), &counter,
222 get_random_u8()),
223 init + 4);
224 }
225
test_range2_rand15(struct kunit * const test)226 static void test_range2_rand15(struct kunit *const test)
227 {
228 atomic64_t counter;
229 u64 init;
230
231 init = get_random_u32();
232 atomic64_set(&counter, init);
233 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init);
234 KUNIT_EXPECT_EQ(test,
235 get_id_range(get_random_u8_positive(), &counter,
236 get_random_u8()),
237 init + 17);
238 }
239
test_range2_rand16(struct kunit * const test)240 static void test_range2_rand16(struct kunit *const test)
241 {
242 atomic64_t counter;
243 u64 init;
244
245 init = get_random_u32();
246 atomic64_set(&counter, init);
247 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init);
248 KUNIT_EXPECT_EQ(test,
249 get_id_range(get_random_u8_positive(), &counter,
250 get_random_u8()),
251 init + 2);
252 }
253
254 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
255
256 /**
257 * landlock_get_id_range - Get a range of unique IDs
258 *
259 * @number_of_ids: Number of IDs to hold. Must be greater than one.
260 *
261 * Returns: The first ID in the range.
262 */
landlock_get_id_range(size_t number_of_ids)263 u64 landlock_get_id_range(size_t number_of_ids)
264 {
265 return get_id_range(number_of_ids, &next_id, get_random_u8());
266 }
267
268 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST
269
270 static struct kunit_case __refdata test_cases[] = {
271 /* clang-format off */
272 KUNIT_CASE(test_init_min),
273 KUNIT_CASE(test_init_max),
274 KUNIT_CASE(test_init_once),
275 KUNIT_CASE(test_range1_rand0),
276 KUNIT_CASE(test_range1_rand1),
277 KUNIT_CASE(test_range1_rand15),
278 KUNIT_CASE(test_range1_rand16),
279 KUNIT_CASE(test_range2_rand0),
280 KUNIT_CASE(test_range2_rand1),
281 KUNIT_CASE(test_range2_rand2),
282 KUNIT_CASE(test_range2_rand15),
283 KUNIT_CASE(test_range2_rand16),
284 {}
285 /* clang-format on */
286 };
287
288 static struct kunit_suite test_suite = {
289 .name = "landlock_id",
290 .test_cases = test_cases,
291 };
292
293 kunit_test_init_section_suite(test_suite);
294
295 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */
296