1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Landlock - Unique identification number generator 4 * 5 * Copyright © 2024-2025 Microsoft Corporation 6 */ 7 8 #include <kunit/test.h> 9 #include <linux/atomic.h> 10 #include <linux/bitops.h> 11 #include <linux/random.h> 12 #include <linux/spinlock.h> 13 14 #include "common.h" 15 #include "id.h" 16 17 #define COUNTER_PRE_INIT 0 18 19 static atomic64_t next_id = ATOMIC64_INIT(COUNTER_PRE_INIT); 20 21 static void __init init_id(atomic64_t *const counter, const u32 random_32bits) 22 { 23 u64 init; 24 25 /* 26 * Ensures sure 64-bit values are always used by user space (or may 27 * fail with -EOVERFLOW), and makes this testable. 28 */ 29 init = BIT_ULL(32); 30 31 /* 32 * Makes a large (2^32) boot-time value to limit ID collision in logs 33 * from different boots, and to limit info leak about the number of 34 * initially (relative to the reader) created elements (e.g. domains). 35 */ 36 init += random_32bits; 37 38 /* Sets first or ignores. This will be the first ID. */ 39 atomic64_cmpxchg(counter, COUNTER_PRE_INIT, init); 40 } 41 42 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST 43 44 static void __init test_init_min(struct kunit *const test) 45 { 46 atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT); 47 48 init_id(&counter, 0); 49 KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1ULL + U32_MAX); 50 } 51 52 static void __init test_init_max(struct kunit *const test) 53 { 54 atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT); 55 56 init_id(&counter, ~0); 57 KUNIT_EXPECT_EQ(test, atomic64_read(&counter), 1 + (2ULL * U32_MAX)); 58 } 59 60 static void __init test_init_once(struct kunit *const test) 61 { 62 const u64 first_init = 1ULL + U32_MAX; 63 atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT); 64 65 init_id(&counter, 0); 66 KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init); 67 68 init_id(&counter, ~0); 69 KUNIT_EXPECT_EQ_MSG( 70 test, atomic64_read(&counter), first_init, 71 "Should still have the same value after the subsequent init_id()"); 72 } 73 74 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ 75 76 void __init landlock_init_id(void) 77 { 78 return init_id(&next_id, get_random_u32()); 79 } 80 81 /* 82 * It's not worth it to try to hide the monotonic counter because it can still 83 * be inferred (with N counter ranges), and if we are allowed to read the inode 84 * number we should also be allowed to read the time creation anyway, and it 85 * can be handy to store and sort domain IDs for user space. 86 * 87 * Returns the value of next_id and increment it to let some space for the next 88 * one. 89 */ 90 static u64 get_id_range(size_t number_of_ids, atomic64_t *const counter, 91 u8 random_4bits) 92 { 93 u64 id, step; 94 95 /* 96 * We should return at least 1 ID, and we may need a set of consecutive 97 * ones (e.g. to generate a set of inodes). 98 */ 99 if (WARN_ON_ONCE(number_of_ids <= 0)) 100 number_of_ids = 1; 101 102 /* 103 * Blurs the next ID guess with 1/16 ratio. We get 2^(64 - 4) - 104 * (2 * 2^32), so a bit less than 2^60 available IDs, which should be 105 * much more than enough considering the number of CPU cycles required 106 * to get a new ID (e.g. a full landlock_restrict_self() call), and the 107 * cost of draining all available IDs during the system's uptime. 108 */ 109 random_4bits &= 0b1111; 110 step = number_of_ids + random_4bits; 111 112 /* It is safe to cast a signed atomic to an unsigned value. */ 113 id = atomic64_fetch_add(step, counter); 114 115 /* Warns if landlock_init_id() was not called. */ 116 WARN_ON_ONCE(id == COUNTER_PRE_INIT); 117 return id; 118 } 119 120 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST 121 122 static u8 get_random_u8_positive(void) 123 { 124 /* max() evaluates its arguments once. */ 125 return max(1, get_random_u8()); 126 } 127 128 static void test_range1_rand0(struct kunit *const test) 129 { 130 atomic64_t counter; 131 u64 init; 132 133 init = get_random_u32(); 134 atomic64_set(&counter, init); 135 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 0), init); 136 KUNIT_EXPECT_EQ(test, 137 get_id_range(get_random_u8_positive(), &counter, 138 get_random_u8()), 139 init + 1); 140 } 141 142 static void test_range1_rand1(struct kunit *const test) 143 { 144 atomic64_t counter; 145 u64 init; 146 147 init = get_random_u32(); 148 atomic64_set(&counter, init); 149 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 1), init); 150 KUNIT_EXPECT_EQ(test, 151 get_id_range(get_random_u8_positive(), &counter, 152 get_random_u8()), 153 init + 2); 154 } 155 156 static void test_range1_rand15(struct kunit *const test) 157 { 158 atomic64_t counter; 159 u64 init; 160 161 init = get_random_u32(); 162 atomic64_set(&counter, init); 163 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 15), init); 164 KUNIT_EXPECT_EQ(test, 165 get_id_range(get_random_u8_positive(), &counter, 166 get_random_u8()), 167 init + 16); 168 } 169 170 static void test_range1_rand16(struct kunit *const test) 171 { 172 atomic64_t counter; 173 u64 init; 174 175 init = get_random_u32(); 176 atomic64_set(&counter, init); 177 KUNIT_EXPECT_EQ(test, get_id_range(1, &counter, 16), init); 178 KUNIT_EXPECT_EQ(test, 179 get_id_range(get_random_u8_positive(), &counter, 180 get_random_u8()), 181 init + 1); 182 } 183 184 static void test_range2_rand0(struct kunit *const test) 185 { 186 atomic64_t counter; 187 u64 init; 188 189 init = get_random_u32(); 190 atomic64_set(&counter, init); 191 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 0), init); 192 KUNIT_EXPECT_EQ(test, 193 get_id_range(get_random_u8_positive(), &counter, 194 get_random_u8()), 195 init + 2); 196 } 197 198 static void test_range2_rand1(struct kunit *const test) 199 { 200 atomic64_t counter; 201 u64 init; 202 203 init = get_random_u32(); 204 atomic64_set(&counter, init); 205 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 1), init); 206 KUNIT_EXPECT_EQ(test, 207 get_id_range(get_random_u8_positive(), &counter, 208 get_random_u8()), 209 init + 3); 210 } 211 212 static void test_range2_rand2(struct kunit *const test) 213 { 214 atomic64_t counter; 215 u64 init; 216 217 init = get_random_u32(); 218 atomic64_set(&counter, init); 219 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 2), init); 220 KUNIT_EXPECT_EQ(test, 221 get_id_range(get_random_u8_positive(), &counter, 222 get_random_u8()), 223 init + 4); 224 } 225 226 static void test_range2_rand15(struct kunit *const test) 227 { 228 atomic64_t counter; 229 u64 init; 230 231 init = get_random_u32(); 232 atomic64_set(&counter, init); 233 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 15), init); 234 KUNIT_EXPECT_EQ(test, 235 get_id_range(get_random_u8_positive(), &counter, 236 get_random_u8()), 237 init + 17); 238 } 239 240 static void test_range2_rand16(struct kunit *const test) 241 { 242 atomic64_t counter; 243 u64 init; 244 245 init = get_random_u32(); 246 atomic64_set(&counter, init); 247 KUNIT_EXPECT_EQ(test, get_id_range(2, &counter, 16), init); 248 KUNIT_EXPECT_EQ(test, 249 get_id_range(get_random_u8_positive(), &counter, 250 get_random_u8()), 251 init + 2); 252 } 253 254 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ 255 256 /** 257 * landlock_get_id_range - Get a range of unique IDs 258 * 259 * @number_of_ids: Number of IDs to hold. Must be greater than one. 260 * 261 * Returns: The first ID in the range. 262 */ 263 u64 landlock_get_id_range(size_t number_of_ids) 264 { 265 return get_id_range(number_of_ids, &next_id, get_random_u8()); 266 } 267 268 #ifdef CONFIG_SECURITY_LANDLOCK_KUNIT_TEST 269 270 static struct kunit_case __refdata test_cases[] = { 271 /* clang-format off */ 272 KUNIT_CASE(test_init_min), 273 KUNIT_CASE(test_init_max), 274 KUNIT_CASE(test_init_once), 275 KUNIT_CASE(test_range1_rand0), 276 KUNIT_CASE(test_range1_rand1), 277 KUNIT_CASE(test_range1_rand15), 278 KUNIT_CASE(test_range1_rand16), 279 KUNIT_CASE(test_range2_rand0), 280 KUNIT_CASE(test_range2_rand1), 281 KUNIT_CASE(test_range2_rand2), 282 KUNIT_CASE(test_range2_rand15), 283 KUNIT_CASE(test_range2_rand16), 284 {} 285 /* clang-format on */ 286 }; 287 288 static struct kunit_suite test_suite = { 289 .name = "landlock_id", 290 .test_cases = test_cases, 291 }; 292 293 kunit_test_init_section_suite(test_suite); 294 295 #endif /* CONFIG_SECURITY_LANDLOCK_KUNIT_TEST */ 296