From: "Mickaël Salaün" <mic@digikod.net>
To: "Günther Noack" <gnoack3000@gmail.com>
Cc: "Eric Paris" <eparis@redhat.com>,
"Paul Moore" <paul@paul-moore.com>,
"Günther Noack" <gnoack@google.com>,
"Serge E . Hallyn" <serge@hallyn.com>,
"Ben Scarlato" <akhna@google.com>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Charles Zaffery" <czaffery@roblox.com>,
"Daniel Burgener" <dburgener@linux.microsoft.com>,
"Francis Laniel" <flaniel@linux.microsoft.com>,
"James Morris" <jmorris@namei.org>,
"Jann Horn" <jannh@google.com>, "Jeff Xu" <jeffxu@google.com>,
"Jorge Lucangeli Obes" <jorgelo@google.com>,
"Kees Cook" <kees@kernel.org>,
"Konstantin Meskhidze" <konstantin.meskhidze@huawei.com>,
"Matt Bobrowski" <mattbobrowski@google.com>,
"Mikhail Ivanov" <ivanov.mikhail1@huawei-partners.com>,
"Phil Sutter" <phil@nwl.cc>,
"Praveen K Paladugu" <prapal@linux.microsoft.com>,
"Robert Salvet" <robert.salvet@roblox.com>,
"Shervin Oloumi" <enlightened@google.com>,
"Song Liu" <song@kernel.org>,
"Tahera Fahimi" <fahimitahera@gmail.com>,
"Tyler Hicks" <code@tyhicks.com>,
audit@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH v5 02/24] landlock: Add unique ID generator
Date: Sat, 8 Mar 2025 19:40:18 +0100 [thread overview]
Message-ID: <20250308.moo2siethohX@digikod.net> (raw)
In-Reply-To: <20250307.db38587e80e7@gnoack.org>
On Fri, Mar 07, 2025 at 03:15:44PM +0100, Günther Noack wrote:
> On Fri, Jan 31, 2025 at 05:30:37PM +0100, Mickaël Salaün wrote:
> > --- /dev/null
> > +++ b/security/landlock/id.c
> > +static atomic64_t next_id = ATOMIC64_INIT(COUNTER_PRE_INIT);
> > +
> > +static void __init init_id(atomic64_t *const counter, const u32 random_32bits)
> > +{
> > + u64 init;
> > +
> > + /*
> > + * Ensures sure 64-bit values are always used by user space (or may
> > + * fail with -EOVERFLOW), and makes this testable.
> > + */
> > + init = 1ULL << 32;
> > +
> > + /*
> > + * Makes a large (2^32) boot-time value to limit ID collision in logs
> > + * from different boots, and to limit info leak about the number of
> > + * initially (relative to the reader) created elements (e.g. domains).
> > + */
> > + init += random_32bits;
> > +
> > + /* Sets first or ignores. This will be the first ID. */
> > + atomic64_cmpxchg(counter, COUNTER_PRE_INIT, init);
>
> It feels like this should always need to succeed. Or to say it the
> other way around: If this cmpxchg were to fail, the guarantees from
> your commit message would be broken. Maybe it would be worth handling
> that error case in a more direct way?
This should always succeed and with the current code it always succeed
because there is only one call to this function. This
atomic64_cmpxchg() is a safeguard to be sure that, even if there are
several calls to this function, the counter will only be initialized
once (i.e. cmpxchg only sets the counter if its value was 0)
We could add a WARN_ON(atomic64_cmpxchg()) but I don't see the point.
>
>
> > +static void __init test_init_once(struct kunit *const test)
> > +{
> > + const u64 first_init = 1ULL + U32_MAX;
> > + atomic64_t counter = ATOMIC64_INIT(COUNTER_PRE_INIT);
> > +
> > + init_id(&counter, 0);
> > + KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init);
> > +
> > + init_id(&counter, ~0);
> > + KUNIT_EXPECT_EQ(test, atomic64_read(&counter), first_init);
>
> Maybe we can annotate this with an explanatory message,
> to make it slightly clearer that this is the point of the test:
>
> KUNIT_EXPECT_EQ_MSG(test, atomic64_read(&counter), first_init,
> "should still have the same value after the subsequent init_id()");
Yep, good idea.
>
> –Günther
>
next prev parent reply other threads:[~2025-03-08 18:40 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-31 16:30 [PATCH v5 00/24] Landlock audit support Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 01/24] lsm: Add audit_log_lsm_data() helper Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 02/24] landlock: Add unique ID generator Mickaël Salaün
2025-03-07 14:15 ` Günther Noack
2025-03-08 18:40 ` Mickaël Salaün [this message]
2025-01-31 16:30 ` [PATCH v5 03/24] landlock: Move domain hierarchy management Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 04/24] landlock: Prepare to use credential instead of domain for filesystem Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 05/24] landlock: Prepare to use credential instead of domain for network Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 06/24] landlock: Prepare to use credential instead of domain for scope Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 07/24] landlock: Prepare to use credential instead of domain for fowner Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 08/24] landlock: Identify domain execution crossing Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 09/24] landlock: Add AUDIT_LANDLOCK_ACCESS and log ptrace denials Mickaël Salaün
2025-02-14 22:52 ` [PATCH v5 9/24] " Paul Moore
2025-02-18 19:19 ` Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 10/24] landlock: Add AUDIT_LANDLOCK_DOMAIN and log domain status Mickaël Salaün
2025-02-14 22:52 ` Paul Moore
2025-02-18 19:21 ` Mickaël Salaün
2025-02-26 23:41 ` Paul Moore
2025-01-31 16:30 ` [PATCH v5 11/24] landlock: Log mount-related denials Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 12/24] landlock: Log file-related denials Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 13/24] landlock: Log truncate and IOCTL denials Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 14/24] landlock: Log TCP bind and connect denials Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 15/24] landlock: Log scoped denials Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 16/24] landlock: Add LANDLOCK_RESTRICT_SELF_QUIET Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 17/24] landlock: Add LANDLOCK_RESTRICT_SELF_QUIET_SUBDOMAINS Mickaël Salaün
2025-01-31 20:28 ` kernel test robot
2025-01-31 16:30 ` [PATCH v5 18/24] landlock: Add LANDLOCK_RESTRICT_SELF_LOG_CROSS_EXEC Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 19/24] samples/landlock: Enable users to log sandbox denials Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 20/24] selftests/landlock: Extend tests for landlock_restrict_self()'s flags Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 21/24] selftests/landlock: Add tests for audit and LANDLOCK_RESTRICT_SELF_QUIET Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 22/24] selftests/landlock: Test audit with restrict flags Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 23/24] selftests/landlock: Add audit tests for ptrace Mickaël Salaün
2025-01-31 16:30 ` [PATCH v5 24/24] landlock: Add audit documentation Mickaël Salaün
2025-02-22 19:47 ` [PATCH v5 00/24] Landlock audit support Günther Noack
2025-02-25 19:51 ` Mickaël Salaün
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250308.moo2siethohX@digikod.net \
--to=mic@digikod.net \
--cc=akhna@google.com \
--cc=audit@vger.kernel.org \
--cc=casey@schaufler-ca.com \
--cc=code@tyhicks.com \
--cc=czaffery@roblox.com \
--cc=dburgener@linux.microsoft.com \
--cc=enlightened@google.com \
--cc=eparis@redhat.com \
--cc=fahimitahera@gmail.com \
--cc=flaniel@linux.microsoft.com \
--cc=gnoack3000@gmail.com \
--cc=gnoack@google.com \
--cc=ivanov.mikhail1@huawei-partners.com \
--cc=jannh@google.com \
--cc=jeffxu@google.com \
--cc=jmorris@namei.org \
--cc=jorgelo@google.com \
--cc=kees@kernel.org \
--cc=konstantin.meskhidze@huawei.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mattbobrowski@google.com \
--cc=paul@paul-moore.com \
--cc=phil@nwl.cc \
--cc=prapal@linux.microsoft.com \
--cc=robert.salvet@roblox.com \
--cc=serge@hallyn.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox