mailing list of musl libc
* [PATCH] Add getrandom syscall wrapper function
@ 2018-01-01 20:31 Hauke Mehrtens
  2018-01-01 20:47 ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Hauke Mehrtens @ 2018-01-01 20:31 UTC (permalink / raw)
  To: musl; +Cc: Hauke Mehrtens

This syscall is available since Linux 3.17 and was also implemented in
glibc in version 2.25. This is a pure syscall wrapper like glibc does
it.
---
 include/sys/random.h  | 19 +++++++++++++++++++
 src/linux/getrandom.c | 11 +++++++++++
 2 files changed, 30 insertions(+)
 create mode 100644 include/sys/random.h
 create mode 100644 src/linux/getrandom.c

diff --git a/include/sys/random.h b/include/sys/random.h
new file mode 100644
index 00000000..5540f877
--- /dev/null
+++ b/include/sys/random.h
@@ -0,0 +1,19 @@
+#ifndef _SYS_RANDOM_H
+#define _SYS_RANDOM_H
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define __NEED_size_t
+#define __NEED_ssize_t
+#include <bits/alltypes.h>
+
+#define GRND_NONBLOCK	0x0001
+#define GRND_RANDOM	0x0002
+
+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
+
+#ifdef __cplusplus
+}
+#endif
+#endif
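Review bot: the prototype line "ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);" names its parameters, and in an installed public header those names are exposed to the application's namespace: a program that defines a macro called buf or flags before including <sys/random.h> breaks the declaration. Declaring it without parameter names, as in "ssize_t getrandom(void *, size_t, unsigned);", avoids that. GRND_NONBLOCK and GRND_RANDOM also carry no comment saying what each flag selects; a one-line comment on each would help readers of the header.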
diff --git a/src/linux/getrandom.c b/src/linux/getrandom.c
new file mode 100644
index 00000000..50b07df9
--- /dev/null
+++ b/src/linux/getrandom.c
@@ -0,0 +1,11 @@
+#include <sys/random.h>
+#include "syscall.h"
+
+ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
+{
+#ifdef SYS_getrandom
+	return syscall_cp(SYS_getrandom, buf, buflen, flags);
+#else
+	return __syscall_ret(-ENOSYS);
+#endif
+}
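Review bot: the #else branch in getrandom() turns a missing SYS_getrandom definition into a runtime ENOSYS instead of a build failure, so a port whose syscall headers lack the number would silently ship a getrandom() that can never succeed. Drop the #ifdef and call syscall_cp(SYS_getrandom, buf, buflen, flags) unconditionally, so that a missing number fails at compile time. It is also worth a comment that the wrapper passes the syscall result straight through, so a short count or an EINTR failure reaches the caller, who has to loop.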
-- 
2.11.0




* Re: [PATCH] Add getrandom syscall wrapper function
  2018-01-01 20:31 [PATCH] Add getrandom syscall wrapper function Hauke Mehrtens
@ 2018-01-01 20:47 ` Rich Felker
  2018-01-01 21:51   ` Hauke Mehrtens
  0 siblings, 1 reply; 7+ messages in thread
From: Rich Felker @ 2018-01-01 20:47 UTC (permalink / raw)
  To: musl

On Mon, Jan 01, 2018 at 09:31:23PM +0100, Hauke Mehrtens wrote:
> This syscall is available since Linux 3.17 and was also implemented in
> glibc in version 2.25. This is a pure syscall wrapper like glibc does
> it.
> ---
>  include/sys/random.h  | 19 +++++++++++++++++++
>  src/linux/getrandom.c | 11 +++++++++++
>  2 files changed, 30 insertions(+)
>  create mode 100644 include/sys/random.h
>  create mode 100644 src/linux/getrandom.c
> 
> diff --git a/include/sys/random.h b/include/sys/random.h
> new file mode 100644
> index 00000000..5540f877
> --- /dev/null
> +++ b/include/sys/random.h
> @@ -0,0 +1,19 @@
> +#ifndef _SYS_RANDOM_H
> +#define _SYS_RANDOM_H
> +#ifdef __cplusplus
> +extern "C" {
> +#endif
> +
> +#define __NEED_size_t
> +#define __NEED_ssize_t
> +#include <bits/alltypes.h>
> +
> +#define GRND_NONBLOCK	0x0001
> +#define GRND_RANDOM	0x0002
> +
> +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
> +
> +#ifdef __cplusplus
> +}
> +#endif
> +#endif
> diff --git a/src/linux/getrandom.c b/src/linux/getrandom.c
> new file mode 100644
> index 00000000..50b07df9
> --- /dev/null
> +++ b/src/linux/getrandom.c
> @@ -0,0 +1,11 @@
> +#include <sys/random.h>
> +#include "syscall.h"
> +
> +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
> +{
> +#ifdef SYS_getrandom
> +	return syscall_cp(SYS_getrandom, buf, buflen, flags);
> +#else
> +	return __syscall_ret(-ENOSYS);
> +#endif
> +}
> -- 
> 2.11.0

The #ifdef doesn't make sense; if the definition is missing then it's
a bug in musl source.

Aside from that I think the patch is okay but I'm not sure it's
complete. There should probably also be getentropy(), and we've
discussed in the past but never reached any conclusion on whether
there should be a fallback when the syscall doesn't exist (running on
old kernel).

Rich



* Re: [PATCH] Add getrandom syscall wrapper function
  2018-01-01 20:47 ` Rich Felker
@ 2018-01-01 21:51   ` Hauke Mehrtens
  2018-01-01 22:03     ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Hauke Mehrtens @ 2018-01-01 21:51 UTC (permalink / raw)
  To: musl, Rich Felker

On 01/01/2018 09:47 PM, Rich Felker wrote:
> On Mon, Jan 01, 2018 at 09:31:23PM +0100, Hauke Mehrtens wrote:
>> This syscall is available since Linux 3.17 and was also implemented in
>> glibc in version 2.25. This is a pure syscall wrapper like glibc does
>> it.
>> ---
>>  include/sys/random.h  | 19 +++++++++++++++++++
>>  src/linux/getrandom.c | 11 +++++++++++
>>  2 files changed, 30 insertions(+)
>>  create mode 100644 include/sys/random.h
>>  create mode 100644 src/linux/getrandom.c
>>
>> diff --git a/include/sys/random.h b/include/sys/random.h
>> new file mode 100644
>> index 00000000..5540f877
>> --- /dev/null
>> +++ b/include/sys/random.h
>> @@ -0,0 +1,19 @@
>> +#ifndef _SYS_RANDOM_H
>> +#define _SYS_RANDOM_H
>> +#ifdef __cplusplus
>> +extern "C" {
>> +#endif
>> +
>> +#define __NEED_size_t
>> +#define __NEED_ssize_t
>> +#include <bits/alltypes.h>
>> +
>> +#define GRND_NONBLOCK	0x0001
>> +#define GRND_RANDOM	0x0002
>> +
>> +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
>> +
>> +#ifdef __cplusplus
>> +}
>> +#endif
>> +#endif
>> diff --git a/src/linux/getrandom.c b/src/linux/getrandom.c
>> new file mode 100644
>> index 00000000..50b07df9
>> --- /dev/null
>> +++ b/src/linux/getrandom.c
>> @@ -0,0 +1,11 @@
>> +#include <sys/random.h>
>> +#include "syscall.h"
>> +
>> +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
>> +{
>> +#ifdef SYS_getrandom
>> +	return syscall_cp(SYS_getrandom, buf, buflen, flags);
>> +#else
>> +	return __syscall_ret(-ENOSYS);
>> +#endif
>> +}
>> -- 
>> 2.11.0
> 
> The #ifdef doesn't make sense; if the definition is missing then it's
> a bug in musl source.

Ok, if I can assume that SYS_getrandom is always defined I will remove this.

> Aside from that I think the patch is okay but I'm not sure it's
> complete. There should probably also be getentropy(),

Adding getentropy() should not be so hard, I can do that.

> and we've
> discussed in the past but never reached any conclusion on whether
> there should be a fallback when the syscall doesn't exist (running on
> old kernel).

glibc does not have a fallback for this syscall; there was a long
discussion about this, see here: https://lwn.net/Articles/711013/
As they never found a good solution for their fallback. I think musl
should also not provide a fallback.

This is the glibc implementation:
https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=92dcaa3e2f7bf0f7f1c04cd2fb6a317df1a4e225

Hauke
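
The getentropy() idea and the no-fallback decision from the messages above, as an added example that is not part of the thread or of musl's source. The names raw_getrandom and fill_entropy are hypothetical; the 256-byte cap with EIO follows the getentropy() convention of OpenBSD and glibc, and the example calls syscall(2) directly so it builds on a libc that lacks the wrapper.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>

/* Thin wrapper with no fallback, like the one in the patch: on a kernel
 * older than 3.17 the call fails with ENOSYS and the caller sees it. */
static ssize_t raw_getrandom(void *buf, size_t len, unsigned flags)
{
	return syscall(SYS_getrandom, buf, len, flags);
}

/* fill_entropy() is a hypothetical name for a getentropy()-style helper:
 * it fills the whole buffer or fails, never returns a partial result. */
int fill_entropy(void *buf, size_t len)
{
	unsigned char *p = buf;

	if (len > 256) {		/* getentropy() convention: EIO */
		errno = EIO;
		return -1;
	}
	while (len) {
		ssize_t n = raw_getrandom(p, len, 0);
		if (n < 0) {
			if (errno == EINTR)
				continue;	/* interrupted: retry */
			return -1;		/* ENOSYS etc.: fail closed */
		}
		p += n;			/* short count: ask for the rest */
		len -= (size_t)n;
	}
	return 0;
}

int main(void)
{
	unsigned char key[32];

	if (fill_entropy(key, sizeof key) != 0) {
		perror("fill_entropy");	/* do not continue with a weak key */
		return 1;
	}
	for (size_t i = 0; i < sizeof key; i++)
		printf("%02x", key[i]);
	putchar('\n');
	return 0;
}
```

With flags set to 0 the call blocks until the kernel's pool has been initialized, so the helper never hands back bytes from an unseeded generator.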



* Re: [PATCH] Add getrandom syscall wrapper function
  2018-01-01 21:51   ` Hauke Mehrtens
@ 2018-01-01 22:03     ` Rich Felker
  2018-01-02  2:14       ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Rich Felker @ 2018-01-01 22:03 UTC (permalink / raw)
  To: musl

On Mon, Jan 01, 2018 at 10:51:34PM +0100, Hauke Mehrtens wrote:
> On 01/01/2018 09:47 PM, Rich Felker wrote:
> > On Mon, Jan 01, 2018 at 09:31:23PM +0100, Hauke Mehrtens wrote:
> >> This syscall is available since Linux 3.17 and was also implemented in
> >> glibc in version 2.25. This is a pure syscall wrapper like glibc does
> >> it.
> >> ---
> >>  include/sys/random.h  | 19 +++++++++++++++++++
> >>  src/linux/getrandom.c | 11 +++++++++++
> >>  2 files changed, 30 insertions(+)
> >>  create mode 100644 include/sys/random.h
> >>  create mode 100644 src/linux/getrandom.c
> >>
> >> diff --git a/include/sys/random.h b/include/sys/random.h
> >> new file mode 100644
> >> index 00000000..5540f877
> >> --- /dev/null
> >> +++ b/include/sys/random.h
> >> @@ -0,0 +1,19 @@
> >> +#ifndef _SYS_RANDOM_H
> >> +#define _SYS_RANDOM_H
> >> +#ifdef __cplusplus
> >> +extern "C" {
> >> +#endif
> >> +
> >> +#define __NEED_size_t
> >> +#define __NEED_ssize_t
> >> +#include <bits/alltypes.h>
> >> +
> >> +#define GRND_NONBLOCK	0x0001
> >> +#define GRND_RANDOM	0x0002
> >> +
> >> +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags);
> >> +
> >> +#ifdef __cplusplus
> >> +}
> >> +#endif
> >> +#endif
> >> diff --git a/src/linux/getrandom.c b/src/linux/getrandom.c
> >> new file mode 100644
> >> index 00000000..50b07df9
> >> --- /dev/null
> >> +++ b/src/linux/getrandom.c
> >> @@ -0,0 +1,11 @@
> >> +#include <sys/random.h>
> >> +#include "syscall.h"
> >> +
> >> +ssize_t getrandom(void *buf, size_t buflen, unsigned int flags)
> >> +{
> >> +#ifdef SYS_getrandom
> >> +	return syscall_cp(SYS_getrandom, buf, buflen, flags);
> >> +#else
> >> +	return __syscall_ret(-ENOSYS);
> >> +#endif
> >> +}
> >> -- 
> >> 2.11.0
> > 
> > The #ifdef doesn't make sense; if the definition is missing then it's
> > a bug in musl source.
> 
> Ok, if I can assume that SYS_getrandom is always defined I will remove this.
> 
> > Aside from that I think the patch is okay but I'm not sure it's
> > complete. There should probably also be getentropy(),
> 
> Adding getentropy() should not be so hard, I can do that.
> 
> > and we've
> > discussed in the past but never reached any conclusion on whether
> > there should be a fallback when the syscall doesn't exist (running on
> > old kernel).
> 
> glibc does not have a fallback for this syscall; there was a long
> discussion about this, see here: https://lwn.net/Articles/711013/
> As they never found a good solution for their fallback. I think musl
> should also not provide a fallback.
> 
> This is the glibc implementation:
> https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=92dcaa3e2f7bf0f7f1c04cd2fb6a317df1a4e225

I think we can add it for now with no fallback to unblock things
waiting on it, and also consider adding fallback. If/when we add
arc4random/posix_random, we will have a perfectly reasonable backend
we can use in the absence of the syscall. It would initialize its
entropy from AT_RANDOM on kernels that have it and from the legacy
sysctl random source on kernels too old to have AT_RANDOM.

Rich



* Re: [PATCH] Add getrandom syscall wrapper function
  2018-01-01 22:03     ` Rich Felker
@ 2018-01-02  2:14       ` Rich Felker
  2018-01-02 15:27         ` Szabolcs Nagy
  0 siblings, 1 reply; 7+ messages in thread
From: Rich Felker @ 2018-01-02  2:14 UTC (permalink / raw)
  To: musl

On Mon, Jan 01, 2018 at 05:03:54PM -0500, Rich Felker wrote:
> > > and we've
> > > discussed in the past but never reached any conclusion on whether
> > > there should be a fallback when the syscall doesn't exist (running on
> > > old kernel).
> > 
> > > glibc does not have a fallback for this syscall; there was a long
> > discussion about this, see here: https://lwn.net/Articles/711013/
> > As they never found a good solution for their fallback. I think musl
> > should also not provide a fallback.

Interesting that the biggest issue seems to have been about using file
descriptors as the fallback. That's something I never considered using
in musl since we have AT_RANDOM and sysctl on ancient kernels that
lack it. There are a small number of kernels between when sysctl
started spamming syslog with deprecation warnings and when AT_RANDOM
was added but I don't really care about those; it still works anyway.

Rich



* Re: [PATCH] Add getrandom syscall wrapper function
  2018-01-02  2:14       ` Rich Felker
@ 2018-01-02 15:27         ` Szabolcs Nagy
  2018-01-02 18:09           ` Rich Felker
  0 siblings, 1 reply; 7+ messages in thread
From: Szabolcs Nagy @ 2018-01-02 15:27 UTC (permalink / raw)
  To: musl

* Rich Felker <dalias@libc.org> [2018-01-01 21:14:03 -0500]:
> > > glibc does not have a fallback for this syscall; there was a long
> > > discussion about this, see here: https://lwn.net/Articles/711013/
> > > As they never found a good solution for their fallback. I think musl
> > > should also not provide a fallback.
> 
> Interesting that the biggest issue seems to have been about using file
> descriptors as the fallback. That's something I never considered using
> in musl since we have AT_RANDOM and sysctl on ancient kernels that
> lack it. There are a small number of kernels between when sysctl
> started spamming syslog with deprecation warnings and when AT_RANDOM
> was added but I don't really care about those; it still works anyway.

note that getrandom gives new entropy after fork
but AT_RANDOM is the same.



* Re: [PATCH] Add getrandom syscall wrapper function
  2018-01-02 15:27         ` Szabolcs Nagy
@ 2018-01-02 18:09           ` Rich Felker
  0 siblings, 0 replies; 7+ messages in thread
From: Rich Felker @ 2018-01-02 18:09 UTC (permalink / raw)
  To: musl

On Tue, Jan 02, 2018 at 04:27:59PM +0100, Szabolcs Nagy wrote:
> * Rich Felker <dalias@libc.org> [2018-01-01 21:14:03 -0500]:
> > > > glibc does not have a fallback for this syscall; there was a long
> > > > discussion about this, see here: https://lwn.net/Articles/711013/
> > > > As they never found a good solution for their fallback. I think musl
> > > > should also not provide a fallback.
> > 
> > Interesting that the biggest issue seems to have been about using file
> > descriptors as the fallback. That's something I never considered using
> > in musl since we have AT_RANDOM and sysctl on ancient kernels that
> > lack it. There are a small number of kernels between when sysctl
> > started spamming syslog with deprecation warnings and when AT_RANDOM
> > was added but I don't really care about those; it still works anyway.
> 
> note that getrandom gives new entropy after fork
> but AT_RANDOM is the same.

The concept of "new entropy" is not meaningful. Yes, a naive
AT_RANDOM-based approach would share state between parent and child in
a program that forks without exec, which would be bad, but the obvious
way you do this is (1) consume AT_RANDOM and overwrite it with the
output of the internal csPRNG so that getauxval(AT_RANDOM) doesn't
leak sensitive state, and (2) step the csPRNG twice at fork, using the
outputs as the new state in the parent and child so that neither can
predict the other's state.

Admittedly such a random number source is not hard against
heartbleed-type attacks, so you probably should still prefer
SYS_getrandom when it's available. On modern systems where people
really care, it will be available anyway.

Rich

