[Toybox] getrandom(2)

Rob Landley rob at landley.net
Fri Jul 6 21:40:45 PDT 2018


On 07/06/2018 09:55 PM, enh wrote:
> 
> 
> On Fri, Jul 6, 2018, 18:15 Rob Landley <rob at landley.net
> <mailto:rob at landley.net>> wrote:
> 
>     On 07/06/2018 03:14 PM, enh wrote:
>     > i'm not sure getrandom(2) is a good choice for a compile-time probe.
>     > certainly on Android it's common for your libc to be way ahead of your
>     > kernel.
> 
>     Hmmm. I didn't expect that. (libc provides a syscall wrapper for a syscall your
>     kernel doesn't have. Ok...)
> 
> Isn't musl the same? 

I have a longstanding argument with Rich about fork() being compile-time
probeable on nommu systems. Hence the MUSL_NOMMU_IS_BROKEN entry in Config.in.

The /dev/urandom fallback isn't a bad mitigation. The "this is a nommu system,
it _CAN'T_USE_NORMAL_ELF_BINARIES_, why are you pretending we're going to probe
for behavior differences _AT_RUNTIME_, and then needing to re-exec your own
binary when you forked (because vfork blocks the parent thread) and not being
able to reliably do so (/proc/self/exe isn't necessarily there in a chroot)
although I asked the kernel developers for a new API to make it suck less and I
should really test https://patchwork.kernel.org/patch/9949557/ but then it's
another new kernel api still requiring a fallback for 7 years of legacy support"...

Ahem. Can of worms.

>     Hmmm... I can't compile time probe for what the syscalls return because cross
>     compiling (and potentially deploying on a different kernel), and I don't want to
>     make the fallback code ubiquitous because embedded. Hmmm...
> 
> Why not?

I dislike having code that shouldn't be used built in. (I'm kinda unhappy about
having multiple codepaths do the same thing, having explicit config knobs to
test themand a plan to make one go away eventually mitigates it. You'll note it
took me this long to do it, even though I've known about it since
http://lists.busybox.net/pipermail/busybox/2016-June/084336.html or so.

>     I suppose I could make the fallback code's presence depend on
>     CONFIG_TOYBOX_ANDROID?
> 
>     > in this specific case, on Android getrandom(2) is very likely
>     > to return ENOSYS. for the arc4random functions (from BSD) we'll try
>     > getrandom but fall back to open/read/close. seems like xgetrandom
>     > might be better off doing that, on the assumption that folks will try
>     > to use prebuilts on old devices/hosts?
> 
>     Whereas on glibc I have the exact _opposite_ problem, 'FATAL: kernel too old" in
>     the library loader or entry code, because glibc checks the kernel version and
>     refuses to run on one older than it was built on. (I.E. gnu/dammit anything is
>     insane, part several thousand something.)
> 
> Oh, weird. I didn't know that. My Linux hosts usually have the opposite problem
> of a kernel years newer than their libc. 

Bask in the horror:

https://sourceware.org/git/?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/dl-osinfo.h;h=416ef93c477170569dcf16f5b9e8ab63fd5c3da6;hb=HEAD#l29

> I was actually assuming you'd be best off just removing the compile time check
> and using syscall(3). Wouldn't that be best for your musl prebuilts? And still
> work fine for glibc. 

What I'm thinking is once the system call is 7 years old I can just assume it's
there and remove the probe and the fallback code. The man page says it was added
to the 3.17 kernel which was released October 2014, so a little over 3 years
from now.

It's more that the existence of the CONFIG symbol is likely to remind me to
remove the fallback workaround someday, whereas if I just have it there in
portability.c it's more likely to fall off my todo list. (I see the menuconfig
contents more often.)

If the need for the fallback was _never_ going to go away, I'd probably just
leave it reading from /dev/urandom as the One True Codepath that works
everywhere. "Simple" is a local minima affected by ambient topology. :)

>     Rob

Rob


More information about the Toybox mailing list