Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Potential improvements to use of /dev/random on Linux/Android #451

Closed
2 tasks
briansmith opened this issue Jun 3, 2024 · 6 comments · Fixed by #522
Closed
2 tasks

Potential improvements to use of /dev/random on Linux/Android #451

briansmith opened this issue Jun 3, 2024 · 6 comments · Fixed by #522
Labels
documentation enhancement New feature or request

Comments

@briansmith
Copy link
Contributor

briansmith commented Jun 3, 2024

  • 1. The man page says that Linux returns ENOMEM and never EAGAIN. Since this code is Linux-specific, should we remove the EAGAIN case in the poll loop? Should we replace it with an ENOMEM case?
  • 2. The man page directs the user to note that poll may return "spurious readiness notifications" where poll indicates the file is readable when it actually isn't. Especially in the case of pre-getrandom-syscall-capable Linux versions, are such spurious readiness notifications possible? If so, this would be counter to the goal of polling but not reading /dev/random.
@briansmith
Copy link
Contributor Author

briansmith commented Jun 3, 2024

@briansmith
Copy link
Contributor Author

briansmith commented Jun 3, 2024

  • 4. The above PRs mention a few syscalls that poll() may be mapped to. ppoll_time64 is available from Linux 5.1+. Thus, people may need to update their seccomp filters to work on Linux 5.1. In any case, if we're going to document seccomp compatibliity anywhere then we should mention this in that documentation. [Edit: Addressed in PR Linux/Android: Document /dev/random polling considerations. #452].

@briansmith
Copy link
Contributor Author

briansmith commented Jun 3, 2024

@josephlr josephlr added enhancement New feature or request documentation labels Jun 4, 2024
@briansmith
Copy link
Contributor Author

briansmith commented Jun 4, 2024

@josephlr
Copy link
Member

josephlr commented Jun 4, 2024

  1. See https://github.com/llvm/llvm-project/blob/3b2df5b6ee81cf2685c95728ff1baf795051c926/compiler-rt/include/sanitizer/linux_syscall_hooks.h#L1182-L1185. When sanitizers are enabled, it seems like we should be calling __sanitizer_syscall_pre_impl_poll and __sanitizer_syscall_post_impl_poll?

It seems like they also have methods in there for read, open, and close. I'm wondering if sanitizers being enabled just requires using a libc that has been modified to make those particular calls

@newpavlov
Copy link
Member

newpavlov commented Oct 16, 2024

I don't think we should spend too much effort on the fallback path trying to handle every possible edge case. This path is quite rare in practice and becomes even rarer with every passing day. The current code works fine and we do not have any complains from users.

  1. The man page says that Linux returns ENOMEM and never EAGAIN. Since this code is Linux-specific, should we remove the EAGAIN case in the poll loop? Should we replace it with an ENOMEM case?

Removal of the EAGAIN check sounds reasonable. I am not sure we can reasonably handle ENOMEM, so we probably should just return it.

  1. The man page directs the user to note that poll may return "spurious readiness notifications" where poll indicates the file is readable when it actually isn't.

IIUC it mostly happens with network devices. The select(2) man page (to which poll docs refer) states the following:

This could for example happen when data has arrived but upon examination has the wrong checksum and is discarded.

There is also a caveat about "other circumstances", but I couldn't find anything that applies to "virtual" files like /dev/random. We could replace the polling code with one byte read, but I think we can just ignore "spurious readiness" in our case. Especially considering that other libraries apparently do the same.

  1. https://doc.libsodium.org/usage#sodium_init-stalling-on-linux notes that even on pretty new Linux kernels, in certain environments that seems actually increasingly important, blocking on /dev/random becoming readable will stall an application. We might want to provide similar guidance.

I think this is already sufficiently addressed in the "early boot" section.

  1. When sanitizers are enabled, it seems like we should be calling __sanitizer_syscall_pre_impl_poll and __sanitizer_syscall_post_impl_poll?

I think we should just move responsibility for this to libc.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
documentation enhancement New feature or request
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants