From 8ede1e86b2cfdbe7bb1e1913a08e068a82d4532c Mon Sep 17 00:00:00 2001
From: Lennart Poettering <lennart@poettering.net>
Date: Tue, 20 Apr 2021 16:08:43 +0200
Subject: [PATCH] loop-util: track CLOCK_MONOTONIC timestamp immediately before
 attaching a loopback device

This is similar to the preceding work to store the uevent seqnum, but
this stores the CLOCK_MONOTONIC timestamp.

Why? This allows to validate udev database entries, to determine if they
were created *after* we attached the device.

The uevent seqnum logic allows us to validate uevent, and the timestamp
database entries, hence together we should be able to validate both
sources of truth for us.

(note that this is all racy, just a bit less racy, since we cannot
atomically attach loopback devices and get the timestamp for it, the
same way we can't get the uevent seqnum. Thus is shortens the race
window, but doesn#t close it).
---
 src/shared/loop-util.c | 16 ++++++++++++++--
 src/shared/loop-util.h |  2 ++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/src/shared/loop-util.c b/src/shared/loop-util.c
index 3615995de09..c038e7aae6c 100644
--- a/src/shared/loop-util.c
+++ b/src/shared/loop-util.c
@@ -132,12 +132,14 @@ static int loop_configure(
                 int nr,
                 const struct loop_config *c,
                 bool *try_loop_configure,
-                uint64_t *ret_seqnum_not_before) {
+                uint64_t *ret_seqnum_not_before,
+                usec_t *ret_timestamp_not_before) {
 
         _cleanup_(sd_device_unrefp) sd_device *d = NULL;
         _cleanup_free_ char *sysname = NULL;
         _cleanup_close_ int lock_fd = -1;
         uint64_t seqnum;
+        usec_t timestamp;
         int r;
 
         assert(fd >= 0);
@@ -195,6 +197,7 @@ static int loop_configure(
                 r = get_current_uevent_seqnum(&seqnum);
                 if (r < 0)
                         return r;
+                timestamp = now(CLOCK_MONOTONIC);
 
                 if (ioctl(fd, LOOP_CONFIGURE, c) < 0) {
                         /* Do fallback only if LOOP_CONFIGURE is not supported, propagate all other
@@ -255,6 +258,8 @@ static int loop_configure(
 
                         if (ret_seqnum_not_before)
                                 *ret_seqnum_not_before = seqnum;
+                        if (ret_timestamp_not_before)
+                                *ret_timestamp_not_before = timestamp;
 
                         return 0;
                 }
@@ -264,6 +269,7 @@ static int loop_configure(
         r = get_current_uevent_seqnum(&seqnum);
         if (r < 0)
                 return r;
+        timestamp = now(CLOCK_MONOTONIC);
 
         /* Since kernel commit 5db470e229e22b7eda6e23b5566e532c96fb5bc3 (kernel v5.0) the LOOP_SET_STATUS64
          * ioctl can return EAGAIN in case we change the lo_offset field, if someone else is accessing the
@@ -294,6 +300,8 @@ static int loop_configure(
 
         if (ret_seqnum_not_before)
                 *ret_seqnum_not_before = seqnum;
+        if (ret_timestamp_not_before)
+                *ret_timestamp_not_before = timestamp;
 
         return 0;
 
@@ -353,6 +361,7 @@ int loop_device_make(
         struct loop_config config;
         LoopDevice *d = NULL;
         uint64_t seqnum = UINT64_MAX;
+        usec_t timestamp = USEC_INFINITY;
         struct stat st;
         int nr = -1, r;
 
@@ -396,6 +405,7 @@ int loop_device_make(
                                 .relinquished = true, /* It's not allocated by us, don't destroy it when this object is freed */
                                 .devno = st.st_rdev,
                                 .uevent_seqnum_not_before = UINT64_MAX,
+                                .timestamp_not_before = USEC_INFINITY,
                         };
 
                         *ret = d;
@@ -443,7 +453,7 @@ int loop_device_make(
                         if (!IN_SET(errno, ENOENT, ENXIO))
                                 return -errno;
                 } else {
-                        r = loop_configure(loop, nr, &config, &try_loop_configure, &seqnum);
+                        r = loop_configure(loop, nr, &config, &try_loop_configure, &seqnum, &timestamp);
                         if (r >= 0) {
                                 loop_with_fd = TAKE_FD(loop);
                                 break;
@@ -481,6 +491,7 @@ int loop_device_make(
                 .nr = nr,
                 .devno = st.st_rdev,
                 .uevent_seqnum_not_before = seqnum,
+                .timestamp_not_before = timestamp,
         };
 
         *ret = d;
@@ -617,6 +628,7 @@ int loop_device_open(const char *loop_path, int open_flags, LoopDevice **ret) {
                 .relinquished = true, /* It's not ours, don't try to destroy it when this object is freed */
                 .devno = st.st_dev,
                 .uevent_seqnum_not_before = UINT64_MAX,
+                .timestamp_not_before = USEC_INFINITY,
         };
 
         *ret = d;
diff --git a/src/shared/loop-util.h b/src/shared/loop-util.h
index 6df4f91c227..e06dfebb7c6 100644
--- a/src/shared/loop-util.h
+++ b/src/shared/loop-util.h
@@ -2,6 +2,7 @@
 #pragma once
 
 #include "macro.h"
+#include "time-util.h"
 
 typedef struct LoopDevice LoopDevice;
 
@@ -14,6 +15,7 @@ struct LoopDevice {
         char *node;
         bool relinquished;
         uint64_t uevent_seqnum_not_before; /* uevent sequm right before we attached the loopback device, or UINT64_MAX if we don't know */
+        usec_t timestamp_not_before; /* CLOCK_MONOTONIC timestamp taken immediately before attaching the loopback device, or USEC_INFINITY if we don't know */
 };
 
 int loop_device_make(int fd, int open_flags, uint64_t offset, uint64_t size, uint32_t loop_flags, LoopDevice **ret);