From: Xu Kuohai <xukuohai@xxxxxxxxxx>
Add the macro LSM_RET_INT to annotate an LSM hook's integer return type with
its default return value and its expected return range.
The LSM_RET_INT is declared as:
LSM_RET_INT(defval, min, max)
where
- defval is the default return value
- min and max indicate the expected return range is [min, max]
The return value range for each lsm hook is taken from the description
in security/security.c.
The expanded result of LSM_RET_INT is not changed, and the compiled
product is not changed.
Signed-off-by: Xu Kuohai <xukuohai@xxxxxxxxxx>
---
include/linux/lsm_hook_defs.h | 591 +++++++++++++++++-----------------
include/linux/lsm_hooks.h | 6 -
kernel/bpf/bpf_lsm.c | 10 +
security/security.c | 1 +
4 files changed, 313 insertions(+), 295 deletions(-)
diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
index 334e00efbde4..708f515ffbf3 100644
--- a/include/linux/lsm_hook_defs.h
+++ b/include/linux/lsm_hook_defs.h
@@ -18,435 +18,448 @@
* The macro LSM_HOOK is used to define the data structures required by
* the LSM framework using the pattern:
*
- * LSM_HOOK(<return_type>, <default_value>, <hook_name>, args...)
+ * LSM_HOOK(<return_type>, <return_description>, <hook_name>, args...)
*
* struct security_hook_heads {
- * #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
+ * #define LSM_HOOK(RET, RETVAL_DESC, NAME, ...) struct hlist_head NAME;
* #include <linux/lsm_hook_defs.h>
* #undef LSM_HOOK
* };
*/
-LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
-LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
+LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_set_context_mgr, const struct cred *mgr)
+LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transaction, const struct cred *from,
const struct cred *to)
-LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
+LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transfer_binder, const struct cred *from,
const struct cred *to)
-LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
+LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transfer_file, const struct cred *from,
const struct cred *to, const struct file *file)