On Thu, Apr 11, 2024 at 8:24 AM Xu Kuohai <xukuohai@xxxxxxxxxxxxxxx> wrote:
>
> From: Xu Kuohai <xukuohai@xxxxxxxxxx>
>
> Add macro LSM_RET_INT to annotate lsm hook return integer type and the
> default return value, and the expected return range.
>
> The LSM_RET_INT is declared as:
>
> LSM_RET_INT(defval, min, max)
>
> where
>
> - defval is the default return value
>
> - min and max indicate the expected return range is [min, max]
>
> The return value range for each lsm hook is taken from the description
> in security/security.c.
>
> The expanded result of LSM_RET_INT is not changed, and the compiled
> product is not changed.
>
> Signed-off-by: Xu Kuohai <xukuohai@xxxxxxxxxx>
> ---
> include/linux/lsm_hook_defs.h | 591 +++++++++++++++++-----------------
> include/linux/lsm_hooks.h | 6 -
> kernel/bpf/bpf_lsm.c | 10 +
> security/security.c | 1 +
> 4 files changed, 313 insertions(+), 295 deletions(-)

...

> diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h
> index 334e00efbde4..708f515ffbf3 100644
> --- a/include/linux/lsm_hook_defs.h
> +++ b/include/linux/lsm_hook_defs.h
> @@ -18,435 +18,448 @@
> * The macro LSM_HOOK is used to define the data structures required by
> * the LSM framework using the pattern:
> *
> - * LSM_HOOK(<return_type>, <default_value>, <hook_name>, args...)
> + * LSM_HOOK(<return_type>, <return_description>, <hook_name>, args...)
> *
> * struct security_hook_heads {
> - * #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME;
> + * #define LSM_HOOK(RET, RETVAL_DESC, NAME, ...) struct hlist_head NAME;
> * #include <linux/lsm_hook_defs.h>
> * #undef LSM_HOOK
> * };
> */
> -LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr)
> -LSM_HOOK(int, 0, binder_transaction, const struct cred *from,
> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_set_context_mgr, const struct cred *mgr)
> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transaction, const struct cred *from,
> const struct cred *to)
> -LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from,
> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transfer_binder, const struct cred *from,
> const struct cred *to)
> -LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from,
> +LSM_HOOK(int, LSM_RET_INT(0, -MAX_ERRNO, 0), binder_transfer_file, const struct cred *from,
> const struct cred *to, const struct file *file)

I'm not overly excited about injecting these additional return value range annotations into the LSM hook definitions, especially since the vast majority of the hooks "returns 0 on success, negative values on error". I'd rather see some effort put into looking at the feasibility of converting some (all?) of the LSM hook return value exceptions into the more conventional 0/-ERRNO format. Unfortunately, I haven't had the time to look into that myself, but if you wanted to do that I think it would be a good thing.

--
paul-moore.com
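Review bot: the hunk relies on LSM_RET_INT and MAX_ERRNO being defined before include/linux/lsm_hook_defs.h is expanded, but neither definition is visible in this hunk, so the commit message's claim that the expansion (and the compiled product) is unchanged cannot be checked here; the struct security_hook_heads example in the header comment, which ignores its second macro argument, is the only includer shown, and any includer that actually uses RETVAL_DESC as a value would need LSM_RET_INT to collapse to defval. Every hook in the hunk carries the identical LSM_RET_INT(0, -MAX_ERRNO, 0) triple, so a short wrapper for the common "0 on success, -errno on failure" case would leave only the genuinely exceptional hooks spelling out a range and keep the definitions readable. The comment block is also inconsistent with itself after the change, naming the argument <return_description> in the LSM_HOOK prototype but RETVAL_DESC in the struct example; one name should be used in both places.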