apparmor: fix documentation mismatches in val_mask_to_str and socket functions

This patch fixes kernel-doc warnings: 1. val_mask_to_str: - Added missing descriptions for `size` and `table` parameters. - Removed outdated str_size and chrs references. 2. Socket Functions: - Makes non-null requirements clear for socket/address args. - Standardizes return values per kernel conventions. - Adds Unix domain socket protocol details. These changes silence doc validation warnings and improve accuracy for AppArmor LSM docs. Signed-off-by: Peng Jiang <jiang.peng9@zte.com.cn> Signed-off-by: John Johansen <john.johansen@canonical.com>
2026-01-24 23:16:46 +00:00 · 2025-06-23 14:41:11 +08:00
parent 4ce7d3cf5a
commit f9c9dce01e
2 changed files with 23 additions and 3 deletions
--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -85,7 +85,7 @@ int aa_parse_debug_params(const char *str)
 * val_mask_to_str - convert a perm mask to its short string
 * @str: character buffer to store string in (at least 10 characters)
 * @size: size of the @str buffer
- * @table: NUL-terminated character buffer of permission characters
+ * @table: NUL-terminated character buffer of permission characters (NOT NULL)
 * @mask: permission mask to convert
 */
 static int val_mask_to_str(char *str, size_t size,
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1186,6 +1186,10 @@ static void unix_connect_peers(struct aa_sk_ctx *sk_ctx,
 * @peer_sk: sk that is accepting the connection
 * @newsk: new sk created for this connection
 * peer is locked when this hook is called
+ *
+ * Return:
+ *   0 if connection is permitted
+ *   error code on denial or failure
 */
 static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 					struct sock *newsk)
@@ -1221,8 +1225,16 @@ static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
 * @sock: socket sending the message
 * @peer: socket message is being send to
 *
+ * Performs bidirectional permission checks for Unix domain socket communication:
+ * 1. Verifies sender has AA_MAY_SEND to target socket
+ * 2. Verifies receiver has AA_MAY_RECEIVE from source socket
+ *
 * sock and peer are locked when this hook is called
 * called by: dgram_connect peer setup but path not copied to newsk
+ *
+ * Return:
+ *   0 if transmission is permitted
+ *   error code on denial or failure
 */
 static int apparmor_unix_may_send(struct socket *sock, struct socket *peer)
 {
@@ -1339,9 +1351,17 @@ static int apparmor_socket_socketpair(struct socket *socka,

 /**
 * apparmor_socket_bind - check perms before bind addr to socket
- * @sock: socket to bind the address to
- * @address: address that is being bound
+ * @sock: socket to bind the address to (must be non-NULL)
+ * @address: address that is being bound (must be non-NULL)
 * @addrlen: length of @address
+ *
+ * Performs security checks before allowing a socket to bind to an address.
+ * Handles Unix domain sockets specially through aa_unix_bind_perm().
+ * For other socket families, uses generic permission check via aa_sk_perm().
+ *
+ * Return:
+ *   0 if binding is permitted
+ *   error code on denial or invalid parameters
 */
 static int apparmor_socket_bind(struct socket *sock,
 				struct sockaddr *address, int addrlen)