lsm: Clarify documentation of vm_enough_memory hook

include/linux/lsm_hooks.h reports the result of the LSM infrastructure to
the callers, not what LSMs should return to the LSM infrastructure.

Clarify that and add that if all LSMs return a positive value
__vm_enough_memory() will be called with cap_sys_admin set. If at least one
LSM returns 0 or negative, it will be called with cap_sys_admin cleared.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 2831efe..c35e260 100644 (file)
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -1398,7 +1398,11 @@
  *     Check permissions for allocating a new virtual mapping.
  *     @mm contains the mm struct it is being added to.
  *     @pages contains the number of pages.
- *     Return 0 if permission is granted.
+ *     Return 0 if permission is granted by the LSM infrastructure to the
+ *     caller. If all LSMs return a positive value, __vm_enough_memory() will
+ *     be called with cap_sys_admin set. If at least one LSM returns 0 or
+ *     negative, __vm_enough_memory() will be called with cap_sys_admin
+ *     cleared.
  *
  * @ismaclabel:
  *     Check if the extended attribute specified by @name