userspace: easy checking for specific driver

[andrewboie]

In general driver system calls are implemented at a subsystem
layer. However, some drivers may have capabilities specific to
the hardware not covered by the subsystem API. Such drivers may
want to define their own system calls.

This macro makes it simple to validate in the driver-specific
system call handlers that not only does the untrusted device
pointer correspond to the expected subsystem, initialization
state, and caller permissions, but also that the device object
is an instance of a specific driver (and not just any driver in
that subsystem).

Signed-off-by: Andrew Boie andrew.p.boie@intel.com

[pabigot]

Seems plausible, but I won't have a chance to test it until next week.

[codecov-io]

Codecov Report

Merging #12056 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master   #12056   +/-   ##
=======================================
  Coverage   48.05%   48.05%           
=======================================
  Files         281      281           
  Lines       43414    43414           
  Branches    10404    10404           
=======================================
  Hits        20862    20862           
  Misses      18403    18403           
  Partials     4149     4149

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 936d8bd...fd71011. Read the comment docs.

[dbkinder]

+1 for doc changes

[andrewboie]

recheck

[andyross]

Yup. Better than ioctl().

[ioannisg]

by ensuring?

[pabigot]

I don't think "by ensuring" would be correct. The ensuring is part of the checking that's already under "by". Perhaps:

It does this by checking that the init function pointer stored within the driver instance matches the provided value, which should be the address of the specific driver's init function.

[agross-oss]

lgtm