[PATCH v3 0/2] implement OA2_INHERIT_CRED flag for openat2()

From: Stas Sergeev
Date: Tue Apr 23 2024 - 18:48:27 EST


This patch-set implements the OA2_INHERIT_CRED flag for openat2() syscall.
It is needed to perform an open operation with the creds that were in
effect when the dir_fd was opened. This allows the process to pre-open
some dirs and switch eUID (and other UIDs/GIDs) to the less-privileged
user, while still retaining the possibility to open/create files within
the pre-opened directory set.

The more detailed description (including security considerations)
is available in the log messages of individual patches.

Changes in v3:
- partially revert v2 changes to avoid overriding capabilities.
Only the bare minimum is overridden: fsuid, fsgid and group_info.
Document the fact the full cred override is unwanted, as it may
represent an unneeded security risk.

Changes in v2:
- capture full struct cred instead of just fsuid/fsgid.
Suggested by Stefan Metzmacher <metze@xxxxxxxxx>

CC: Stefan Metzmacher <metze@xxxxxxxxx>
CC: Eric Biederman <ebiederm@xxxxxxxxxxxx>
CC: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
CC: Andy Lutomirski <luto@xxxxxxxxxx>
CC: Christian Brauner <brauner@xxxxxxxxxx>
CC: Jan Kara <jack@xxxxxxx>
CC: Jeff Layton <jlayton@xxxxxxxxxx>
CC: Chuck Lever <chuck.lever@xxxxxxxxxx>
CC: Alexander Aring <alex.aring@xxxxxxxxx>
CC: linux-fsdevel@xxxxxxxxxxxxxxx
CC: linux-kernel@xxxxxxxxxxxxxxx
CC: linux-api@xxxxxxxxxxxxxxx
CC: Paolo Bonzini <pbonzini@xxxxxxxxxx>
CC: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

--
2.44.0