 e163bc8e4a
			
		
	
	
	e163bc8e4a
	
	
	
		
			
			Clarify the purpose of the LSM interface with some brief examples and pointers to additional documentation. Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: James Morris <jmorris@namei.org>
		
			
				
	
	
		
			581 lines
		
	
	
	
		
			20 KiB
			
		
	
	
	
		
			Text
		
	
	
	
	
	
			
		
		
	
	
			581 lines
		
	
	
	
		
			20 KiB
			
		
	
	
	
		
			Text
		
	
	
	
	
	
| 			     ====================
 | |
| 			     CREDENTIALS IN LINUX
 | |
| 			     ====================
 | |
| 
 | |
| By: David Howells <dhowells@redhat.com>
 | |
| 
 | |
| Contents:
 | |
| 
 | |
|  (*) Overview.
 | |
| 
 | |
|  (*) Types of credentials.
 | |
| 
 | |
|  (*) File markings.
 | |
| 
 | |
|  (*) Task credentials.
 | |
| 
 | |
|      - Immutable credentials.
 | |
|      - Accessing task credentials.
 | |
|      - Accessing another task's credentials.
 | |
|      - Altering credentials.
 | |
|      - Managing credentials.
 | |
| 
 | |
|  (*) Open file credentials.
 | |
| 
 | |
|  (*) Overriding the VFS's use of credentials.
 | |
| 
 | |
| 
 | |
| ========
 | |
| OVERVIEW
 | |
| ========
 | |
| 
 | |
| There are several parts to the security check performed by Linux when one
 | |
| object acts upon another:
 | |
| 
 | |
|  (1) Objects.
 | |
| 
 | |
|      Objects are things in the system that may be acted upon directly by
 | |
|      userspace programs.  Linux has a variety of actionable objects, including:
 | |
| 
 | |
| 	- Tasks
 | |
| 	- Files/inodes
 | |
| 	- Sockets
 | |
| 	- Message queues
 | |
| 	- Shared memory segments
 | |
| 	- Semaphores
 | |
| 	- Keys
 | |
| 
 | |
|      As a part of the description of all these objects there is a set of
 | |
|      credentials.  What's in the set depends on the type of object.
 | |
| 
 | |
|  (2) Object ownership.
 | |
| 
 | |
|      Amongst the credentials of most objects, there will be a subset that
 | |
|      indicates the ownership of that object.  This is used for resource
 | |
|      accounting and limitation (disk quotas and task rlimits for example).
 | |
| 
 | |
|      In a standard UNIX filesystem, for instance, this will be defined by the
 | |
|      UID marked on the inode.
 | |
| 
 | |
|  (3) The objective context.
 | |
| 
 | |
|      Also amongst the credentials of those objects, there will be a subset that
 | |
|      indicates the 'objective context' of that object.  This may or may not be
 | |
|      the same set as in (2) - in standard UNIX files, for instance, this is the
 | |
|      defined by the UID and the GID marked on the inode.
 | |
| 
 | |
|      The objective context is used as part of the security calculation that is
 | |
|      carried out when an object is acted upon.
 | |
| 
 | |
|  (4) Subjects.
 | |
| 
 | |
|      A subject is an object that is acting upon another object.
 | |
| 
 | |
|      Most of the objects in the system are inactive: they don't act on other
 | |
|      objects within the system.  Processes/tasks are the obvious exception:
 | |
|      they do stuff; they access and manipulate things.
 | |
| 
 | |
|      Objects other than tasks may under some circumstances also be subjects.
 | |
|      For instance an open file may send SIGIO to a task using the UID and EUID
 | |
|      given to it by a task that called fcntl(F_SETOWN) upon it.  In this case,
 | |
|      the file struct will have a subjective context too.
 | |
| 
 | |
|  (5) The subjective context.
 | |
| 
 | |
|      A subject has an additional interpretation of its credentials.  A subset
 | |
|      of its credentials forms the 'subjective context'.  The subjective context
 | |
|      is used as part of the security calculation that is carried out when a
 | |
|      subject acts.
 | |
| 
 | |
|      A Linux task, for example, has the FSUID, FSGID and the supplementary
 | |
|      group list for when it is acting upon a file - which are quite separate
 | |
|      from the real UID and GID that normally form the objective context of the
 | |
|      task.
 | |
| 
 | |
|  (6) Actions.
 | |
| 
 | |
|      Linux has a number of actions available that a subject may perform upon an
 | |
|      object.  The set of actions available depends on the nature of the subject
 | |
|      and the object.
 | |
| 
 | |
|      Actions include reading, writing, creating and deleting files; forking or
 | |
|      signalling and tracing tasks.
 | |
| 
 | |
|  (7) Rules, access control lists and security calculations.
 | |
| 
 | |
|      When a subject acts upon an object, a security calculation is made.  This
 | |
|      involves taking the subjective context, the objective context and the
 | |
|      action, and searching one or more sets of rules to see whether the subject
 | |
|      is granted or denied permission to act in the desired manner on the
 | |
|      object, given those contexts.
 | |
| 
 | |
|      There are two main sources of rules:
 | |
| 
 | |
|      (a) Discretionary access control (DAC):
 | |
| 
 | |
| 	 Sometimes the object will include sets of rules as part of its
 | |
| 	 description.  This is an 'Access Control List' or 'ACL'.  A Linux
 | |
| 	 file may supply more than one ACL.
 | |
| 
 | |
| 	 A traditional UNIX file, for example, includes a permissions mask that
 | |
| 	 is an abbreviated ACL with three fixed classes of subject ('user',
 | |
| 	 'group' and 'other'), each of which may be granted certain privileges
 | |
| 	 ('read', 'write' and 'execute' - whatever those map to for the object
 | |
| 	 in question).  UNIX file permissions do not allow the arbitrary
 | |
| 	 specification of subjects, however, and so are of limited use.
 | |
| 
 | |
| 	 A Linux file might also sport a POSIX ACL.  This is a list of rules
 | |
| 	 that grants various permissions to arbitrary subjects.
 | |
| 
 | |
|      (b) Mandatory access control (MAC):
 | |
| 
 | |
| 	 The system as a whole may have one or more sets of rules that get
 | |
| 	 applied to all subjects and objects, regardless of their source.
 | |
| 	 SELinux and Smack are examples of this.
 | |
| 
 | |
| 	 In the case of SELinux and Smack, each object is given a label as part
 | |
| 	 of its credentials.  When an action is requested, they take the
 | |
| 	 subject label, the object label and the action and look for a rule
 | |
| 	 that says that this action is either granted or denied.
 | |
| 
 | |
| 
 | |
| ====================
 | |
| TYPES OF CREDENTIALS
 | |
| ====================
 | |
| 
 | |
| The Linux kernel supports the following types of credentials:
 | |
| 
 | |
|  (1) Traditional UNIX credentials.
 | |
| 
 | |
| 	Real User ID
 | |
| 	Real Group ID
 | |
| 
 | |
|      The UID and GID are carried by most, if not all, Linux objects, even if in
 | |
|      some cases it has to be invented (FAT or CIFS files for example, which are
 | |
|      derived from Windows).  These (mostly) define the objective context of
 | |
|      that object, with tasks being slightly different in some cases.
 | |
| 
 | |
| 	Effective, Saved and FS User ID
 | |
| 	Effective, Saved and FS Group ID
 | |
| 	Supplementary groups
 | |
| 
 | |
|      These are additional credentials used by tasks only.  Usually, an
 | |
|      EUID/EGID/GROUPS will be used as the subjective context, and real UID/GID
 | |
|      will be used as the objective.  For tasks, it should be noted that this is
 | |
|      not always true.
 | |
| 
 | |
|  (2) Capabilities.
 | |
| 
 | |
| 	Set of permitted capabilities
 | |
| 	Set of inheritable capabilities
 | |
| 	Set of effective capabilities
 | |
| 	Capability bounding set
 | |
| 
 | |
|      These are only carried by tasks.  They indicate superior capabilities
 | |
|      granted piecemeal to a task that an ordinary task wouldn't otherwise have.
 | |
|      These are manipulated implicitly by changes to the traditional UNIX
 | |
|      credentials, but can also be manipulated directly by the capset() system
 | |
|      call.
 | |
| 
 | |
|      The permitted capabilities are those caps that the process might grant
 | |
|      itself to its effective or permitted sets through capset().  This
 | |
|      inheritable set might also be so constrained.
 | |
| 
 | |
|      The effective capabilities are the ones that a task is actually allowed to
 | |
|      make use of itself.
 | |
| 
 | |
|      The inheritable capabilities are the ones that may get passed across
 | |
|      execve().
 | |
| 
 | |
|      The bounding set limits the capabilities that may be inherited across
 | |
|      execve(), especially when a binary is executed that will execute as UID 0.
 | |
| 
 | |
|  (3) Secure management flags (securebits).
 | |
| 
 | |
|      These are only carried by tasks.  These govern the way the above
 | |
|      credentials are manipulated and inherited over certain operations such as
 | |
|      execve().  They aren't used directly as objective or subjective
 | |
|      credentials.
 | |
| 
 | |
|  (4) Keys and keyrings.
 | |
| 
 | |
|      These are only carried by tasks.  They carry and cache security tokens
 | |
|      that don't fit into the other standard UNIX credentials.  They are for
 | |
|      making such things as network filesystem keys available to the file
 | |
|      accesses performed by processes, without the necessity of ordinary
 | |
|      programs having to know about security details involved.
 | |
| 
 | |
|      Keyrings are a special type of key.  They carry sets of other keys and can
 | |
|      be searched for the desired key.  Each process may subscribe to a number
 | |
|      of keyrings:
 | |
| 
 | |
| 	Per-thread keying
 | |
| 	Per-process keyring
 | |
| 	Per-session keyring
 | |
| 
 | |
|      When a process accesses a key, if not already present, it will normally be
 | |
|      cached on one of these keyrings for future accesses to find.
 | |
| 
 | |
|      For more information on using keys, see Documentation/security/keys.txt.
 | |
| 
 | |
|  (5) LSM
 | |
| 
 | |
|      The Linux Security Module allows extra controls to be placed over the
 | |
|      operations that a task may do.  Currently Linux supports several LSM
 | |
|      options.
 | |
| 
 | |
|      Some work by labelling the objects in a system and then applying sets of
 | |
|      rules (policies) that say what operations a task with one label may do to
 | |
|      an object with another label.
 | |
| 
 | |
|  (6) AF_KEY
 | |
| 
 | |
|      This is a socket-based approach to credential management for networking
 | |
|      stacks [RFC 2367].  It isn't discussed by this document as it doesn't
 | |
|      interact directly with task and file credentials; rather it keeps system
 | |
|      level credentials.
 | |
| 
 | |
| 
 | |
| When a file is opened, part of the opening task's subjective context is
 | |
| recorded in the file struct created.  This allows operations using that file
 | |
| struct to use those credentials instead of the subjective context of the task
 | |
| that issued the operation.  An example of this would be a file opened on a
 | |
| network filesystem where the credentials of the opened file should be presented
 | |
| to the server, regardless of who is actually doing a read or a write upon it.
 | |
| 
 | |
| 
 | |
| =============
 | |
| FILE MARKINGS
 | |
| =============
 | |
| 
 | |
| Files on disk or obtained over the network may have annotations that form the
 | |
| objective security context of that file.  Depending on the type of filesystem,
 | |
| this may include one or more of the following:
 | |
| 
 | |
|  (*) UNIX UID, GID, mode;
 | |
| 
 | |
|  (*) Windows user ID;
 | |
| 
 | |
|  (*) Access control list;
 | |
| 
 | |
|  (*) LSM security label;
 | |
| 
 | |
|  (*) UNIX exec privilege escalation bits (SUID/SGID);
 | |
| 
 | |
|  (*) File capabilities exec privilege escalation bits.
 | |
| 
 | |
| These are compared to the task's subjective security context, and certain
 | |
| operations allowed or disallowed as a result.  In the case of execve(), the
 | |
| privilege escalation bits come into play, and may allow the resulting process
 | |
| extra privileges, based on the annotations on the executable file.
 | |
| 
 | |
| 
 | |
| ================
 | |
| TASK CREDENTIALS
 | |
| ================
 | |
| 
 | |
| In Linux, all of a task's credentials are held in (uid, gid) or through
 | |
| (groups, keys, LSM security) a refcounted structure of type 'struct cred'.
 | |
| Each task points to its credentials by a pointer called 'cred' in its
 | |
| task_struct.
 | |
| 
 | |
| Once a set of credentials has been prepared and committed, it may not be
 | |
| changed, barring the following exceptions:
 | |
| 
 | |
|  (1) its reference count may be changed;
 | |
| 
 | |
|  (2) the reference count on the group_info struct it points to may be changed;
 | |
| 
 | |
|  (3) the reference count on the security data it points to may be changed;
 | |
| 
 | |
|  (4) the reference count on any keyrings it points to may be changed;
 | |
| 
 | |
|  (5) any keyrings it points to may be revoked, expired or have their security
 | |
|      attributes changed; and
 | |
| 
 | |
|  (6) the contents of any keyrings to which it points may be changed (the whole
 | |
|      point of keyrings being a shared set of credentials, modifiable by anyone
 | |
|      with appropriate access).
 | |
| 
 | |
| To alter anything in the cred struct, the copy-and-replace principle must be
 | |
| adhered to.  First take a copy, then alter the copy and then use RCU to change
 | |
| the task pointer to make it point to the new copy.  There are wrappers to aid
 | |
| with this (see below).
 | |
| 
 | |
| A task may only alter its _own_ credentials; it is no longer permitted for a
 | |
| task to alter another's credentials.  This means the capset() system call is no
 | |
| longer permitted to take any PID other than the one of the current process.
 | |
| Also keyctl_instantiate() and keyctl_negate() functions no longer permit
 | |
| attachment to process-specific keyrings in the requesting process as the
 | |
| instantiating process may need to create them.
 | |
| 
 | |
| 
 | |
| IMMUTABLE CREDENTIALS
 | |
| ---------------------
 | |
| 
 | |
| Once a set of credentials has been made public (by calling commit_creds() for
 | |
| example), it must be considered immutable, barring two exceptions:
 | |
| 
 | |
|  (1) The reference count may be altered.
 | |
| 
 | |
|  (2) Whilst the keyring subscriptions of a set of credentials may not be
 | |
|      changed, the keyrings subscribed to may have their contents altered.
 | |
| 
 | |
| To catch accidental credential alteration at compile time, struct task_struct
 | |
| has _const_ pointers to its credential sets, as does struct file.  Furthermore,
 | |
| certain functions such as get_cred() and put_cred() operate on const pointers,
 | |
| thus rendering casts unnecessary, but require to temporarily ditch the const
 | |
| qualification to be able to alter the reference count.
 | |
| 
 | |
| 
 | |
| ACCESSING TASK CREDENTIALS
 | |
| --------------------------
 | |
| 
 | |
| A task being able to alter only its own credentials permits the current process
 | |
| to read or replace its own credentials without the need for any form of locking
 | |
| - which simplifies things greatly.  It can just call:
 | |
| 
 | |
| 	const struct cred *current_cred()
 | |
| 
 | |
| to get a pointer to its credentials structure, and it doesn't have to release
 | |
| it afterwards.
 | |
| 
 | |
| There are convenience wrappers for retrieving specific aspects of a task's
 | |
| credentials (the value is simply returned in each case):
 | |
| 
 | |
| 	uid_t current_uid(void)		Current's real UID
 | |
| 	gid_t current_gid(void)		Current's real GID
 | |
| 	uid_t current_euid(void)	Current's effective UID
 | |
| 	gid_t current_egid(void)	Current's effective GID
 | |
| 	uid_t current_fsuid(void)	Current's file access UID
 | |
| 	gid_t current_fsgid(void)	Current's file access GID
 | |
| 	kernel_cap_t current_cap(void)	Current's effective capabilities
 | |
| 	void *current_security(void)	Current's LSM security pointer
 | |
| 	struct user_struct *current_user(void)  Current's user account
 | |
| 
 | |
| There are also convenience wrappers for retrieving specific associated pairs of
 | |
| a task's credentials:
 | |
| 
 | |
| 	void current_uid_gid(uid_t *, gid_t *);
 | |
| 	void current_euid_egid(uid_t *, gid_t *);
 | |
| 	void current_fsuid_fsgid(uid_t *, gid_t *);
 | |
| 
 | |
| which return these pairs of values through their arguments after retrieving
 | |
| them from the current task's credentials.
 | |
| 
 | |
| 
 | |
| In addition, there is a function for obtaining a reference on the current
 | |
| process's current set of credentials:
 | |
| 
 | |
| 	const struct cred *get_current_cred(void);
 | |
| 
 | |
| and functions for getting references to one of the credentials that don't
 | |
| actually live in struct cred:
 | |
| 
 | |
| 	struct user_struct *get_current_user(void);
 | |
| 	struct group_info *get_current_groups(void);
 | |
| 
 | |
| which get references to the current process's user accounting structure and
 | |
| supplementary groups list respectively.
 | |
| 
 | |
| Once a reference has been obtained, it must be released with put_cred(),
 | |
| free_uid() or put_group_info() as appropriate.
 | |
| 
 | |
| 
 | |
| ACCESSING ANOTHER TASK'S CREDENTIALS
 | |
| ------------------------------------
 | |
| 
 | |
| Whilst a task may access its own credentials without the need for locking, the
 | |
| same is not true of a task wanting to access another task's credentials.  It
 | |
| must use the RCU read lock and rcu_dereference().
 | |
| 
 | |
| The rcu_dereference() is wrapped by:
 | |
| 
 | |
| 	const struct cred *__task_cred(struct task_struct *task);
 | |
| 
 | |
| This should be used inside the RCU read lock, as in the following example:
 | |
| 
 | |
| 	void foo(struct task_struct *t, struct foo_data *f)
 | |
| 	{
 | |
| 		const struct cred *tcred;
 | |
| 		...
 | |
| 		rcu_read_lock();
 | |
| 		tcred = __task_cred(t);
 | |
| 		f->uid = tcred->uid;
 | |
| 		f->gid = tcred->gid;
 | |
| 		f->groups = get_group_info(tcred->groups);
 | |
| 		rcu_read_unlock();
 | |
| 		...
 | |
| 	}
 | |
| 
 | |
| Should it be necessary to hold another task's credentials for a long period of
 | |
| time, and possibly to sleep whilst doing so, then the caller should get a
 | |
| reference on them using:
 | |
| 
 | |
| 	const struct cred *get_task_cred(struct task_struct *task);
 | |
| 
 | |
| This does all the RCU magic inside of it.  The caller must call put_cred() on
 | |
| the credentials so obtained when they're finished with.
 | |
| 
 | |
|  [*] Note: The result of __task_cred() should not be passed directly to
 | |
|      get_cred() as this may race with commit_cred().
 | |
| 
 | |
| There are a couple of convenience functions to access bits of another task's
 | |
| credentials, hiding the RCU magic from the caller:
 | |
| 
 | |
| 	uid_t task_uid(task)		Task's real UID
 | |
| 	uid_t task_euid(task)		Task's effective UID
 | |
| 
 | |
| If the caller is holding the RCU read lock at the time anyway, then:
 | |
| 
 | |
| 	__task_cred(task)->uid
 | |
| 	__task_cred(task)->euid
 | |
| 
 | |
| should be used instead.  Similarly, if multiple aspects of a task's credentials
 | |
| need to be accessed, RCU read lock should be used, __task_cred() called, the
 | |
| result stored in a temporary pointer and then the credential aspects called
 | |
| from that before dropping the lock.  This prevents the potentially expensive
 | |
| RCU magic from being invoked multiple times.
 | |
| 
 | |
| Should some other single aspect of another task's credentials need to be
 | |
| accessed, then this can be used:
 | |
| 
 | |
| 	task_cred_xxx(task, member)
 | |
| 
 | |
| where 'member' is a non-pointer member of the cred struct.  For instance:
 | |
| 
 | |
| 	uid_t task_cred_xxx(task, suid);
 | |
| 
 | |
| will retrieve 'struct cred::suid' from the task, doing the appropriate RCU
 | |
| magic.  This may not be used for pointer members as what they point to may
 | |
| disappear the moment the RCU read lock is dropped.
 | |
| 
 | |
| 
 | |
| ALTERING CREDENTIALS
 | |
| --------------------
 | |
| 
 | |
| As previously mentioned, a task may only alter its own credentials, and may not
 | |
| alter those of another task.  This means that it doesn't need to use any
 | |
| locking to alter its own credentials.
 | |
| 
 | |
| To alter the current process's credentials, a function should first prepare a
 | |
| new set of credentials by calling:
 | |
| 
 | |
| 	struct cred *prepare_creds(void);
 | |
| 
 | |
| this locks current->cred_replace_mutex and then allocates and constructs a
 | |
| duplicate of the current process's credentials, returning with the mutex still
 | |
| held if successful.  It returns NULL if not successful (out of memory).
 | |
| 
 | |
| The mutex prevents ptrace() from altering the ptrace state of a process whilst
 | |
| security checks on credentials construction and changing is taking place as
 | |
| the ptrace state may alter the outcome, particularly in the case of execve().
 | |
| 
 | |
| The new credentials set should be altered appropriately, and any security
 | |
| checks and hooks done.  Both the current and the proposed sets of credentials
 | |
| are available for this purpose as current_cred() will return the current set
 | |
| still at this point.
 | |
| 
 | |
| 
 | |
| When the credential set is ready, it should be committed to the current process
 | |
| by calling:
 | |
| 
 | |
| 	int commit_creds(struct cred *new);
 | |
| 
 | |
| This will alter various aspects of the credentials and the process, giving the
 | |
| LSM a chance to do likewise, then it will use rcu_assign_pointer() to actually
 | |
| commit the new credentials to current->cred, it will release
 | |
| current->cred_replace_mutex to allow ptrace() to take place, and it will notify
 | |
| the scheduler and others of the changes.
 | |
| 
 | |
| This function is guaranteed to return 0, so that it can be tail-called at the
 | |
| end of such functions as sys_setresuid().
 | |
| 
 | |
| Note that this function consumes the caller's reference to the new credentials.
 | |
| The caller should _not_ call put_cred() on the new credentials afterwards.
 | |
| 
 | |
| Furthermore, once this function has been called on a new set of credentials,
 | |
| those credentials may _not_ be changed further.
 | |
| 
 | |
| 
 | |
| Should the security checks fail or some other error occur after prepare_creds()
 | |
| has been called, then the following function should be invoked:
 | |
| 
 | |
| 	void abort_creds(struct cred *new);
 | |
| 
 | |
| This releases the lock on current->cred_replace_mutex that prepare_creds() got
 | |
| and then releases the new credentials.
 | |
| 
 | |
| 
 | |
| A typical credentials alteration function would look something like this:
 | |
| 
 | |
| 	int alter_suid(uid_t suid)
 | |
| 	{
 | |
| 		struct cred *new;
 | |
| 		int ret;
 | |
| 
 | |
| 		new = prepare_creds();
 | |
| 		if (!new)
 | |
| 			return -ENOMEM;
 | |
| 
 | |
| 		new->suid = suid;
 | |
| 		ret = security_alter_suid(new);
 | |
| 		if (ret < 0) {
 | |
| 			abort_creds(new);
 | |
| 			return ret;
 | |
| 		}
 | |
| 
 | |
| 		return commit_creds(new);
 | |
| 	}
 | |
| 
 | |
| 
 | |
| MANAGING CREDENTIALS
 | |
| --------------------
 | |
| 
 | |
| There are some functions to help manage credentials:
 | |
| 
 | |
|  (*) void put_cred(const struct cred *cred);
 | |
| 
 | |
|      This releases a reference to the given set of credentials.  If the
 | |
|      reference count reaches zero, the credentials will be scheduled for
 | |
|      destruction by the RCU system.
 | |
| 
 | |
|  (*) const struct cred *get_cred(const struct cred *cred);
 | |
| 
 | |
|      This gets a reference on a live set of credentials, returning a pointer to
 | |
|      that set of credentials.
 | |
| 
 | |
|  (*) struct cred *get_new_cred(struct cred *cred);
 | |
| 
 | |
|      This gets a reference on a set of credentials that is under construction
 | |
|      and is thus still mutable, returning a pointer to that set of credentials.
 | |
| 
 | |
| 
 | |
| =====================
 | |
| OPEN FILE CREDENTIALS
 | |
| =====================
 | |
| 
 | |
| When a new file is opened, a reference is obtained on the opening task's
 | |
| credentials and this is attached to the file struct as 'f_cred' in place of
 | |
| 'f_uid' and 'f_gid'.  Code that used to access file->f_uid and file->f_gid
 | |
| should now access file->f_cred->fsuid and file->f_cred->fsgid.
 | |
| 
 | |
| It is safe to access f_cred without the use of RCU or locking because the
 | |
| pointer will not change over the lifetime of the file struct, and nor will the
 | |
| contents of the cred struct pointed to, barring the exceptions listed above
 | |
| (see the Task Credentials section).
 | |
| 
 | |
| 
 | |
| =======================================
 | |
| OVERRIDING THE VFS'S USE OF CREDENTIALS
 | |
| =======================================
 | |
| 
 | |
| Under some circumstances it is desirable to override the credentials used by
 | |
| the VFS, and that can be done by calling into such as vfs_mkdir() with a
 | |
| different set of credentials.  This is done in the following places:
 | |
| 
 | |
|  (*) sys_faccessat().
 | |
| 
 | |
|  (*) do_coredump().
 | |
| 
 | |
|  (*) nfs4recover.c.
 |