Implement secpolicy_vnode_setid_retain()

[kusumi]

Motivation and Context

#9035

Description

Don't unconditionally return 0 (i.e. retain SUID/SGID).

https://github.com/pjd/pjdfstest/blob/master/tests/chmod/12.t
which expects SUID/SGID to be dropped on write(2) by non-owner fails
without this. Most filesystems make this decision within VFS by using
a generic file write for fops.

How Has This Been Tested?

Added a test case functional/suid.
(I originally tried to add this to functional/privilege, but found this doesn't run on Linux.)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Performance enhancement (non-breaking change which improves efficiency)
• Code cleanup (non-breaking change which makes code smaller or more readable)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation (a change to man pages or other documentation)

Checklist:

• My code follows the ZFS on Linux code style requirements.
• I have updated the documentation accordingly.
• I have read the contributing document.
• I have added tests to cover my changes.
• All new and existing tests passed.
• All commit messages are properly formatted and contain Signed-off-by.

[behlendorf]

With this change applied we're now passing the test cases you referenced, correct?

Most filesystems make this decision within VFS by using a generic file write for fops.

Would you pointing me, and other reviewers, at the relevant VFS code which does this.

[kusumi]

With this change applied we're now passing the test cases you referenced, correct?

Correct, also the added test case is same as pjdfstest.

Would you pointing me, and other reviewers, at the relevant VFS code which does this.

via err = file_remove_privs(file); in __generic_file_write_iter().

[codecov]

Codecov Report

Merging #9043 into master will increase coverage by 0.02%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #9043      +/-   ##
==========================================
+ Coverage   78.67%   78.69%   +0.02%     
==========================================
  Files         400      402       +2     
  Lines      121009   121004       -5     
==========================================
+ Hits        95199    95226      +27     
+ Misses      25810    25778      -32

Flag	Coverage Δ
#kernel	79.56% <100%> (+0.01%)	⬆️
#user	66.15% <ø> (-0.22%)	⬇️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 43a8536...b4acc91. Read the comment docs.

[kusumi]

build zfs succeeds for BUILD, but failing for TEST.
It builds (and also runs) fine on my local environment.

1. BUILD

Making all in suid
make[6]: Entering directory '/var/lib/buildbot/slaves/zfs/Ubuntu_18_04_x86_64__BUILD_/build/zfs/tests/zfs-tests/tests/functional/suid'
  CC       suid_write_to_suid.o
  CC       suid_write_to_sgid.o
  CC       suid_write_to_suid_sgid.o
  CCLD     suid_write_to_suid
  CCLD     suid_write_to_sgid
  CCLD     suid_write_to_suid_sgid

2. TEST - preprocess can't find ./suid_write_to_file.h which exists in the same directory.

Making all in suid
make[8]: Entering directory '/tmp/zfs-build-buildbot-AqgPTMKN/BUILD/zfs-0.8.0/tests/zfs-tests/tests/functional/suid'
  CC       suid_write_to_suid.o
  CC       suid_write_to_sgid.o
suid_write_to_sgid.c:26:10: fatal error: ./suid_write_to_file.h: No such file or directory
 #include "./suid_write_to_file.h"
          ^~~~~~~~~~~~~~~~~~~~~~~~
suid_write_to_suid.c:26:10: fatal error: ./suid_write_to_file.h: No such file or directory
 #include "./suid_write_to_file.h"
          ^~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
compilation terminated.