Support for C flag

Binary package hint: binfmt-support

Hi

By default, binfmt-misc doesn't keep the security context of the original binary when launching the interpreter, so the setuid bit gets dropped:
ubuntu@bee:/$ sudo id
sudo: must be setuid root
(this is withing an armel chroot under x86-64 with qemu-kvm-extras-static installed, which registers qemu-arm-static as an interpreter for arm binaries)

However, linux/Documentation/binfmt_misc.txt describes a 'C' flag one can append after the interpreter to preserve the security context. Obviously, the interpreter then has to be trusted to do the right thing as this might be a security hole:
[...]
 - 'interpreter' is the program that should be invoked with the binary as first
   argument (specify the full path)
 - 'flags' is an optional field that controls several aspects of the invocation
   of the interpreter. It is a string of capital letters, each controls a certain
   aspect. The following flags are supported -
      'P' - preserve-argv[0]. Legacy behavior of binfmt_misc is to overwrite the
            original argv[0] with the full path to the binary. When this flag is
            included, binfmt_misc will add an argument to the argument vector for
            this purpose, thus preserving the original argv[0].
      'O' - open-binary. Legacy behavior of binfmt_misc is to pass the full path
            of the binary to the interpreter as an argument. When this flag is
            included, binfmt_misc will open the file for reading and pass its
            descriptor as an argument, instead of the full path, thus allowing
            the interpreter to execute non-readable binaries. This feature should
            be used with care - the interpreter has to be trusted not to emit
            the contents of the non-readable binary.
      'C' - credentials. Currently, the behavior of binfmt_misc is to calculate
            the credentials and security token of the new process according to
            the interpreter. When this flag is included, these attributes are
            calculated according to the binary. It also implies the 'O' flag.
            This feature should be used with care as the interpreter
            will run with root permissions when a setuid binary owned by root
            is run with binfmt_misc.

Note that after setting manually the C flag, I wasn't able to observe the documented behavior of the implied 'O' flag: qemu-arm-static "just worked" and was passed the name of the binary it should invoke on the cmdline; I didn't see any fd number or a path to /dev/fd/n on the interpreter args (I checked with a static binary dumping argv in place of qemu-arm-static).

I propose we add "credentials yes" to binfmt format files to turn on this flag.

This would allow:
ubuntu@bee:/$ sudo id
uid=0(root) gid=0(root) groups=0(root)

Thanks,