Linux: Keyrings PAG handling changes

Linux: Keyrings PAG handling changes

We can take advantage of the fact that PagInCred now receives
a kernel credentials structure as an argument (including any session
keyring) to make some improvements in the handling of PAGs
when keyrings are in use.

These changes are effective only if keyrings are in use and we
have a recent enough kernel where we can use the kernel
credentials structure.

1 - Search the session keyring of the passed credentials instead of
the current process' to determine the PAG, if any.  This was always
not really correct, and now we're able to do the right thing.
In some situations such as background writeback and pre-fetching,
this means that we'll now do it with the right credentials, even when
in a PAG.

2 - Don't use groups at all to determine PAG membership.  Doing so
can lead to some inconsistent situations such as the one described
in RT 125198, where a process gets access through a soon to be
deleted PAG.  Make PagInCred look exclusively at the keyrings.
Groups are still updated to try to reflect the current PAG for now,
if the passed credentials belong to the current process.

Note that a process can no longer get a PAG's privileges simply by
adding the corresponding groups to its group list.

No behaviour change for kernels prior to 2.6.29.

FIXES 125198

Change-Id: Ifb171993cc9ca9d6a97fb7312909485ec0666efb
Reviewed-on: http://gerrit.openafs.org/730
Reviewed-by: Derrick Brashear <shadow@dementia.org>
Tested-by: Derrick Brashear <shadow@dementia.org>