[clang] [clang][analyzer] Add checker 'Security.SetgidSetuidOrder'. (PR #91445)

Donát Nagy via cfe-commits cfe-commits at lists.llvm.org
Wed May 8 03:34:36 PDT 2024


================
@@ -0,0 +1,170 @@
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,security.SetgidSetuidOrder -verify %s
+
+#include "Inputs/system-header-simulator-setgid-setuid.h"
+
+void correct_order() {
+  if (setgid(getgid()) == -1)
+    return;
+  if (setuid(getuid()) == -1)
+    return;
+  if (setgid(getgid()) == -1)
+    return;
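Review bot: In correct_order(), the third call, `if (setgid(getgid()) == -1)`, comes after `setuid(getuid())` and has no comment. Under `-verify` a reader cannot tell whether the missing `expected-warning` there is the intended result or an oversight. Add a short comment at that call saying that a repeated setgid after setuid is deliberately accepted and why, or move it into a separately named test function so that correct_order() covers only the setgid-then-setuid sequence.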
----------------
NagyDonat wrote:

Why is this block here? Should this "try to set the gid again" attempt appear in normal code?

(I see that this is intentionally allowed in the checker, but it would be good to add a short comment that explains the rationale behind this.)

https://github.com/llvm/llvm-project/pull/91445

