16 lines
		
	
	
		
			709 B
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			16 lines
		
	
	
		
			709 B
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| # SPDX-License-Identifier: GPL-2.0-only
 | |
| config SECURITY_SAFESETID
 | |
|         bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
 | |
|         depends on SECURITY
 | |
|         select SECURITYFS
 | |
|         default n
 | |
|         help
 | |
|           SafeSetID is an LSM module that gates the setid family of syscalls to
 | |
|           restrict UID/GID transitions from a given UID/GID to only those
 | |
|           approved by a system-wide whitelist. These restrictions also prohibit
 | |
|           the given UIDs/GIDs from obtaining auxiliary privileges associated
 | |
|           with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
 | |
|           UID mappings.
 | |
| 
 | |
|           If you are unsure how to answer this question, answer N.
 |