]>
Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
aeca4e2c MM |
2 | config SECURITY_SAFESETID |
3 | bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities" | |
2f87324b MM |
4 | depends on SECURITY |
5 | select SECURITYFS | |
aeca4e2c MM |
6 | default n |
7 | help | |
8 | SafeSetID is an LSM module that gates the setid family of syscalls to | |
9 | restrict UID/GID transitions from a given UID/GID to only those | |
10 | approved by a system-wide whitelist. These restrictions also prohibit | |
11 | the given UIDs/GIDs from obtaining auxiliary privileges associated | |
12 | with CAP_SET{U/G}ID, such as allowing a user to set up user namespace | |
13 | UID mappings. | |
14 | ||
15 | If you are unsure how to answer this question, answer N. |