| Micah Morton | aeca4e2 | 2019-01-16 07:46:06 -0800 | [diff] [blame^] | 1 | config SECURITY_SAFESETID |
| 2 | bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities" |
| 3 | default n |
| 4 | help |
| 5 | SafeSetID is an LSM module that gates the setid family of syscalls to |
| 6 | restrict UID/GID transitions from a given UID/GID to only those |
| 7 | approved by a system-wide whitelist. These restrictions also prohibit |
| 8 | the given UIDs/GIDs from obtaining auxiliary privileges associated |
| 9 | with CAP_SET{U/G}ID, such as allowing a user to set up user namespace |
| 10 | UID mappings. |
| 11 | |
| 12 | If you are unsure how to answer this question, answer N. |