2f87324be7
This patch changes the Kconfig file for the SafeSetID LSM to depend on CONFIG_SECURITY as well as select CONFIG_SECURITYFS, since the policies for the LSM are configured through writing to securityfs. Signed-off-by: Micah Morton <mortonm@chromium.org> Signed-off-by: James Morris <james.morris@microsoft.com>
15 lines
669 B
Plaintext
15 lines
669 B
Plaintext
config SECURITY_SAFESETID
|
|
bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
|
|
depends on SECURITY
|
|
select SECURITYFS
|
|
default n
|
|
help
|
|
SafeSetID is an LSM module that gates the setid family of syscalls to
|
|
restrict UID/GID transitions from a given UID/GID to only those
|
|
approved by a system-wide whitelist. These restrictions also prohibit
|
|
the given UIDs/GIDs from obtaining auxiliary privileges associated
|
|
with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
|
|
UID mappings.
|
|
|
|
If you are unsure how to answer this question, answer N.
|