xref: /openbmc/linux/security/safesetid/Kconfig (revision 6c33a6f4) 
1# SPDX-License-Identifier: GPL-2.0-only
2config SECURITY_SAFESETID
3        bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
4        depends on SECURITY
5        select SECURITYFS
6        default n
7        help
8          SafeSetID is an LSM module that gates the setid family of syscalls to
9          restrict UID/GID transitions from a given UID/GID to only those
10          approved by a system-wide whitelist. These restrictions also prohibit
11          the given UIDs/GIDs from obtaining auxiliary privileges associated
12          with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
13          UID mappings.
14
15          If you are unsure how to answer this question, answer N.
16