1*4882a593Smuzhiyun# SPDX-License-Identifier: GPL-2.0-only 2*4882a593Smuzhiyunconfig SECURITY_SAFESETID 3*4882a593Smuzhiyun bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities" 4*4882a593Smuzhiyun depends on SECURITY 5*4882a593Smuzhiyun select SECURITYFS 6*4882a593Smuzhiyun default n 7*4882a593Smuzhiyun help 8*4882a593Smuzhiyun SafeSetID is an LSM module that gates the setid family of syscalls to 9*4882a593Smuzhiyun restrict UID/GID transitions from a given UID/GID to only those 10*4882a593Smuzhiyun approved by a system-wide whitelist. These restrictions also prohibit 11*4882a593Smuzhiyun the given UIDs/GIDs from obtaining auxiliary privileges associated 12*4882a593Smuzhiyun with CAP_SET{U/G}ID, such as allowing a user to set up user namespace 13*4882a593Smuzhiyun UID mappings. 14*4882a593Smuzhiyun 15*4882a593Smuzhiyun If you are unsure how to answer this question, answer N. 16