mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
synced 2026-04-21 04:53:46 -04:00
LSM: add SafeSetID module that gates setid calls
SafeSetID gates the setid family of syscalls to restrict UID/GID
transitions from a given UID/GID to only those approved by a
system-wide whitelist. These restrictions also prohibit the given
UIDs/GIDs from obtaining auxiliary privileges associated with
CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID
mappings. For now, only gating the set*uid family of syscalls is
supported, with support for set*gid coming in a future patch set.
Signed-off-by: Micah Morton <mortonm@chromium.org>
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: James Morris <james.morris@microsoft.com>
This commit is contained in:
Micah Morton
committed by
James Morris
James Morris
parent
40852275a9
commit
aeca4e2ca6
7
security/safesetid/Makefile
Normal file
7
security/safesetid/Makefile
Normal file
@@ -0,0 +1,7 @@
|
||||
# SPDX-License-Identifier: GPL-2.0
|
||||
#
|
||||
# Makefile for the safesetid LSM.
|
||||
#
|
||||
|
||||
obj-$(CONFIG_SECURITY_SAFESETID) := safesetid.o
|
||||
safesetid-y := lsm.o securityfs.o
|
||||
Reference in New Issue
Block a user