18c2ecf20Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only 28c2ecf20Sopenharmony_ciconfig SECURITY_SAFESETID 38c2ecf20Sopenharmony_ci bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities" 48c2ecf20Sopenharmony_ci depends on SECURITY 58c2ecf20Sopenharmony_ci select SECURITYFS 68c2ecf20Sopenharmony_ci default n 78c2ecf20Sopenharmony_ci help 88c2ecf20Sopenharmony_ci SafeSetID is an LSM module that gates the setid family of syscalls to 98c2ecf20Sopenharmony_ci restrict UID/GID transitions from a given UID/GID to only those 108c2ecf20Sopenharmony_ci approved by a system-wide whitelist. These restrictions also prohibit 118c2ecf20Sopenharmony_ci the given UIDs/GIDs from obtaining auxiliary privileges associated 128c2ecf20Sopenharmony_ci with CAP_SET{U/G}ID, such as allowing a user to set up user namespace 138c2ecf20Sopenharmony_ci UID mappings. 148c2ecf20Sopenharmony_ci 158c2ecf20Sopenharmony_ci If you are unsure how to answer this question, answer N. 16