162306a36Sopenharmony_ci# SPDX-License-Identifier: GPL-2.0-only
262306a36Sopenharmony_ciconfig SECURITY_SAFESETID
362306a36Sopenharmony_ci        bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
462306a36Sopenharmony_ci        depends on SECURITY
562306a36Sopenharmony_ci        select SECURITYFS
662306a36Sopenharmony_ci        default n
762306a36Sopenharmony_ci        help
862306a36Sopenharmony_ci          SafeSetID is an LSM module that gates the setid family of syscalls to
962306a36Sopenharmony_ci          restrict UID/GID transitions from a given UID/GID to only those
1062306a36Sopenharmony_ci          approved by a system-wide whitelist. These restrictions also prohibit
1162306a36Sopenharmony_ci          the given UIDs/GIDs from obtaining auxiliary privileges associated
1262306a36Sopenharmony_ci          with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
1362306a36Sopenharmony_ci          UID mappings.
1462306a36Sopenharmony_ci
1562306a36Sopenharmony_ci          If you are unsure how to answer this question, answer N.
16