security/safesetid/Kconfig
Source file repositories/reference/linux-study-clean/security/safesetid/Kconfig
File Facts
- System
- Linux kernel
- Corpus path
security/safesetid/Kconfig- Extension
[no extension]- Size
- 709 bytes
- Lines
- 16
- Domain
- Core OS
- Bucket
- Security And Isolation
- Inferred role
- Core OS: build/configuration rule
- Status
- atlas-only
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
Dependency Surface
- No C-style include directives detected by the generator.
Detected Declarations
- No top-level syscall, struct, function, initcall, or export declaration detected by the generator.
Annotated Snippet
# SPDX-License-Identifier: GPL-2.0-only
config SECURITY_SAFESETID
bool "Gate setid transitions to limit CAP_SET{U/G}ID capabilities"
depends on SECURITY
select SECURITYFS
default n
help
SafeSetID is an LSM module that gates the setid family of syscalls to
restrict UID/GID transitions from a given UID/GID to only those
approved by a system-wide whitelist. These restrictions also prohibit
the given UIDs/GIDs from obtaining auxiliary privileges associated
with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
UID mappings.
If you are unsure how to answer this question, answer N.
Annotation
- Atlas domain: Core OS / Security And Isolation.
- Implementation status: atlas-only.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.