[PATCH v5 1/2] LSM: SafeSetID: gate setgid transitions

James Morris jmorris at namei.org
Fri Mar 29 18:06:37 UTC 2019

On Tue, 5 Mar 2019, mortonm at chromium.org wrote:

> From: Micah Morton <mortonm at chromium.org>
> This patch generalizes the 'task_fix_setuid' LSM hook to enable hooking
> setgid transitions as well as setuid transitions. The hook is renamed to
> 'task_fix_setid'. The patch introduces calls to this hook from the
> setgid functions in kernel/sys.c. This will allow the SafeSetID LSM to
> govern setgid transitions in addition to setuid transitions. This patch
> also makes sure the setgid functions in kernel/sys.c call
> security_capable_setid rather than the ordinary security_capable
> function, so that the security_capable hook in the SafeSetID LSM knows
> it is being invoked from a setid function.
> Signed-off-by: Micah Morton <mortonm at chromium.org>

Wondering if there are any further comments or reviews for this before it 
is merged?

James Morris
<jmorris at namei.org>

More information about the Linux-security-module-archive mailing list