[PATCH v5 1/2] LSM: SafeSetID: gate setgid transitions

Casey Schaufler casey at schaufler-ca.com
Fri Mar 29 19:44:30 UTC 2019

On 3/29/2019 11:06 AM, James Morris wrote:
> On Tue, 5 Mar 2019, mortonm at chromium.org wrote:
>> From: Micah Morton <mortonm at chromium.org>
>> This patch generalizes the 'task_fix_setuid' LSM hook to enable hooking
>> setgid transitions as well as setuid transitions. The hook is renamed to
>> 'task_fix_setid'. The patch introduces calls to this hook from the
>> setgid functions in kernel/sys.c. This will allow the SafeSetID LSM to
>> govern setgid transitions in addition to setuid transitions. This patch
>> also makes sure the setgid functions in kernel/sys.c call
>> security_capable_setid rather than the ordinary security_capable
>> function, so that the security_capable hook in the SafeSetID LSM knows
>> it is being invoked from a setid function.
>> Signed-off-by: Micah Morton <mortonm at chromium.org>
> Wondering if there are any further comments or reviews for this before it
> is merged?

My comments have been addressed.
