[PATCH 1/2] LSM: Signal to SafeSetID when in set*gid syscall
James Morris
jmorris at namei.org
Mon Jul 27 18:44:18 UTC 2020
On Mon, 20 Jul 2020, Micah Morton wrote:
> From: Thomas Cedeno <thomascedeno at google.com>
>
> For SafeSetID to properly gate set*gid() calls, it needs to know whether
> ns_capable() is being called from within a sys_set*gid() function or is
> being called from elsewhere in the kernel. This allows SafeSetID to deny
> CAP_SETGID to restricted groups when they are attempting to use the
> capability for code paths other than updating GIDs (e.g. setting up
> userns GID mappings). This is the identical approach to what is
> currently done for CAP_SETUID.
>
> Signed-off-by: Thomas Cedeno <thomascedeno at google.com>
> Signed-off-by: Micah Morton <mortonm at chromium.org>
Acked-by: James Morris <jamorris at linux.microsoft.com>
--
James Morris
<jmorris at namei.org>
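
The gating described in the quoted commit message, as an added userspace model in C; it is not code from the patch or from the kernel. `CAP_SETGID` and the `CAP_OPT_INSETID` option bit carry their Linux header values, while `restricted_gids`, `gid_is_restricted()` and `model_capable_hook()` are hypothetical names, and the policy table is constructed sample data.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Values as defined in the Linux headers. */
#define CAP_SETGID       6
#define CAP_OPT_NONE     0x0u
#define CAP_OPT_INSETID  (1u << 2)   /* set by the set*id() syscall paths */

/* Hypothetical stand-in for the SafeSetID policy: GIDs listed here are
 * "restricted". Constructed sample data. */
static const unsigned restricted_gids[] = { 1000, 1001 };

static bool gid_is_restricted(unsigned gid)
{
    for (size_t i = 0; i < sizeof restricted_gids / sizeof restricted_gids[0]; i++)
        if (restricted_gids[i] == gid)
            return true;
    return false;
}

/* Model of the capability-hook decision: 0 = no objection, -EPERM = deny. */
static int model_capable_hook(unsigned gid, int cap, unsigned opts)
{
    if (cap != CAP_SETGID)
        return 0;        /* this model covers only the GID side */
    if (opts & CAP_OPT_INSETID)
        return 0;        /* inside set*gid(): this model leaves the transition
                            itself to a separate check */
    if (!gid_is_restricted(gid))
        return 0;        /* no policy for this GID: capability usable as usual */
    return -EPERM;       /* restricted GID using CAP_SETGID for something else,
                            e.g. setting up userns GID mappings */
}

int main(void)
{
    printf("restricted gid, set*gid() path: %d\n",
           model_capable_hook(1000, CAP_SETGID, CAP_OPT_INSETID));
    printf("restricted gid, other path:     %d\n",
           model_capable_hook(1000, CAP_SETGID, CAP_OPT_NONE));
    printf("unrestricted gid, other path:   %d\n",
           model_capable_hook(4242, CAP_SETGID, CAP_OPT_NONE));
    return 0;
}
```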