kernel/linux.git/Documentation/admin-guide/LSM/SafeSetID.rst, branch v6.12.80

docs: SafeSetID: fix a warning

2020-10-28T17:42:02+00:00

As reported by Sphinx 2.4.4: docs/Documentation/admin-guide/LSM/SafeSetID.rst:110: WARNING: Title underline too short. Note on GID policies and setgroups() ================== Signed-off-by: Mauro Carvalho Chehab Link: https://lore.kernel.org/r/4afa281c170daabd1ce522653d5d5d5078ebd92c.1603791716.git.mchehab+huawei@kernel.org Signed-off-by: Jonathan Corbet

LSM: SafeSetID: Add GID security policy handling

2020-10-13T16:17:35+00:00

The SafeSetID LSM has functionality for restricting setuid() calls based on its configured security policies. This patch adds the analogous functionality for setgid() calls. This is mostly a copy-and-paste change with some code deduplication, plus slight modifications/name changes to the policy-rule-related structs (now contain GID rules in addition to the UID ones) and some type generalization since SafeSetID now needs to deal with kgid_t and kuid_t types. Signed-off-by: Thomas Cedeno Signed-off-by: Micah Morton

docs: SafeSetID.rst: Remove spurious '???' characters

2019-10-11T15:58:38+00:00

It appears that some smart quotes were changed to "???" by even smarter software; change them to the dumb but legible variety. Signed-off-by: Christian Kujau Signed-off-by: Jonathan Corbet

LSM: add SafeSetID module that gates setid calls

2019-01-25T19:22:45+00:00

SafeSetID gates the setid family of syscalls to restrict UID/GID transitions from a given UID/GID to only those approved by a system-wide whitelist. These restrictions also prohibit the given UIDs/GIDs from obtaining auxiliary privileges associated with CAP_SET{U/G}ID, such as allowing a user to set up user namespace UID mappings. For now, only gating the set*uid family of syscalls is supported, with support for set*gid coming in a future patch set. Signed-off-by: Micah Morton Acked-by: Kees Cook Signed-off-by: James Morris