145  * Check whether a caller with old credentials @old is allowed to switch to
148 static bool id_permitted_for_cred(const struct cred *old, kid_t new_id, enum setid_type new_type)  in id_permitted_for_cred()  argument
152 	/* If our old creds already had this ID in it, it's fine. */  in id_permitted_for_cred()
154 		if (uid_eq(new_id.uid, old->uid) || uid_eq(new_id.uid, old->euid) ||  in id_permitted_for_cred()
155 			uid_eq(new_id.uid, old->suid))  in id_permitted_for_cred()
158 		if (gid_eq(new_id.gid, old->gid) || gid_eq(new_id.gid, old->egid) ||  in id_permitted_for_cred()
159 			gid_eq(new_id.gid, old->sgid))  in id_permitted_for_cred()
165 	 * Transitions to new UIDs require a check against the policy of the old  in id_permitted_for_cred()
169 	    setid_policy_lookup((kid_t){.uid = old->uid}, new_id, new_type) != SIDPOL_CONSTRAINED;  in id_permitted_for_cred()
174 				__kuid_val(old->uid), __kuid_val(old->euid),  in id_permitted_for_cred()
175 				__kuid_val(old->suid), __kuid_val(new_id.uid));  in id_permitted_for_cred()
178 				__kgid_val(old->gid), __kgid_val(old->egid),  in id_permitted_for_cred()
179 				__kgid_val(old->sgid), __kgid_val(new_id.gid));  in id_permitted_for_cred()
187  * Check whether there is either an exception for user under old cred struct to
192 				     const struct cred *old,  in safesetid_task_fix_setuid()  argument
196 	/* Do nothing if there are no setuid restrictions for our old RUID. */  in safesetid_task_fix_setuid()
197 	if (setid_policy_lookup((kid_t){.uid = old->uid}, INVALID_ID, UID) == SIDPOL_DEFAULT)  in safesetid_task_fix_setuid()
200 	if (id_permitted_for_cred(old, (kid_t){.uid = new->uid}, UID) &&  in safesetid_task_fix_setuid()
201 	    id_permitted_for_cred(old, (kid_t){.uid = new->euid}, UID) &&  in safesetid_task_fix_setuid()
202 	    id_permitted_for_cred(old, (kid_t){.uid = new->suid}, UID) &&  in safesetid_task_fix_setuid()
203 	    id_permitted_for_cred(old, (kid_t){.uid = new->fsuid}, UID))  in safesetid_task_fix_setuid()
216 				     const struct cred *old,  in safesetid_task_fix_setgid()  argument
220 	/* Do nothing if there are no setgid restrictions for our old RGID. */  in safesetid_task_fix_setgid()
221 	if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)  in safesetid_task_fix_setgid()
224 	if (id_permitted_for_cred(old, (kid_t){.gid = new->gid}, GID) &&  in safesetid_task_fix_setgid()
225 	    id_permitted_for_cred(old, (kid_t){.gid = new->egid}, GID) &&  in safesetid_task_fix_setgid()
226 	    id_permitted_for_cred(old, (kid_t){.gid = new->sgid}, GID) &&  in safesetid_task_fix_setgid()
227 	    id_permitted_for_cred(old, (kid_t){.gid = new->fsgid}, GID))  in safesetid_task_fix_setgid()
239 static int safesetid_task_fix_setgroups(struct cred *new, const struct cred *old)  in safesetid_task_fix_setgroups()  argument
243 	/* Do nothing if there are no setgid restrictions for our old RGID. */  in safesetid_task_fix_setgroups()
244 	if (setid_policy_lookup((kid_t){.gid = old->gid}, INVALID_ID, GID) == SIDPOL_DEFAULT)  in safesetid_task_fix_setgroups()
249 		if (!id_permitted_for_cred(old, (kid_t){.gid = new->group_info->gid[i]}, GID)) {  in safesetid_task_fix_setgroups()