The setuid, seteuid, setreuid, setresuid, and setfsuid calls may be used to set the user identity attributes of the calling process. The setgid, setegid, setregid, setresgid, setfsgid, and setgroups calls may be used to set the group identity attributes of the calling process. Linux permits unprivileged processes to perform certain kinds of changes to their identity attributes, such as changing the effective identity to the real identity or vice versa, or changing the effective identity to the saved identity. Linux permits more general changes in identity for processes that have the CAP_SETUID and CAP_SETGID capabilities.
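The following C program is an added example, not code from the report or from the Flask/Linux implementation. It models the unprivileged identity-change rules that Linux applies to setuid, seteuid, setreuid and setresuid (each new user ID must be drawn from the process's current real, effective or saved set-user-ID, with the extra restrictions documented for setuid and setreuid) and contrasts them with the unrestricted changes allowed to a holder of CAP_SETUID. Two simplifications are assumed: the `privileged` flag stands in for the CAP_SETUID check, and the model ignores the capability-set adjustments Linux makes when the effective UID changes to or from zero. The sample credentials (a set-UID binary owned by uid 2000 run by uid 1000) are constructed for illustration; `live_effective_to_real` exercises the one transition the real kernel always permits so the model can be compared against a running system.

```c
/* Model of the Linux unprivileged identity-change rules from setuid(2),
 * seteuid(2), setreuid(2) and setresuid(2). Added example; the `privileged`
 * flag stands in for holding CAP_SETUID (assumption), and the model does not
 * track the capability-set changes Linux makes when the effective UID
 * crosses zero (assumption). */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

struct creds {
    uid_t ruid, euid, suid;   /* real, effective, saved set-user-ID */
    int privileged;           /* 1 if the process holds CAP_SETUID */
};

static int any_of(uid_t v, const struct creds *c)
{
    return v == c->ruid || v == c->euid || v == c->suid;
}

/* setuid(): privileged callers set all three IDs; unprivileged callers may
 * only set the effective ID, and only to the real or saved ID. */
int model_setuid(struct creds *c, uid_t uid)
{
    if (c->privileged) {
        c->ruid = c->euid = c->suid = uid;
        return 0;
    }
    if (uid != c->ruid && uid != c->suid)
        return -EPERM;
    c->euid = uid;
    return 0;
}

/* seteuid(): unprivileged callers may set the effective ID to any of the
 * current real, effective or saved IDs. */
int model_seteuid(struct creds *c, uid_t euid)
{
    if (!c->privileged && !any_of(euid, c))
        return -EPERM;
    c->euid = euid;
    return 0;
}

/* setreuid(): (uid_t)-1 leaves an ID unchanged. Unprivileged: the real ID
 * may become the real or effective ID; the effective ID may become the
 * real, effective or saved ID. The saved ID is set to the new effective
 * ID when the real ID is set or the effective ID moves away from the old
 * real ID. */
int model_setreuid(struct creds *c, uid_t ruid, uid_t euid)
{
    struct creds old = *c;
    if (!c->privileged) {
        if (ruid != (uid_t)-1 && ruid != old.ruid && ruid != old.euid)
            return -EPERM;
        if (euid != (uid_t)-1 && !any_of(euid, &old))
            return -EPERM;
    }
    if (ruid != (uid_t)-1) c->ruid = ruid;
    if (euid != (uid_t)-1) c->euid = euid;
    if (ruid != (uid_t)-1 || (euid != (uid_t)-1 && euid != old.ruid))
        c->suid = c->euid;
    return 0;
}

/* setresuid(): each supplied ID must be one of the current three unless
 * the caller holds CAP_SETUID; this is the call to use for a permanent drop. */
int model_setresuid(struct creds *c, uid_t ruid, uid_t euid, uid_t suid)
{
    struct creds old = *c;
    if (!c->privileged) {
        if ((ruid != (uid_t)-1 && !any_of(ruid, &old)) ||
            (euid != (uid_t)-1 && !any_of(euid, &old)) ||
            (suid != (uid_t)-1 && !any_of(suid, &old)))
            return -EPERM;
    }
    if (ruid != (uid_t)-1) c->ruid = ruid;
    if (euid != (uid_t)-1) c->euid = euid;
    if (suid != (uid_t)-1) c->suid = suid;
    return 0;
}

/* Live check against the running kernel: setting the effective ID to the
 * real ID is always permitted. Returns 0 when getresuid confirms euid == ruid. */
int live_effective_to_real(void)
{
    uid_t r, e, s;
    if (seteuid(getuid()) != 0) return -errno;
    if (getresuid(&r, &e, &s) != 0) return -errno;
    return e == r ? 0 : -1;
}

int main(void)
{
    /* Constructed scenario: set-UID binary owned by uid 2000, run by uid 1000. */
    struct creds c = { 1000, 2000, 2000, 0 };
    printf("setresuid(4242,-1,-1) unprivileged: %d\n",
           model_setresuid(&c, 4242, (uid_t)-1, (uid_t)-1));
    printf("seteuid(1000): %d -> euid %u, suid %u\n",
           model_seteuid(&c, 1000), c.euid, c.suid);
    printf("live seteuid(getuid()): %d\n", live_effective_to_real());
    return 0;
}
```

The model makes the point of the paragraph concrete: an unprivileged process can shuttle its effective ID among the three values it already holds (temporary drop and regain via seteuid), can only narrow that set (setresuid to the real ID in all three slots is a one-way door), and can never acquire an ID outside it without CAP_SETUID.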
These calls only affect the private state of the calling process. Furthermore, the Flask controls are not based on the Linux identity attributes. Consequently, changes in Linux identity attributes are irrelevant to the Flask security policy and do not need to be controlled by the policy. However, it may be valuable to provide Flask controls on these calls to allow the policy to confine changes in Linux identity. The Flask cap_setuid and cap_setgid permissions are checked when the corresponding capabilities are required by Linux. If it is desirable for the policy to be able to confine Linux identity changes, then new Flask permissions need to be defined to control all uses of these system calls.