LSM: Signal to SafeSetID when setting group IDs

/**

 * ns_capable_setid - Determine if the current task has a superior capability

 * in effect, while signalling that this check is being done from within a

 * setid syscall.

 * setid or setgroups syscall.

 * @ns:  The usernamespace we want the capability in

 * @cap: The capability to be tested for

 *

{

	struct user_namespace *user_ns = current_user_ns();

	return ns_capable(user_ns, CAP_SETGID) &&

	return ns_capable_setid(user_ns, CAP_SETGID) &&

		userns_may_setgroups(user_ns);

}

	if (rgid != (gid_t) -1) {

		if (gid_eq(old->gid, krgid) ||

		    gid_eq(old->egid, krgid) ||

		    ns_capable(old->user_ns, CAP_SETGID))

		    ns_capable_setid(old->user_ns, CAP_SETGID))

			new->gid = krgid;

		else

			goto error;

		if (gid_eq(old->gid, kegid) ||

		    gid_eq(old->egid, kegid) ||

		    gid_eq(old->sgid, kegid) ||

		    ns_capable(old->user_ns, CAP_SETGID))

		    ns_capable_setid(old->user_ns, CAP_SETGID))

			new->egid = kegid;

		else

			goto error;

	old = current_cred();

	retval = -EPERM;

	if (ns_capable(old->user_ns, CAP_SETGID))

	if (ns_capable_setid(old->user_ns, CAP_SETGID))

		new->gid = new->egid = new->sgid = new->fsgid = kgid;

	else if (gid_eq(kgid, old->gid) || gid_eq(kgid, old->sgid))

		new->egid = new->fsgid = kgid;

	old = current_cred();

	retval = -EPERM;

	if (!ns_capable(old->user_ns, CAP_SETGID)) {

	if (!ns_capable_setid(old->user_ns, CAP_SETGID)) {

		if (rgid != (gid_t) -1        && !gid_eq(krgid, old->gid) &&

		    !gid_eq(krgid, old->egid) && !gid_eq(krgid, old->sgid))

			goto error;

	if (gid_eq(kgid, old->gid)  || gid_eq(kgid, old->egid)  ||

	    gid_eq(kgid, old->sgid) || gid_eq(kgid, old->fsgid) ||

	    ns_capable(old->user_ns, CAP_SETGID)) {

	    ns_capable_setid(old->user_ns, CAP_SETGID)) {

		if (!gid_eq(kgid, old->fsgid)) {

			new->fsgid = kgid;

			if (security_task_fix_setgid(new,old,LSM_SETID_FS) == 0)