capabilities.7: Fix some imprecisions in discussion of namespaced file capabilities

The file UID does not come into play when creating a v3 security.capability extended attribute. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2018-07-01 11:40:26 +02:00 · 2018-07-01 11:40:26 +02:00 · 00ae99b028
parent 9b2c207a33
commit 00ae99b028
1 changed files with 5 additions and 9 deletions
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@ -1532,17 +1532,13 @@ Namespaced file capabilities are recorded as version 3 (i.e.,
 .BR VFS_CAP_REVISION_3 )
 .I security.capability
 extended attributes.
-Such an attribute is automatically created when a process that resides
-in a noninitial user namespace associates
-.RB ( setxattr (2))
-file capabilities with a file whose user ID matches
-the user ID of the creator of the namespace.
-In this case,
+Such an attribute is automatically created in the circumstances described
+above under "File capability extended attribute versioning".
+When a version 3
+.I security.capability
+extended attribute is created,
 the kernel records not just the capability masks in the extended attribute,
 but also the namespace root user ID.
-For further details, see
-.IR "File capability mask versioning" ,
-above.
 .PP
 As with a binary that has
 .BR VFS_CAP_REVISION_2