user_namespaces.7: Note treatment of "securebits" flags

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/user_namespaces.7

@@ -105,7 +105,8 @@ Likewise, a process that creates a new user namespace using
 .BR unshare (2)
 or joins an existing user namespace using
 .BR setns (2)
-gains a full set of capabilities in that namespace.
+gains a full set of capabilities in that namespace,
+and its securebits flags are cleared.
 On the other hand,
 that process has no capabilities outside that user namespace,
 even if the new namespace is created or joined by the root user
@@ -116,6 +117,32 @@ files that are owned by user ID 0,
 and will be able to do things such as sending signals
 to processes belonging to user ID 0.)
 
+A call to 
+.BR clone (2),
+.BR unshare (2),
+or
+.BR setns (2)
+using the
+.BR CLONE_NEWUSER
+flag sets the "securebits" flags
+(see
+.BR capabilities (7))
+to their default values (all flags disabled) in the child (for
+.BR clone (2))
+or caller (for
+.BR unshare (2),
+or
+.BR setns (2)).
+Note that
+because the caller no longer has capabilities in its original user namespace
+after a call to
+.BR setns (2),
+it is not possible for a process to reset its "securebits" flags while
+retaining its user namespace membership by using a pair of
+.BR setns (2)
+calls to move to another user namespace and then return to
+its original user namespace.
+
 Having a capability inside a user namespace
 permits a process to perform operations (that require privilege)
 only on resources governed by that namespace.