capabilities.7: Improve the discussion of when file capabilities are ignored

The text stated that the execve() capability transitions are not performed for the same reasons that setuid and setgid mode bits may be ignored (as described in execve(2)). But, that's not quite correct: rather, the file capability sets are treated as empty for the purpose of the capability transition calculations. Also merge the new 'no_file_caps' kernel option text into the same paragraph. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2019-02-12 10:29:21 +01:00 · 2019-02-12 10:29:21 +01:00 · 1a9ed17c9e
parent f6acfeb8f8
commit 1a9ed17c9e
1 changed files with 4 additions and 7 deletions
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@ -1129,16 +1129,13 @@ in the same manner as shown above for
 .IR P(bounding) .
 .PP
 .IR Note :
-the capability transitions described above may
-.I not
-be performed (i.e., file capabilities may be ignored) for the same reasons
+during the capability transitions described above,
+file capabilities may be ignored (treated as empty) for the same reasons
 that the set-user-ID and set-group-ID bits are ignored; see
 .BR execve (2).
-.IR Note :
-if the kernel was booted with the
+File capabilities are similarly ignored if the kernel was booted with the
 .I no_file_caps
-option, then file capabilities are ignored (treated as empty)
-during the capability transitions described above.
+option.
 .PP
 .IR Note :
 according to the rules above,