From 1a9ed17c9eb3856c8255fcd7117c6093de6d7616 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 12 Feb 2019 10:29:21 +0100 Subject: [PATCH] capabilities.7: Improve the discussion of when file capabilities are ignored The text stated that the execve() capability transitions are not performed for the same reasons that setuid and setgid mode bits may be ignored (as described in execve(2)). But, that's not quite correct: rather, the file capability sets are treated as empty for the purpose of the capability transition calculations. Also merge the new 'no_file_caps' kernel option text into the same paragraph. Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 44b6d6079..07dd26b7c 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -1129,16 +1129,13 @@ in the same manner as shown above for .IR P(bounding) . .PP .IR Note : -the capability transitions described above may -.I not -be performed (i.e., file capabilities may be ignored) for the same reasons +during the capability transitions described above, +file capabilities may be ignored (treated as empty) for the same reasons that the set-user-ID and set-group-ID bits are ignored; see .BR execve (2). -.IR Note : -if the kernel was booted with the +File capabilities are similarly ignored if the kernel was booted with the .I no_file_caps -option, then file capabilities are ignored (treated as empty) -during the capability transitions described above. +option. .PP .IR Note : according to the rules above,
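Review bot: In the rewritten sentence ("during the capability transitions described above, file capabilities may be ignored (treated as empty) ..."), the word "ignored" can still be read as "the transitions are not performed", which is exactly the misreading the commit message sets out to correct. Consider stating the distinction outright, for example "the transitions described above are still performed, but with the file capability sets treated as empty, for the same reasons that the set-user-ID and set-group-ID bits are ignored; see execve(2)." The follow-on sentence "File capabilities are similarly ignored if the kernel was booted with the no_file_caps option" then inherits the same explicit meaning; as written it relies on the reader carrying "(treated as empty)" across from the previous sentence. Merging the two former ".IR Note :" paragraphs into one is an improvement, since both describe the same effect on the transition calculation.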