mirror of https://github.com/mkerrisk/man-pages
capabilities.7: Improve the discussion of when file capabilities are ignored
The text stated that the execve() capability transitions are not performed for the same reasons that setuid and setgid mode bits may be ignored (as described in execve(2)). But, that's not quite correct: rather, the file capability sets are treated as empty for the purpose of the capability transition calculations. Also merge the new 'no_file_caps' kernel option text into the same paragraph. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
Michael Kerrisk
parent
f6acfeb8f8
commit
1a9ed17c9e
|
|
@ -1129,16 +1129,13 @@ in the same manner as shown above for
|
||||||
.IR P(bounding) .
|
.IR P(bounding) .
|
||||||
.PP
|
.PP
|
||||||
.IR Note :
|
.IR Note :
|
||||||
the capability transitions described above may
|
during the capability transitions described above,
|
||||||
.I not
|
file capabilities may be ignored (treated as empty) for the same reasons
|
||||||
be performed (i.e., file capabilities may be ignored) for the same reasons
|
|
||||||
that the set-user-ID and set-group-ID bits are ignored; see
|
that the set-user-ID and set-group-ID bits are ignored; see
|
||||||
.BR execve (2).
|
.BR execve (2).
|
||||||
.IR Note :
|
File capabilities are similarly ignored if the kernel was booted with the
|
||||||
if the kernel was booted with the
|
|
||||||
.I no_file_caps
|
.I no_file_caps
|
||||||
option, then file capabilities are ignored (treated as empty)
|
option.
|
||||||
during the capability transitions described above.
|
|
||||||
.PP
|
.PP
|
||||||
.IR Note :
|
.IR Note :
|
||||||
according to the rules above,
|
according to the rules above,
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue