capabilities.7, user_namespaces.7: Describe CAP_SETFCAP

mtk: The kernel commit message is quite enlihtening: commit db2e718a47984b9d71ed890eb2ea36ecf150de18 Author: Serge E. Hallyn <serge@hallyn.com> Date: Tue Apr 20 08:43:34 2021 -0500 Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com> Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com> Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2021-07-28 22:19:50 +02:00 · 2021-07-28 22:19:50 +02:00 · 29c1f3cf96
parent 76dec7bbd4
commit 29c1f3cf96
2 changed files with 12 additions and 0 deletions
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@ -349,6 +349,12 @@ write a group ID mapping in a user namespace (see
 .TP
 .BR CAP_SETFCAP " (since Linux 2.6.24)"
 Set arbitrary capabilities on a file.
+.IP
+.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18
+Since Linux 5.12, this capability is
+also needed to map uid 0 (as in
+.BR unshare\ -Ur ,
+.RB see unshare (1).
 .TP
 .B CAP_SETPCAP
 If file capabilities are supported (i.e., since Linux 2.6.24):
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@ -577,6 +577,12 @@ or be in the parent user namespace of the process
 The mapped user IDs (group IDs) must in turn have a mapping
 in the parent user namespace.
 .IP 4.
+.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18
+If a writing process is root (i.e. UID 0) trying to map host user ID 0,
+it must have
+.B CAP_SETFCAP
+capability (since Linux 5.12).
+.IP 5.
 One of the following two cases applies:
 .RS
 .IP * 3