From 29c1f3cf960495be9659486e194539f107ad03b5 Mon Sep 17 00:00:00 2001 From: Kir Kolyshkin Date: Wed, 28 Jul 2021 22:19:50 +0200 Subject: [PATCH] capabilities.7, user_namespaces.7: Describe CAP_SETFCAP mtk: The kernel commit message is quite enlihtening: commit db2e718a47984b9d71ed890eb2ea36ecf150de18 Author: Serge E. Hallyn Date: Tue Apr 20 08:43:34 2021 -0500 Signed-off-by: Kir Kolyshkin Signed-off-by: Alejandro Colomar Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 6 ++++++ man7/user_namespaces.7 | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 9f8f0087f..2f9c9a61e 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -349,6 +349,12 @@ write a group ID mapping in a user namespace (see .TP .BR CAP_SETFCAP " (since Linux 2.6.24)" Set arbitrary capabilities on a file. +.IP +.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18 +Since Linux 5.12, this capability is +also needed to map uid 0 (as in +.BR unshare\ -Ur , +.RB see unshare (1). .TP .B CAP_SETPCAP If file capabilities are supported (i.e., since Linux 2.6.24): diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 518e7a3bb..3378b6057 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -577,6 +577,12 @@ or be in the parent user namespace of the process The mapped user IDs (group IDs) must in turn have a mapping in the parent user namespace. .IP 4. +.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18 +If a writing process is root (i.e. UID 0) trying to map host user ID 0, +it must have +.B CAP_SETFCAP +capability (since Linux 5.12). +.IP 5. One of the following two cases applies: .RS .IP * 3
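Review bot: In the man7/capabilities.7 hunk, the parenthesis opened by "(as in" is never closed, so the rendered text reads "also needed to map uid 0 (as in unshare -Ur, see unshare(1)." Suggest closing it after the cross reference, e.g. ".RB see unshare (1))." and, while there, say which namespace's ID is meant: "map uid 0" is ambiguous between the new namespace and its parent, whereas the user_namespaces.7 hunk in the same patch says "host user ID 0". Using the same wording in both places ("user ID 0 in the parent user namespace", and the page's usual "UID" capitalisation) would keep the two descriptions of the same Linux 5.12 rule consistent.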
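Review bot: In the man7/user_namespaces.7 hunk, the new rule 4 is stated as "If a writing process is root (i.e. UID 0) trying to map host user ID 0", which makes the writer's own UID the condition, while the commit subject ("require CAP_SETFCAP to map uid 0") and the capabilities.7 hunk in the same patch condition only on host UID 0 appearing in the mapping. Suggest dropping the "is root (i.e. UID 0)" qualifier so the rule reads "If the mapping includes host (parent-namespace) user ID 0, the writing process must have CAP_SETFCAP (since Linux 5.12)", or, if the writer's UID really is part of the kernel check, state that explicitly in both files. Also, since this hunk renumbers the old item 4 to 5, please confirm that any later numbered items in this list were renumbered as well; the hunk context ends at ".IP * 3", so that cannot be checked from the diff.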