mirror of https://github.com/mkerrisk/man-pages
capabilities.7, user_namespaces.7: Describe CAP_SETFCAP
mtk: The kernel commit message is quite enlightening:

commit db2e718a47984b9d71ed890eb2ea36ecf150de18
Author: Serge E. Hallyn <serge@hallyn.com>
Date: Tue Apr 20 08:43:34 2021 -0500

Signed-off-by: Kir Kolyshkin <kolyshkin@gmail.com>
Signed-off-by: Alejandro Colomar <alx.manpages@gmail.com>
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
parent 76dec7bbd4
commit 29c1f3cf96
|
@ -349,6 +349,12 @@ write a group ID mapping in a user namespace (see
|
||||||
.TP
|
.TP
|
||||||
.BR CAP_SETFCAP " (since Linux 2.6.24)"
|
.BR CAP_SETFCAP " (since Linux 2.6.24)"
|
||||||
Set arbitrary capabilities on a file.
|
Set arbitrary capabilities on a file.
|
||||||
|
.IP
|
||||||
|
.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18
|
||||||
|
Since Linux 5.12, this capability is
|
||||||
|
also needed to map uid 0 (as in
|
||||||
|
.BR unshare\ -Ur ,
|
||||||
|
.RB see unshare (1).
|
||||||
.TP
|
.TP
|
||||||
.B CAP_SETPCAP
|
.B CAP_SETPCAP
|
||||||
If file capabilities are supported (i.e., since Linux 2.6.24):
|
If file capabilities are supported (i.e., since Linux 2.6.24):
|
||||||
|
|
|
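Review bot: the last added line, `.RB see unshare (1).`, will render as "seeunshare(1)." because .RB joins its arguments without spaces, and the parenthesis opened at "(as in" is never closed. Suggest putting "see" on its own text line followed by `.BR unshare (1)).`, and escaping the option hyphen in `.BR unshare\ -Ur ,` as `\-Ur`. "uid 0" should also read "user ID 0" to match the wording added to user_namespaces.7 in this same commit, and the sentence should say whose user ID 0 is meant (the other hunk ties it to the ID being mapped from outside the namespace), since a reader deciding whether to grant or drop CAP_SETFCAP needs that scope.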
@ -577,6 +577,12 @@ or be in the parent user namespace of the process
|
||||||
The mapped user IDs (group IDs) must in turn have a mapping
|
The mapped user IDs (group IDs) must in turn have a mapping
|
||||||
in the parent user namespace.
|
in the parent user namespace.
|
||||||
.IP 4.
|
.IP 4.
|
||||||
|
.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18
|
||||||
|
If a writing process is root (i.e. UID 0) trying to map host user ID 0,
|
||||||
|
it must have
|
||||||
|
.B CAP_SETFCAP
|
||||||
|
capability (since Linux 5.12).
|
||||||
|
.IP 5.
|
||||||
One of the following two cases applies:
|
One of the following two cases applies:
|
||||||
.RS
|
.RS
|
||||||
.IP * 3
|
.IP * 3
|
||||||
|
|
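Review bot: in the new item 4, "host user ID 0" uses a term the surrounding rules do not define; the neighbouring context lines speak of "the parent user namespace", so the rule should say "user ID 0 in the parent user namespace" to stay consistent. The text also does not state in which user namespace the writer must hold CAP_SETFCAP, and "If a writing process is root (i.e. UID 0)" leaves it unclear whether the check applies to a non-root writer, which matters for anyone auditing which processes can create a root mapping. Smaller points: the context lines use "i.e.," with a comma, "it must have" needs "the" before CAP_SETFCAP, and since the old item 4 becomes `.IP 5.`, any text elsewhere in the page that refers to the rules by number needs a check.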