capabilities.7: Under CAP_SYS_ADMIN, group "sub-capabilities" together

CAP_BPF, CAP_PERFMON, and CAP_CHECKPOINT_RESTORE have all been added to split out the power of CAP_SYS_ADMIN into weaker pieces. Group all of these capabilities together in the list under CAP_SYS_ADMIN, to make it clear that there is a pattern to these capabilities. Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
2020-10-27 13:54:22 +01:00 · 2020-10-27 13:54:22 +01:00 · 2fbfb575b8
parent 045c5bde77
commit 2fbfb575b8
1 changed files with 10 additions and 7 deletions
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@ -415,6 +415,16 @@ access the same checkpoint/restore functionality that is governed by
 (but the latter, weaker capability is preferred for accessing
 that functionality).
 .IP *
+perform the same BPF operations as are governed by
+.BR CAP_BPF
+(but the latter, weaker capability is preferred for accessing
+that functionality).
+.IP *
+employ the same performance monitoring mechanisms as are governed by
+.BR CAP_PERFMON
+(but the latter, weaker capability is preferred for accessing
+that functionality).
+.IP *
 perform
 .B IPC_SET
 and
@ -463,9 +473,6 @@ and
 (but, since Linux 3.8,
 creating user namespaces does not require any capability);
 .IP *
-employ various performance monitoring mechanisms (as for
-.BR CAP_PERFMON );
-.IP *
 access privileged
 .I perf
 event information;
@ -481,10 +488,6 @@ namespace);
 call
 .BR fanotify_init (2);
 .IP *
-perform various BPF operations;
-see
-.BR CAP_BPF ;
-.IP *
 perform privileged
 .B KEYCTL_CHOWN
 and