From 36de80b984943653a475046028b888ae15e8d148 Mon Sep 17 00:00:00 2001
From: Michael Kerrisk <mtk.manpages@gmail.com>
Date: Tue, 1 May 2018 12:54:28 +0200
Subject: [PATCH] capabilities.7: Add text introducing bounding set along with
 other thread capability sets

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
---
 man7/capabilities.7 | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/man7/capabilities.7 b/man7/capabilities.7
index 6db7edf1d..a3d5849ec 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -838,6 +838,18 @@ ambient capabilities, described below.
 This is the set of capabilities used by the kernel to
 perform permission checks for the thread.
 .TP
+.IR Bounding " (per-thread since Linux 2.6.25)"
+The capability bounding set is a mechanism that can be used
+to limit the capabilities that are gained during
+.BR execve (2).
+.IP
+Since Linux 2.6.25, this is a per-thread capability set.
+In older kernels, the capability bounding set was a system wide attribute
+shared by all threads on the system.
+.IP
+.IP
+For more details on the capability bounding set, see below.
+.TP
 .IR Ambient " (since Linux 4.3):"
 .\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
 This is a set of capabilities that are preserved across an