proc.5: Tweak's to Eric Biederman's patch

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man5/proc.5

@@ -1216,26 +1216,32 @@ are not available if the main thread has already terminated
 .\"
 This file displays the string
 .RI \(dq allow \(dq
-if the
+if processes in the user namespace that contains the process
+.I pid
+are permitted to employ the
 .BR setgroups (2)
-system call is permitted in the process's user namespace, and
+system call, and
 .RI \(dq deny \(dq
 if
 .BR setgroups (2)
-is not permitted.
+is not permitted in that user namespace.
+
 A privileged process (one with the
 .BR CAP_SYS_ADMIN
-capability in the namespace)
-.\" Should it be "parent namespace" in the line above?
-may write either of the strings
+capability in the namespace) may write either of the strings
 .RI \(dq allow \(dq
 or
 .RI \(dq deny \(dq
 to this file before writing a group ID mapping
 for this user namespace to the file
 .IR /proc/[pid]/gid_map .
-The default value of this file in the initial user namesapce is
-.RI " allow ".
+Writing the string
+.RI \(dq deny \(dq
+prevents any process in the user namespace from employing
+.BR setgroups (2).
+
+The default value of this file in the initial user namespace is
+.RI \(dq allow \(dq.
 
 Once
 .IR /proc/[pid]/gid_map
@@ -1255,7 +1261,7 @@ setting from its parent.
 If the
 .I setgroups
 file has the value
-.IR \(dq deny \(dq,
+.RI \(dq deny \(dq,
 then the
 .BR setgroups (2)
 system call can't subsequently be reenabled (by writing