From 7ea1c45ebdd1314de54d2a2d095e5744aa3eaa5b Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Tue, 21 Jun 2016 09:49:32 +0200 Subject: [PATCH] user_namespaces.7: Describe a concrete example of capability checking Add a concrete example of how the kernel checks capabilities in an associated user namespace when a process attempts a privileged operation. Signed-off-by: Michael Kerrisk --- man7/user_namespaces.7 | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 index 6ee498354..1a12f68d3 100644 --- a/man7/user_namespaces.7 +++ b/man7/user_namespaces.7 @@ -252,6 +252,15 @@ privileged operations that operate on global resources isolated by the namespace, the permission checks are performed according to the process's capabilities in the user namespace that the kernel associated with the new namespace. +For example, suppose that a process attempts to change the hostname +.RB ( sethostname (2)), +a resource governed by the UTS namespace. +In this case, +the kernel will determine which user namespace is associated with +the process's UTS namespace, and check whether the process has the +required capability +.RB ( CAP_SYS_ADMIN ) +in that user namespace. .\" .\" ============================================================ .\"
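Review bot: In the added example, "check whether the process has the required capability (CAP_SYS_ADMIN) in that user namespace" does not say that "that user namespace" can differ from the user namespace the process itself is a member of, which is the case a reader most needs spelled out. Consider closing the example with a sentence stating that holding CAP_SYS_ADMIN in the process's own user namespace is not sufficient when the process's UTS namespace is associated with a different user namespace, and naming the error sethostname(2) returns in that case. The phrase "is associated with the process's UTS namespace" could also reuse the wording of the preceding context sentence ("the user namespace that the kernel associated with the new namespace") so the two clearly describe the same relationship.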