From ac794195038f3753ca6bace74b13036af43bd68c Mon Sep 17 00:00:00 2001
From: Michael Kerrisk <mtk.manpages@gmail.com>
Date: Wed, 16 May 2018 23:04:02 +0200
Subject: [PATCH] setns.2: Note capability requirements for changing network,
 IPC, or UTS namespace

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
---
 man2/setns.2 | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/man2/setns.2 b/man2/setns.2
index 03de943eb..d981e8839 100644
--- a/man2/setns.2
+++ b/man2/setns.2
@@ -173,6 +173,13 @@ Using
 .BR setns ()
 to change the caller's cgroup namespace does not change
 the caller's cgroup memberships.
+.TP
+Network, IPC, and UTS namespaces
+In order to reassociate itself with a new network, IPC, or UTS namespace,
+the calling process must have the
+.B CAP_SYS_ADMIN
+capability both in its own user namespace and in the user namespace
+that owns the target namespace.
 .SH RETURN VALUE
 On success,
 .BR setns ()