capabilities.7: ffix

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
Michael Kerrisk 2017-08-12 23:25:45 +02:00
parent 7c4dfcac5a
commit ade303d700
1 changed files with 26 additions and 26 deletions

@ -60,7 +60,7 @@ Privileged processes bypass all kernel permission checks,
while unprivileged processes are subject to full permission
checking based on the process's credentials
(usually: effective UID, effective GID, and supplementary group list).
.PP
Starting with kernel 2.2, Linux divides the privileges traditionally
associated with superuser into distinct units, known as
.IR capabilities ,
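Review bot: none of the seven lines in this hunk carries a `+` or `-` prefix, and the header reads `@ -60,7 +60,7 @@` with a single leading `@`, so although the summary counts 26 additions and 26 deletions, the line being replaced here (presumably the `.PP` between the "(usually: effective UID, ...)" sentence and "Starting with kernel 2.2") cannot be told from the context lines; the same holds for every hunk below. Please re-post the change as plain `git format-patch` output so the old and new macro on each paragraph break can be compared.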
@ -284,7 +284,7 @@ is not available when the kernel is configured to support
file capabilities, since
.B CAP_SETPCAP
has entirely different semantics for such kernels.)
.IP
If file capabilities are supported:
add any capability from the calling thread's bounding set
to its inheritable set;
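Review bot: the paragraph break before "If file capabilities are supported:" sits inside the `.TP` entry for `CAP_SETPCAP`, so it must remain a bare `.IP`, which keeps the entry's hanging indent; a `.PP` at this spot would outdent the continuation to the left margin and visually detach it from the entry. Since the rendering shows no marker on the `.IP` line, please confirm that `.IP` is the retained side of the change.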
@ -318,7 +318,7 @@ write a user ID mapping in a user namespace (see
this capability is overloaded; see
.IR "Notes to kernel developers" ,
below.
.IP
.PD 0
.RS
.IP * 2
@ -816,7 +816,7 @@ It is also a limiting superset for the capabilities that
may be added to the inheritable set by a thread that does not have the
.B CAP_SETPCAP
capability in its effective set.
.IP
If a thread drops a capability from its permitted set,
it can never reacquire that capability (unless it
.BR execve (2)s
@ -847,12 +847,12 @@ This is a set of capabilities that are preserved across an
of a program that is not privileged.
The ambient capability set obeys the invariant that no capability
can ever be ambient if it is not both permitted and inheritable.
.IP
The ambient capability set can be directly modified using
.BR prctl (2).
Ambient capabilities are automatically lowered if either of
the corresponding permitted or inheritable capabilities is lowered.
.IP
Executing a program that changes UID or GID due to the
set-user-ID or set-group-ID bits or executing a program that has
any file capabilities set will clear the ambient set.
@ -894,7 +894,7 @@ The file capability sets,
in conjunction with the capability sets of the thread,
determine the capabilities of a thread after an
.BR execve (2).
.PP
The three file capability sets are:
.TP
.IR Permitted " (formerly known as " forced ):
@ -916,7 +916,7 @@ also raised in the effective set.
If this bit is not set, then after an
.BR execve (2),
none of the new permitted capabilities is in the new effective set.
.IP
Enabling the file effective capability bit implies
that any file permitted or inheritable capability that causes a
thread to acquire the corresponding permitted capability during an
@ -938,9 +938,9 @@ During an
.BR execve (2),
the kernel calculates the new capabilities of
the process using the following algorithm:
.PP
.in +4n
.nf
P'(ambient) = (file is privileged) ? 0 : P(ambient)
P'(permitted) = (P(inheritable) & F(inheritable)) |
@ -949,9 +949,9 @@ P'(permitted) = (P(inheritable) & F(inheritable)) |
P'(effective) = F(effective) ? P'(permitted) : P'(ambient)
P'(inheritable) = P(inheritable) [i.e., unchanged]
.fi
.in
.PP
where:
.RS 4
.IP P 10
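Review bot: the display block opened by `.in +4n` / `.nf` in the previous hunk is closed here by `.fi` / `.in`, and the second operand of `P'(permitted) = (P(inheritable) & F(inheritable)) |` falls in the gap between the two hunks. Because both hunks change lines directly adjacent to these macros, please render the page after the change (`man -l man7/capabilities.7`, or `groff -man -Tutf8`) and confirm that the four P'() lines still come out unfilled and indented rather than reflowed into one paragraph.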
@ -968,14 +968,14 @@ is the value of the capability bounding set (described below).
.PP
A privileged file is one that has capabilities or
has the set-user-ID or set-group-ID bit set.
.PP
.IR Note :
the capability transitions described above may
.I not
be performed (i.e., file capabilities may be ignored) for the same reasons
that the set-user-ID and set-group-ID bits are ignored; see
.BR execve (2).
.PP
.IR Note :
according to the rules above,
if a process with nonzero user IDs performs an
@ -1002,7 +1002,7 @@ so that the file permitted capabilities are automatically
enabled in the process effective set when executing the file.
The kernel recognizes a file which has the effective capability bit set
as capability-dumb for the purpose of the check described here.
.PP
When executing a capability-dumb binary,
the kernel checks if the process obtained all permitted capabilities
that were specified in the file permitted set,
@ -1119,14 +1119,14 @@ The bounding set is accessible via the file
(Confusingly, this bit mask parameter is expressed as a
signed decimal number in
.IR /proc/sys/kernel/cap-bound .)
.PP
Only the
.B init
process may set capabilities in the capability bounding set;
other than that, the superuser (more precisely: programs with the
.B CAP_SYS_MODULE
capability) may only clear capabilities from this set.
.PP
On a standard system the capability bounding set always masks out the
.B CAP_SETPCAP
capability.
@ -1135,7 +1135,7 @@ To remove this restriction (dangerous!), modify the definition of
in
.I include/linux/capability.h
and rebuild the kernel.
.PP
The system-wide capability bounding set feature was added
to Linux starting with kernel version 2.2.11.
.\"
@ -1146,12 +1146,12 @@ From Linux 2.6.25, the
.I "capability bounding set"
is a per-thread attribute.
(There is no longer a system-wide capability bounding set.)
.PP
The bounding set is inherited at
.BR fork (2)
from the thread's parent, and is preserved across an
.BR execve (2).
.PP
A thread may remove capabilities from its capability bounding set using the
.BR prctl (2)
.B PR_CAPBSET_DROP
@ -1164,7 +1164,7 @@ A thread can determine if a capability is in its bounding set using the
.BR prctl (2)
.B PR_CAPBSET_READ
operation.
.PP
Removing capabilities from the bounding set is supported only if file
capabilities are compiled into the kernel.
In kernels before Linux 2.6.33,
@ -1184,7 +1184,7 @@ begins with a full bounding set minus
.BR CAP_SETPCAP ,
because this capability has a different meaning when there are
no file capabilities.
.PP
Removing a capability from the bounding set does not remove it
from the thread's inherited set.
However it does prevent the capability from being added
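Review bot: "from the thread's inherited set" should read "inheritable set": the page names the per-thread sets Permitted, Inheritable, Effective and Ambient (see `P'(inheritable) = P(inheritable)` above and "to its inheritable set" in the `CAP_SETPCAP` entry), and there is no "inherited" set. This is a context line, so it is outside the scope of an ffix commit, but it deserves a follow-up wording fix.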
@ -1338,7 +1338,7 @@ operations.
The
.B CAP_SETPCAP
capability is required to modify the flags.
.PP
The
.I securebits
flags are inherited by child processes.
@ -1347,14 +1347,14 @@ During an
all of the flags are preserved, except
.B SECBIT_KEEP_CAPS
which is always cleared.
.PP
An application can use the following call to lock itself,
and all of its descendants,
into an environment where the only way of gaining capabilities
is by executing a program with associated file capabilities:
.PP
.in +4n
.nf
prctl(PR_SET_SECUREBITS,
/* SECBIT_KEEP_CAPS off */
SECBIT_KEEP_CAPS_LOCKED |
@ -1383,7 +1383,7 @@ capabilities were an optional kernel component,
and could be enabled/disabled via the
.B CONFIG_SECURITY_CAPABILITIES
kernel configuration option.
.PP
The
.I /proc/[pid]/task/TID/status
file can be used to view the capability sets of a thread.
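Review bot: `.I /proc/[pid]/task/TID/status` mixes the bracketed placeholder `[pid]` with a bare `TID`; proc(5) writes this path as `/proc/[pid]/task/[tid]/...`, so `[tid]` would be the consistent form. Context line again, so a candidate for a separate wording commit rather than this ffix.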
@ -1397,7 +1397,7 @@ Since Linux 3.8,
all nonexistent capabilities (above
.BR CAP_LAST_CAP )
are shown as disabled (0).
.PP
The
.I libcap
package provides a suite of routines for setting and
@ -1415,7 +1415,7 @@ It can be found at
.br
.UR http://www.kernel.org\:/pub\:/linux\:/libs\:/security\:/linux\-privs
.UE .
.PP
Before kernel 2.6.24, and from kernel 2.6.24 to kernel 2.6.32 if
file capabilities are not enabled, a thread with the
.B CAP_SETPCAP