capabilities.7: Describe file capability versioning

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

man7/capabilities.7

@@ -932,6 +932,40 @@ then the effective flag must also be specified as enabled
 for all other capabilities for which the corresponding permitted or
 inheritable flags is enabled.
 .\"
+.SS File capability version numbering
+To allow extensibility,
+the kernel supports a scheme to encode a version number inside the
+.I security.capability
+extended attribute that is used to implement file capabilities.
+These version numbers are internal to the implementation,
+and not directly visible to user-space applications.
+To date, the following versions are supported:
+.TP
+.BR VFS_CAP_REVISION_1
+This was the original file capability implementation,
+which supported 32-bit masks for file capabilities.
+.TP
+.BR VFS_CAP_REVISION_2 " (since Linux 2.6.25)"
+.\" commit e338d263a76af78fe8f38a72131188b58fceb591
+This version allows for file capability masks that are 64 bits in size,
+and was necessary as the number of supported capabilities grew beyond 32.
+The kernel transparently continues to support the execution of files
+that have 32-bit version 1 capability masks,
+but when adding capabilities to files that did not previously
+have capabilities, or modifying the capabilities of existing files,
+it automatically uses the version 2 scheme.
+.TP
+.BR VFS_CAP_REVISION_3 " (since Linux 4.14)"
+.\" commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340
+Version 3 file capabilities are designed to coexist
+with version 2 capabilities, but serve a different purpose:
+to support namespaced file capabilities.
+As with version 2 file capabilities,
+the capability masks are 64 bits in size.
+In addition, the namespace root user ID is encoded in the
+.I security.capability
+extended attribute.
+.\"
 .SS Transformation of capabilities during execve()
 .PP
 During an