git.ipfire.org Git - thirdparty/man-pages.git/commitdiff
capabilities.7: Add a subsection on per-user-namespace "set-user-ID-root" programs
author: Michael Kerrisk <mtk.manpages@gmail.com>
Thu, 14 Feb 2019 10:09:50 +0000 (11:09 +0100)
committer: Michael Kerrisk <mtk.manpages@gmail.com>
Sat, 23 Feb 2019 21:03:20 +0000 (22:03 +0100)
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
man7/capabilities.7

index 686e31996c17c1fd9a4fcd80f92c1eabed0688d8..2985aca400d2f5465592d36384c1d11726d1338e 100644 (file)
@@ -1583,6 +1583,23 @@ prctl(PR_SET_SECUREBITS,
 .in
 .\"
 .\"
+.SS Per-user-namespace """set-user-ID-root""" programs
+A set-user-ID program whose UID matches the UID that
+created a user namespace will confer capabilities
+in the process's permitted and effective sets
+when executed by any process inside that namespace
+or any descendant user namespace.
+.PP
+The rules about the transformation of the process's capabilities during the
+.BR execve (2)
+are exactly as described in the subsections
+.IR "Transformation of capabilities during execve()"
+and
+.IR "Capabilities and execution of programs by root" ,
+with the difference that, in the latter subsection, "root"
+is the UID of the creator of the user namespace.
+.\"
+.\"
 .SS Namespaced file capabilities
 .\" commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340
 Traditional (i.e., version 2) file capabilities associate
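Review bot: the new first paragraph (the lines after `.SS Per-user-namespace """set-user-ID-root""" programs`) says the program "will confer capabilities in the process's permitted and effective sets" but never states in which user namespace those capabilities are effective, and the second paragraph only redefines "root" as the namespace creator's UID; a reader could take this as the process gaining capabilities in the initial (or an ancestor) user namespace. Suggest adding a sentence making explicit that the capabilities conferred are capabilities in the user namespace in question and its descendants, and not in any ancestor namespace, so that the security scope of such a program is clear from this subsection alone rather than only from the cross-referenced ones.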