Manual pages: setpriv.1: warn users of restrictions on capability changes

The kernel imposes various restrictions on the changes that can be
made to the inheritable, ambient, and bounding sets. Warn the user
about that.

Signed-off-by: Michael Kerrisk (man-pages) <mtk.manpages@gmail.com>

diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1
index 3794a917e93462b534deed592032085943923769..42d1a2fb9109a033ecf59152a9832a8b43e4525c 100644 (file)
--- a/sys-utils/setpriv.1
+++ b/sys-utils/setpriv.1
@@ -65,6 +65,22 @@ the current ambient set for
 and the current bounding set for
 .BR \-\-bounding\-set .
 .IP
+Note the following restrictions (detailed in
+.BR capabilities (7))
+regarding modifications to these capability sets:
+.RS
+.IP * 2
+A capability can be added to the inheritable set only if it is
+currently present in the bounding set.
+.IP *
+A capability can be added to the ambient set only if it is currently
+present in both the permitted and inheritable sets.
+.IP *
+Notwithstanding the syntax offered by
+.BR setpriv ,
+the kernel does not permit capabilities to be added to the bounding set.
+.RE
+.IP
 If you drop a capability from the bounding set without also dropping it from the
 inheritable set, you are likely to become confused.  Do not do that.
 .TP