From: Michael Kerrisk (man-pages) Date: Fri, 12 Jun 2020 11:19:33 +0000 (+0200) Subject: Manual pages: setpriv.1: warn users of restrictions on capability changes X-Git-Tag: v2.36-rc2~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d651a1baa9c24150293950b10817f92922e62513;p=thirdparty%2Futil-linux.git Manual pages: setpriv.1: warn users of restrictions on capability changes The kernel imposes various restrictions on the changes that can be made to the inheritable, ambient, and bounding sets. Warn the user about that. Signed-off-by: Michael Kerrisk (man-pages) --- diff --git a/sys-utils/setpriv.1 b/sys-utils/setpriv.1 index 3794a917e9..42d1a2fb91 100644 --- a/sys-utils/setpriv.1 +++ b/sys-utils/setpriv.1 @@ -65,6 +65,22 @@ the current ambient set for and the current bounding set for .BR \-\-bounding\-set . .IP +Note the following restrictions (detailed in +.BR capabilities (7)) +regarding modifications to these capability sets: +.RS +.IP * 2 +A capability can be added to the inheritable set only if it is +currently present in the bounding set. +.IP * +A capability can be added to the ambient set only if it is currently +present in both the permitted and inheritable sets. +.IP * +Notwithstanding the syntax offered by +.BR setpriv , +the kernel does not permit capabilities to be added to the bounding set. +.RE +.IP If you drop a capability from the bounding set without also dropping it from the inheritable set, you are likely to become confused. Do not do that. .TP
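Review bot: The first bullet in this hunk is incomplete: being in the bounding set is a necessary but not a sufficient condition for adding a capability to the inheritable set, since a process without CAP_SETPCAP in its effective set can only add capabilities that are already in its permitted set (the bounding-set limit applies on top of that). Suggest rewording along the lines of "A capability can be added to the inheritable set only if it is currently present in the bounding set and either in the permitted set or the caller has CAP_SETPCAP." The third bullet ("the kernel does not permit capabilities to be added to the bounding set") would also be more useful to users if it said what setpriv does when a user nevertheless tries to add one via \-\-bounding\-set, i.e. whether the invocation fails outright or silently ignores the addition; as written, the reader has to guess, and the existing warning below about dropping from the bounding set but not the inheritable set would read more naturally as a continuation of these bullets than as a separate paragraph.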