From 9c5b11bf42165181f637415b9c5716769c25b123 Mon Sep 17 00:00:00 2001
From: Michael Kerrisk <mtk.manpages@gmail.com>
Date: Thu, 14 Feb 2019 11:09:50 +0100
Subject: [PATCH] capabilities.7: Add a subsection on per-user-namespace
 "set-user-ID-root" programs

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
---
 man7/capabilities.7 | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/man7/capabilities.7 b/man7/capabilities.7
index 686e31996c..2985aca400 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -1583,6 +1583,23 @@ prctl(PR_SET_SECUREBITS,
 .in
 .\"
 .\"
+.SS Per-user-namespace """set-user-ID-root""" programs
+A set-user-ID program whose UID matches the UID that
+created a user namespace will confer capabilities
+in the process's permitted and effective sets
+when executed by any process inside that namespace
+or any descendant user namespace.
+.PP
+The rules about the transformation of the process's capabilities during the
+.BR execve (2)
+are exactly as described in the subsections
+.IR "Transformation of capabilities during execve()"
+and
+.IR "Capabilities and execution of programs by root" ,
+with the difference that, in the latter subsection, "root"
+is the UID of the creator of the user namespace.
+.\"
+.\"
 .SS Namespaced file capabilities
 .\" commit 8db6c34f1dbc8e06aa016a9b829b06902c3e1340
 Traditional (i.e., version 2) file capabilities associate
-- 
2.39.2