user_namespaces.7: Describe the effect of file-related capabilities inside use namespaces

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>

diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7
index f8dbc8217e0c0fd09afba8d740347fdc207455cc..1d4d68460caf32406713980c6f13ac3d3a98337d 100644 (file)
--- a/man7/user_namespaces.7
+++ b/man7/user_namespaces.7
@@ -878,6 +878,42 @@ the permissions that the process has on the file.
 .\"
 .\" ============================================================
 .\"
+.SS Operation of file-related capabilities
+.PP
+Certain capabilities allow a process to bypass various
+kernel-enforced restrictions when performing operations on
+files owned by other users or groups.
+These capabilities are:
+.BR CAP_CHOWN ,
+.BR CAP_DAC_OVERRIDE ,
+.BR CAP_DAC_READ_SEARCH ,
+.BR CAP_FOWNER ,
+and
+.BR CAP_FSETID .
+.PP
+Within a user namespace,
+these capabilities allow a process to bypass the rules
+if the process has the relevant capability over the file,
+meaning that:
+.IP * 3
+the process has the relevant effective capability in its user namespace; and
+.IP *
+the file's user ID and group ID both have valid mappings
+in the user namespace.
+.PP
+The
+.BR CAP_FOWNER
+capability is treated somewhat exceptionally:
+most of the checks that it governs can be bypassed so long as
+just the file's user ID has a mapping in the user namespace
+.\" These are the checks performed by the kernel function
+.\" inode_owner_or_capable(). There is one exception to the exception:
+.\" overriding the directory sticky permission bit requires that
+.\" the file has a valid mapping for both its UID and GID.
+(i.e., the file's group ID does not need to have a valid mapping).
+.\"
+.\" ============================================================
+.\"
 .SS Set-user-ID and set-group-ID programs
 .PP
 When a process inside a user namespace executes