.\"
.\" ============================================================
.\"
+.SS Operation of file-related capabilities
+.PP
+Certain capabilities allow a process to bypass various
+kernel-enforced restrictions when performing operations on
+files owned by other users or groups.
+These capabilities are:
+.BR CAP_CHOWN ,
+.BR CAP_DAC_OVERRIDE ,
+.BR CAP_DAC_READ_SEARCH ,
+.BR CAP_FOWNER ,
+and
+.BR CAP_FSETID .
+.PP
+Within a user namespace,
+these capabilities allow a process to bypass the rules
+if the process has the relevant capability over the file,
+meaning that:
+.IP * 3
+the process has the relevant effective capability in its user namespace; and
+.IP *
+the file's user ID and group ID both have valid mappings
+in the user namespace.
+.PP
+The
+.BR CAP_FOWNER
+capability is treated somewhat exceptionally:
+most of the checks that it governs can be bypassed so long as
+just the file's user ID has a mapping in the user namespace
+.\" These are the checks performed by the kernel function
+.\" inode_owner_or_capable(). There is one exception to the exception:
+.\" overriding the directory sticky permission bit requires that
+.\" the file has a valid mapping for both its UID and GID.
+(i.e., the file's group ID does not need to have a valid mapping).
+.\"
+.\" ============================================================
+.\"
.SS Set-user-ID and set-group-ID programs
.PP
When a process inside a user namespace executes
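Review bot: the sticky-bit exception is recorded only in the roff comment ("overriding the directory sticky permission bit requires that the file has a valid mapping for both its UID and GID") and so never reaches the rendered page, while the visible text says "most of the checks that it governs can be bypassed" without naming the one that cannot; consider surfacing it in the rendered text, e.g. after the parenthetical: "The exception is overriding the sticky bit on a directory, which requires that both the file's user ID and group ID have valid mappings." Placing the comment block between "just the file's user ID has a mapping in the user namespace" and "(i.e., the file's group ID does not need to have a valid mapping)" also splits one sentence across the comment; moving the comment after the parenthetical keeps the source readable. Minor: "bypass the rules" in the second paragraph is vague relative to the first paragraph's "kernel-enforced restrictions"; "bypass these restrictions" ties the two together.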