Because inheritable capabilities are not generally preserved across
.BR execve (2)
when running as a non-root user, applications that wish to run helper
-programs with elevated capabilities should consider using ambient capabilities,
-described below.
+programs with elevated capabilities should consider using
+ambient capabilities, described below.
.TP
.IR Effective :
This is the set of capabilities used by the kernel to
perform permission checks for the thread.
.TP
.IR Ambient " (since Linux 4.3):"
+.\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08
This is a set of capabilities that are preserved across an
.BR execve (2)
-of a program that does not have file capabilities. The ambient capability
-set obeys the invariant that no capability can ever be ambient if it is
-not both permitted and inheritable. Ambient capabilities are
-preserved in the permitted set and added to the effective
-set when
+of a program that does not have file capabilities.
+The ambient capability set obeys the invariant that no capability
+can ever be ambient if it is not both permitted and inheritable.
+Ambient capabilities are preserved in the permitted set and
+added to the effective set when
.BR execve (2)
-is called. The ambient capability set is modified using
+is called.
+The ambient capability set is modified using
.BR prctl (2).
Executing a program that changes uid or gid due to the setuid or setgid
bits or executing a program that has any file capabilities set will clear
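Review bot: the new `.\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08` comment is the only substantive addition here, and nothing else in the hunk establishes that hash, so please confirm it against the upstream kernel tree and that it is the change behind the "(since Linux 4.3)" in the `.IR Ambient` heading before merging. The remaining edits only re-break the existing sentences at sentence and clause boundaries (for example "of a program that does not have file capabilities." / "The ambient capability set obeys the invariant ..." and "is called." / "The ambient capability set is modified using"), leaving the wording unchanged, which matches the one-clause-per-line layout already used by the surrounding context such as "This is a set of capabilities that are preserved across an" followed by `.BR execve (2)`; it would be worth saying in the commit message that the reflow is whitespace-only so reviewers reading the rendered page know not to look for a semantic change.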