Reword file Effective capability to clarify that it is not a capability set, but a single bit. Signed-off-by: Samuel Karp <skarp@xxxxxxxxxx> --- man7/capabilities.7 | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 2776b1f8b..4a719130d 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -48,6 +48,7 @@ .\" Clarify wording for Inheritable thread capability sets. .\" Reorganize thread capability sets to group total bounds and inheritance .\" together. +.\" File Effective capability is a bit, not a set. .\" .TH CAPABILITIES 7 2019-03-06 "Linux" "Linux Programmer's Manual" .SH NAME @@ -925,7 +926,7 @@ in conjunction with the capability sets of the thread, determine the capabilities of a thread after an .BR execve (2). .PP -The three file capability sets are: +The two file capability sets are: .TP .IR Permitted " (formerly known as " forced ): These capabilities are automatically permitted to the thread, @@ -936,9 +937,11 @@ This set is ANDed with the thread's inheritable set to determine which inheritable capabilities are enabled in the permitted set of the thread after the .BR execve (2). -.TP -.IR Effective : -This is not a set, but rather just a single bit. +.\" +.PP +Files may also have an +.BR Effective +capability bit set. If this bit is set, then during an .BR execve (2) all of the new permitted capabilities for the thread are @@ -946,7 +949,7 @@ also raised in the effective set. If this bit is not set, then after an .BR execve (2), none of the new permitted capabilities is in the new effective set. -.IP +.PP Enabling the file effective capability bit implies that any file permitted or inheritable capability that causes a thread to acquire the corresponding permitted capability during an -- 2.21.0
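Review bot: in the hunk at @@ -936,9 +937,11 @@ the added `.BR Effective` typesets the name in bold, while the sibling file capability set names in the same list use italics (`.IR Permitted " (formerly known as " forced ):` in the surrounding context, and the removed `.IR Effective :` line did the same). For consistent typography across Permitted, Inheritable and Effective, consider `.I Effective` (or `.IR Effective`) in the new paragraph instead of `.BR`.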
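Review bot: the wording change in the hunk at @@ -925,7 +926,7 @@ ("The three file capability sets are:" to "The two file capability sets are:") is only correct together with the removal of the `.TP` / `.IR Effective :` entry in the following hunk; the two hunks must land together, so this should stay a single commit rather than be split.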
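Review bot: the hunk at @@ -48,6 +48,7 @@ adds a changelog comment but leaves the `.TH CAPABILITIES 7 2019-03-06` date in its context unchanged; if the maintainer does not bump the date on commit, the `.TH` line should be updated alongside the text change.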