Permitted and Effective capability sets describe bounds that the kernel enforces for the current thread. Bounding, Inheritable, and Ambient capability sets describe bounds that apply across the execve(2) boundary. Signed-off-by: Samuel Karp <skarp@xxxxxxxxxx> --- man7/capabilities.7 | 30 ++++++++++++++++-------------- 1 file changed, 16 insertions(+), 14 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 9f7ee670a..2776b1f8b 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -46,6 +46,8 @@ .\" 2011-09-07, mtk/Serge hallyn: Add CAP_SYSLOG .\" 2019-04-10, Samuel Karp <skarp@xxxxxxxxxx> .\" Clarify wording for Inheritable thread capability sets. +.\" Reorganize thread capability sets to group total bounds and inheritance +.\" together. .\" .TH CAPABILITIES 7 2019-03-06 "Linux" "Linux Programmer's Manual" .SH NAME @@ -831,20 +833,6 @@ it can never reacquire that capability (unless it either a set-user-ID-root program, or a program whose associated file capabilities grant that capability). .TP -.IR Inheritable -This is a set of capabilities preserved across an -.BR execve (2) -when running as a root user. -Inheritable capabilities remain inheritable when executing any program, -and inheritable capabilities are added to the permitted set when executing -a program that has the corresponding bits set in the file inheritable set. -.IP -Because inheritable capabilities are not generally preserved across -.BR execve (2) -when running as a non-root user, applications that wish to run helper -programs with elevated capabilities should consider using -ambient capabilities, described below. -.TP .IR Effective This is the set of capabilities used by the kernel to perform permission checks for the thread. 
@@ -861,6 +849,20 @@ shared by all threads on the system. .IP For more details on the capability bounding set, see below. .TP +.IR Inheritable +This is a set of capabilities preserved across an +.BR execve (2) +when running as a root user. +Inheritable capabilities remain inheritable when executing any program, +and inheritable capabilities are added to the permitted set when executing +a program that has the corresponding bits set in the file inheritable set. +.IP +Because inheritable capabilities are not generally preserved across +.BR execve (2) +when running as a non-root user, applications that wish to run helper +programs with elevated capabilities should consider using +ambient capabilities, described below. +.TP .IR Ambient " (since Linux 4.3)" .\" commit 58319057b7847667f0c9585b9de0e8932b0fdb08 This is a set of capabilities that are preserved across an -- 2.21.0
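Review bot: the changelog comment added in the first hunk ("group total bounds and inheritance together") is vaguer than the commit message, which draws the line between bounds the kernel enforces for the current thread (Permitted, Effective) and bounds that apply across execve(2) (Bounding, Inheritable, Ambient); carrying that wording into the `.\"` comment, e.g. `.\" Reorder thread capability sets: per-thread bounds first, then sets that apply across execve(2).`, would make the history self-explaining. Also note the `.TH CAPABILITIES 7 2019-03-06` line is left older than the 2019-04-10 changelog entry; fine if the maintainer bumps it at commit time, but worth a check.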
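Review bot: the second hunk only deletes the Inheritable entry between Permitted and Effective, so the Permitted paragraph's closing parenthetical now runs straight into `.TP` / `.IR Effective`, which is the intended layout and reads fine; the one thing to check in the surrounding context is the Permitted line as quoted here, `it can never reacquire that capability (unless it either a set-user-ID-root program, or`, which has no verb between "it" and "either" (presumably an `.BR execve (2)s` line). If the file really reads that way it deserves a separate one-line fix, since this patch moves text without editing it.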
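Review bot: in the third hunk the moved Inheritable text is byte-for-byte the block removed in the second hunk, and its forward reference "ambient capabilities, described below" still holds because `.IR Ambient " (since Linux 4.3)"` is now the very next entry; the move does, however, place three sentences that pull in different directions next to each other: "preserved across an execve(2) when running as a root user", then "remain inheritable when executing any program", then "not generally preserved across execve(2) when running as a non-root user". If the intent is that the inheritable set itself survives execve(2) unchanged for every user and that only root, or a file whose file inheritable set has the matching bits, gets those capabilities added to the permitted set, one sentence stating that and dropping the root qualifier from the first sentence would remove the apparent contradiction; that is a follow-up to this reorder, not a blocker for it.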
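The split the commit message draws, sets the kernel checks for the current thread versus sets that matter at the execve(2) boundary, is easiest to see by running the execve(2) transformation rules from capabilities(7) over concrete bit masks. The C program below is an added example, not part of this patch or of the man-pages project: it implements those rules as a pure function (P'(ambient), P'(permitted), P'(effective), with Inheritable and Bounding carried over unchanged), parses the Cap* lines of a /proc/<pid>/status dump, and shows that a non-root thread holding a capability only in its Inheritable set gains nothing in Permitted when it executes a helper without file capabilities, while the same capability in the Ambient set does survive. The capability bit number, the status text, and the helper names are my own constructions; the root case assumes SECBIT_NOROOT is not set, so a file without file capabilities is treated as having all-ones notional file sets.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bit number as in <linux/capability.h>; assumed here rather than included. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_BIT(c) (UINT64_C(1) << (c))

/* Thread capability sets, one bit per capability, as /proc/<pid>/status prints them. */
struct caps {
    uint64_t permitted, effective, inheritable, bounding, ambient;
};

/* File capabilities of the program being executed.  present=false means the file
 * carries no security.capability attribute; effective is the file's single flag. */
struct filecaps {
    bool present;
    bool setuid_root;              /* set-user-ID-root binary */
    uint64_t permitted, inheritable;
    bool effective;
};

/* execve(2) transformation from capabilities(7), Linux 4.3 and later.
 * euid0: the new program runs with UID 0, so a file without file capabilities
 * gets notional all-ones file sets and the file-effective flag (no SECBIT_NOROOT). */
struct caps execve_transform(struct caps p, struct filecaps f, bool euid0)
{
    struct caps n;
    bool privileged = f.present || f.setuid_root;  /* set-UID/GID or file caps */
    uint64_t fi = f.inheritable, fp = f.permitted;
    bool fe = f.effective;

    if (!f.present && (euid0 || f.setuid_root)) {
        fi = UINT64_MAX;
        fp = UINT64_MAX;
        fe = true;
    }
    n.ambient     = privileged ? 0 : p.ambient;
    n.permitted   = (p.inheritable & fi) | (fp & p.bounding) | n.ambient;
    n.effective   = fe ? n.permitted : n.ambient;
    n.inheritable = p.inheritable;   /* unchanged: this is what "inheritable" means */
    n.bounding    = p.bounding;      /* unchanged */
    return n;
}

/* Store the hex value of a "Key:\t<hex>" status line if the key matches. */
static bool take(const char *line, const char *key, uint64_t *out)
{
    size_t kl = strlen(key);
    if (strncmp(line, key, kl) != 0)
        return false;
    *out = strtoull(line + kl, NULL, 16);   /* strtoull skips the tab */
    return true;
}

/* Parse the Cap* lines of a /proc/<pid>/status text; other lines are ignored. */
struct caps parse_status(const char *status)
{
    struct caps c = {0};
    const char *p = status;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (!take(line, "CapInh:", &c.inheritable) && !take(line, "CapPrm:", &c.permitted) &&
            !take(line, "CapEff:", &c.effective) && !take(line, "CapBnd:", &c.bounding))
            take(line, "CapAmb:", &c.ambient);
        p = nl ? nl + 1 : p + len;
    }
    return c;
}

/* Constructed status excerpt (not captured from a real process): an unprivileged
 * thread holding only CAP_NET_BIND_SERVICE (bit 10 = 0x400) in Inh/Prm/Eff. */
const char SAMPLE_STATUS[] =
    "Name:\tworker\n"
    "Uid:\t1000\t1000\t1000\t1000\n"
    "CapInh:\t0000000000000400\n"
    "CapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n";

static void show(const char *what, struct caps c)
{
    printf("%-30s prm=%016llx eff=%016llx inh=%016llx amb=%016llx\n", what,
           (unsigned long long)c.permitted, (unsigned long long)c.effective,
           (unsigned long long)c.inheritable, (unsigned long long)c.ambient);
}

int main(void)
{
    struct caps t = parse_status(SAMPLE_STATUS);
    struct filecaps plain = {0};   /* helper with no file capabilities */
    struct filecaps fi10 = { .present = true, .inheritable = CAP_BIT(CAP_NET_BIND_SERVICE), .effective = true };

    show("before execve", t);
    show("non-root, plain helper", execve_transform(t, plain, false));   /* prm/eff become 0 */
    show("non-root, file Inh bit 10", execve_transform(t, fi10, false));
    t.ambient = CAP_BIT(CAP_NET_BIND_SERVICE);
    show("non-root, plain, ambient", execve_transform(t, plain, false)); /* bit 10 survives */
    t.ambient = 0;
    show("root, plain helper", execve_transform(t, plain, true));
    return 0;
}
```

The first two rows of the output are the point of the reorder: with a plain helper and no ambient set, Permitted and Effective drop to zero for the non-root thread even though Inheritable still carries bit 10 on the far side of execve(2), which is why the man page steers non-root callers toward ambient capabilities.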