Re: [PATCH 3/3] capabilities.7: File effective capability is a bit


 



Hello Samuel,

On 4/22/19 3:34 PM, Samuel Karp wrote:
Reword file Effective capability to clarify that it is not a capability
set, but a single bit.

I don't really see any point to this change. The page already clearly
explains that the "effective set" is really just a bit. And,
conventionally, the three sets are referred to as "sets" even though
one of them is just a bit.

Thanks,

Michael

Signed-off-by: Samuel Karp <skarp@xxxxxxxxxx>
---
  man7/capabilities.7 | 13 ++++++++-----
  1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/man7/capabilities.7 b/man7/capabilities.7
index 2776b1f8b..4a719130d 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -48,6 +48,7 @@
  .\"     Clarify wording for Inheritable thread capability sets.
  .\"     Reorganize thread capability sets to group total bounds and inheritance
  .\"     together.
+.\"     File Effective capability is a bit, not a set.
  .\"
  .TH CAPABILITIES 7 2019-03-06 "Linux" "Linux Programmer's Manual"
  .SH NAME
@@ -925,7 +926,7 @@ in conjunction with the capability sets of the thread,
  determine the capabilities of a thread after an
  .BR execve (2).
  .PP
-The three file capability sets are:
+The two file capability sets are:
  .TP
  .IR Permitted " (formerly known as " forced ):
  These capabilities are automatically permitted to the thread,
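Review bot: the change from "three" to "two" file capability sets at the `+The two file capability sets are:` line should be checked against every other place in capabilities.7 that counts or names the file sets (for example any text that refers to the file "effective set" or to "the three file capability sets"), otherwise the page will disagree with itself about how many sets there are; the maintainer's reply above also notes that "sets" is the conventional term even for the effective bit, so the commit message should justify departing from that convention if the rename is kept.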
@@ -936,9 +937,11 @@ This set is ANDed with the thread's inheritable set to determine which
  inheritable capabilities are enabled in the permitted set of
  the thread after the
  .BR execve (2).
-.TP
-.IR Effective :
-This is not a set, but rather just a single bit.
+.\"
+.PP
+Files may also have an
+.BR Effective
+capability bit set.
  If this bit is set, then during an
  .BR execve (2)
  all of the new permitted capabilities for the thread are
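Review bot: removing the `.TP` / `.IR Effective :` tagged entry means "Effective" no longer appears as a labelled item in the list a reader scans for the three names, so the bit becomes harder to find; if the reword is kept, consider retaining a tagged entry (e.g. `.IR Effective " (a single bit):"`) rather than demoting it to an untagged `.PP` paragraph. Two smaller points in the same hunk: the added `+.\"` line is an empty comment with no content and can be dropped, and `.BR Effective` with a single argument relies on the alternating-font macro where `.B Effective` (or `.I`, matching the `.IR` used for the other two names) is the conventional form.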
@@ -946,7 +949,7 @@ also raised in the effective set.
  If this bit is not set, then after an
  .BR execve (2),
  none of the new permitted capabilities is in the new effective set.
-.IP
+.PP
  Enabling the file effective capability bit implies
  that any file permitted or inheritable capability that causes a
  thread to acquire the corresponding permitted capability during an
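Review bot: the `-.IP` / `+.PP` swap is only correct together with the removal of the `.TP` entry in the previous hunk, since `.IP` there was indenting the continuation under the tagged "Effective" item; if the maintainer's objection leads to that part of the change being dropped, this hunk must be dropped as well, otherwise the continuation paragraph loses its indentation under the tagged entry.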



