Hello Kir, Alex, On 7/28/21 10:19 PM, Alejandro Colomar wrote: > From: Kir Kolyshkin <kolyshkin@xxxxxxxxx> > > Signed-off-by: Kir Kolyshkin <kolyshkin@xxxxxxxxx> > Signed-off-by: Alejandro Colomar <alx.manpages@xxxxxxxxx> > --- > man7/capabilities.7 | 6 ++++++ > man7/user_namespaces.7 | 6 ++++++ > 2 files changed, 12 insertions(+) > > diff --git a/man7/capabilities.7 b/man7/capabilities.7 > index 9f8f0087f..2f9c9a61e 100644 > --- a/man7/capabilities.7 > +++ b/man7/capabilities.7 > @@ -349,6 +349,12 @@ write a group ID mapping in a user namespace (see > .TP > .BR CAP_SETFCAP " (since Linux 2.6.24)" > Set arbitrary capabilities on a file. > +.IP > +.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18 Thank you for including the commit; that's always really helpful! > +Since Linux 5.12, this capability is > +also needed to map uid 0 (as in > +.BR unshare\ -Ur , > +.RB see unshare (1). > .TP > .B CAP_SETPCAP > If file capabilities are supported (i.e., since Linux 2.6.24): > diff --git a/man7/user_namespaces.7 b/man7/user_namespaces.7 > index 518e7a3bb..3378b6057 100644 > --- a/man7/user_namespaces.7 > +++ b/man7/user_namespaces.7 > @@ -577,6 +577,12 @@ or be in the parent user namespace of the process > The mapped user IDs (group IDs) must in turn have a mapping > in the parent user namespace. > .IP 4. > +.\" commit db2e718a47984b9d71ed890eb2ea36ecf150de18 > +If a writing process is root (i.e. UID 0) trying to map host user ID 0, > +it must have > +.B CAP_SETFCAP > +capability (since Linux 5.12). > +.IP 5. > One of the following two cases applies: > .RS > .IP * 3 Thanks for the patch. I've applied. Cheers, Michael -- Michael Kerrisk Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/ Linux/UNIX System Programming Training: http://man7.org/training/
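Review bot: the roff added to capabilities.7 does not render as intended: `.RB see unshare (1).` concatenates its arguments without spaces, so the output reads "seeunshare(1).", and the parenthesis opened by "(as in" is never closed. Suggest keeping "see" as plain text and giving the page reference its own macro line, e.g. `.BR unshare\ \-Ur ),` followed by `see` and `.BR unshare (1).`, which also escapes the hyphen in `-Ur` as `\-` like the rest of the manual pages. Two smaller points in the same hunk: "uid 0" is written "UID 0" elsewhere in these pages (the user_namespaces.7 hunk itself says "(i.e. UID 0)"), and the sentence says only "map uid 0" without saying in which namespace that ID lives, whereas the user_namespaces.7 hunk says "host user ID 0"; the two descriptions of the same Linux 5.12 rule should use one wording.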
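Review bot: the new item 4 in user_namespaces.7 states the condition differently from the capabilities.7 hunk of the same patch: here it applies only "If a writing process is root (i.e. UID 0)", there the capability is simply "needed to map uid 0" with no root condition; one of the two is incomplete and they should be reconciled. The phrase "host user ID 0" also sits oddly next to the preceding item, which is written in terms of a "mapping in the parent user namespace"; "user ID 0 in the parent user namespace" would match that context. Style nits: "i.e." should be "i.e.," as in the existing "(i.e., since Linux 2.6.24)" text of capabilities.7, and "it must have .B CAP_SETFCAP capability" reads better as "it must have the" / ".B CAP_SETFCAP" / "capability". Finally, since the old item 4 is renumbered to 5 by the inserted `.IP 5.`, any later numbered items in this list would need renumbering too; the hunk's trailing context does not show whether such items exist, so please check.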