tags 626387 fixed-upstream
thanks

On Wed, May 11, 2011 at 3:47 PM, Marc Haber <mh+debian-b...@zugschlus.de> wrote:
> Package: manpages
> Version: 3.27-1
> Severity: normal
>
> Hi,
>
> capabilities(7) mentions that
>     Removing capabilities from the bounding set is only supported if file
>     capabilities are compiled into the kernel (CONFIG_SECURITY_FILE_CAPABILITIES).
>
> In recent kernels, there is no CONFIG_SECURITY_FILE_CAPABILITIES
> option any more, it is now on by default and cannot be turned off.
> This de-sync of docs and software may lead to people searching for
> that kernel option.
>
> The man page should explicitly mention that
> CONFIG_SECURITY_FILE_CAPABILITIES is only needed for pre-squeeze
> kernels.
Thanks for this report. In upstream man-pages-3.33, I have changed the page as below.

Cheers,

Michael

--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -701,9 +701,14 @@
 A thread can determine if a capability is in its bounding set using the
 operation.
 Removing capabilities from the bounding set is only supported if file
-capabilities are compiled into the kernel
-(CONFIG_SECURITY_FILE_CAPABILITIES).
-In that case, the
+capabilities are compiled into the kernel.
+In kernels before Linux 2.6.33,
+file capabilities were an optional feature configurable via the
+CONFIG_SECURITY_FILE_CAPABILITIES
+option.
+Since Linux 2.6.33, the configuration option has been removed
+and file capabilities are always part of the kernel.
+When file capabilities are compiled into the kernel, the
 .B init
 process (the ancestor of all processes) begins with a full bounding set.
 If file capabilities are not compiled into the kernel, then

--
Michael Kerrisk
Linux man-pages maintainer; http://www.kernel.org/doc/man-pages/
Author of "The Linux Programming Interface"; http://man7.org/tlpi/
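Review bot: the retained context line "If file capabilities are not compiled into the kernel, then" now contradicts the added sentence "file capabilities are always part of the kernel" unless the reader notices that the no-file-capabilities branch applies only to pre-2.6.33 kernels; suggest qualifying it, e.g. "In kernels before Linux 2.6.33 where file capabilities are not compiled into the kernel, then". The unchanged opening line "Removing capabilities from the bounding set is only supported if file capabilities are compiled into the kernel." also reads as a current restriction when, per the hunk, it has been unconditional since 2.6.33; leading with the 2.6.33 statement and then describing the older optional behaviour would make the paragraph read in chronological order.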
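The bounding-set behaviour described in the man page text above can be checked directly on a running kernel rather than by hunting for a kernel config option. The following is an added example (not code from the man-pages project or from either poster) that uses the prctl(2) operations the capabilities(7) page documents, PR_CAPBSET_READ and PR_CAPBSET_DROP; it assumes a Linux build host, and the capability numbers are taken from the kernel's numbering (0 is CAP_CHOWN) so that no CAP_* header is needed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>

/* Return 1 if capability number `cap` is in the calling thread's bounding
 * set, 0 if it has been dropped, and -1 (errno == EINVAL) if the running
 * kernel does not know a capability with that number. */
int cap_in_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_READ, (unsigned long)cap, 0UL, 0UL, 0UL);
}

/* Probe upward until PR_CAPBSET_READ rejects the number; the last accepted
 * value is the highest capability this kernel supports.  Returns -1 only
 * on a kernel without bounding-set support at all. */
int highest_supported_cap(void)
{
    int cap = 0;
    while (cap_in_bounding_set(cap) != -1)
        cap++;
    return cap - 1;
}

/* Remove `cap` from the bounding set.  This is one-way and is inherited by
 * children, which is why it is useful for least-privilege sandboxing.
 * Returns 0 on success; -1 with errno EPERM when the caller lacks
 * CAP_SETPCAP, or EINVAL when `cap` is not a valid capability. */
int drop_from_bounding_set(int cap)
{
    return prctl(PR_CAPBSET_DROP, (unsigned long)cap, 0UL, 0UL, 0UL);
}

int main(void)
{
    int last = highest_supported_cap();
    printf("highest capability known to this kernel: %d\n", last);
    for (int cap = 0; cap <= last; cap++)
        printf("cap %2d: %s\n", cap,
               cap_in_bounding_set(cap) ? "in bounding set" : "dropped");

    /* Try to drop CAP_CHOWN (0); without CAP_SETPCAP this reports EPERM. */
    if (drop_from_bounding_set(0) == 0)
        printf("dropped cap 0 from the bounding set\n");
    else
        printf("could not drop cap 0: %s\n", strerror(errno));
    return 0;
}
```

Run it once as an unprivileged user and once with CAP_SETPCAP to see the two documented outcomes of PR_CAPBSET_DROP; the read-side probe works for any user, which makes it a convenient check that the kernel in use has bounding-set support without consulting its build configuration.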