author Michael Kerrisk <mtk.manpages@gmail.com> 2016-06-29 17:44:55 +0200
committer Michael Kerrisk <mtk.manpages@gmail.com> 2016-09-12 16:54:28 +0100
commit be8f12726e545c74cdcfa5e362d5afcd55baafcd
tree fe9ec74224495df76045e09580d7f4fca6b4685e
parent 32dbbd64167f908392c1ce51fef5310c36d882e0
download man-pages-be8f12726e545c74cdcfa5e362d5afcd55baafcd.tar.gz
seccomp.2: CAP_SYS_ADMIN is required only in caller's user namespace
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
-rw-r--r-- man2/seccomp.2 4
1 files changed, 2 insertions, 2 deletions
diff --git a/man2/seccomp.2 b/man2/seccomp.2
index dcb09c3aab..3642e5b9a3 100644
--- a/man2/seccomp.2
+++ b/man2/seccomp.2
@@ -138,7 +138,7 @@ In order to use the
.BR SECCOMP_SET_MODE_FILTER
operation, either the caller must have the
.BR CAP_SYS_ADMIN
-capability, or the thread must already have the
+capability in its user namespace, or the thread must already have the
.I no_new_privs
bit set.
If that bit was not already set by an ancestor of this thread,
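Review bot: In the added line "capability in its user namespace, or the thread must already have the", the pronoun "its" has an unclear antecedent, because the same sentence names both "the caller" and "the thread". The commit subject says "caller's user namespace", so writing "capability in the caller's user namespace" here would match it and remove the ambiguity. The sentence would also read more cleanly if it used one term throughout for the subject, either "the caller" or "the thread", since the capability check and the no_new_privs bit are described for the same entity.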
@@ -489,7 +489,7 @@ can fail for the following reasons:
.BR EACCESS
The caller did not have the
.BR CAP_SYS_ADMIN
-capability, or had not set
+capability in its user namespace, or had not set
.IR no_new_privs
before using
.BR SECCOMP_SET_MODE_FILTER .
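Review bot: The context line at the top of this hunk, ".BR EACCESS", misspells the error name; the errno constant is EACCES, with a single trailing S. Since this change already edits the text of that entry, the heading is worth correcting in the same patch or a follow-up so that readers searching for the constant find it. The added wording "capability in its user namespace" is unambiguous here, because "The caller" is the only subject in the sentence.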