capabilities.7: Rework bounding set as per-thread set in transformation rules

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
author: Michael Kerrisk <mtk.manpages@gmail.com> 2018-05-01 12:57:14 +0200
committer: Michael Kerrisk <mtk.manpages@gmail.com> 2018-05-01 13:55:37 +0200
commit: 2e87ced3b5679a4d0f1beed94d5a9973d9262aae (patch)
tree: 2c9048d0934225f42c6cbe0744d8464de3d064f9 /man7
parent: 36de80b984943653a475046028b888ae15e8d148 (diff)
download: man-pages-2e87ced3b5679a4d0f1beed94d5a9973d9262aae.tar.gz
1 files changed, 6 insertions, 6 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7
index a3d5849ecb..547dc226f9 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -1058,26 +1058,26 @@ the process using the following algorithm:
 P'(ambient)     = (file is privileged) ? 0 : P(ambient)
 
 P'(permitted)   = (P(inheritable) & F(inheritable)) |
-                  (F(permitted) & cap_bset) | P'(ambient)
+                  (F(permitted) & P(bounding)) | P'(ambient)
 
 P'(effective)   = F(effective) ? P'(permitted) : P'(ambient)
 
 P'(inheritable) = P(inheritable)    [i.e., unchanged]
+
+P'(bounding)    = P(bounding)       [i.e., unchanged]
 .EE
 .in
 .PP
 where:
 .RS 4
-.IP P 10
+.IP P() 6
 denotes the value of a thread capability set before the
 .BR execve (2)
-.IP P'
+.IP P'()
 denotes the value of a thread capability set after the
 .BR execve (2)
-.IP F
+.IP F()
 denotes a file capability set
-.IP cap_bset
-is the value of the capability bounding set (described below).
 .RE
 .PP
 A privileged file is one that has capabilities or
author	Michael Kerrisk <mtk.manpages@gmail.com>	2018-05-01 12:57:14 +0200
committer	Michael Kerrisk <mtk.manpages@gmail.com>	2018-05-01 13:55:37 +0200
commit	2e87ced3b5679a4d0f1beed94d5a9973d9262aae (patch)
tree	2c9048d0934225f42c6cbe0744d8464de3d064f9 /man7
parent	36de80b984943653a475046028b888ae15e8d148 (diff)
download	man-pages-2e87ced3b5679a4d0f1beed94d5a9973d9262aae.tar.gz