Diffstat (limited to 'man7/capabilities.7')
-rw-r--r--  man7/capabilities.7  38
1 files changed, 38 insertions, 0 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7
index ce4bce6c46..3ceb5b51df 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -967,6 +967,44 @@ In addition, the root user ID of namespace is encoded in the
extended attribute.
(A namespace's root user ID is the value that user ID 0
inside that namespace maps to in the initial user namespace.)
+.IP
+Starting with Linux 4.14, a
+.BR VFS_CAP_REVISION_3
+.I security.capability
+extended attribute is automatically created as (or converted to)
+a version 3 attribute if both of the following are true:
+.RS
+.IP (1) 4
+The thread writing the attribute resides in a noninitial namespace.
+(More precisely: the thread resides in a user namespace other
+than the one from which the underlying filesystem was mounted.)
+.IP (2)
+The thread has the
+.BR CAP_SETFCAP
+capability over the file inode,
+meaning that (a) the thread has the
+.B CAP_SETFCAP
+capability in its own user namespace;
+and (b) the UID and GID of the file inode have mappings in
+the writer's user namespace.
+.RE
+.IP
+When a
+.BR VFS_CAP_REVISION_3
+.I security.capability
+extended attribute is created, the root user ID of the creating thread's
+user namespace is saved in the extended attribute.
+.IP
+Creating a
+.I security.capability
+extended attribute from a privileged
+.RB ( CAP_SETFCAP )
+thread that resides in the
+namespace where the the underlying filesystem was mounted
+(this normally means the initial user namespace)
+automatically results in a version 2
+.RB ( VFS_CAP_REVISION_3 )
+attribute.
.\"
.SS Transformation of capabilities during execve()
.PP
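Review bot: the closing paragraph of this hunk contradicts itself: the text says the result is "a version 2" attribute but the macro argument reads `.RB ( VFS_CAP_REVISION_3 )`, which is the version 3 constant used earlier in the same hunk; it should be `.RB ( VFS_CAP_REVISION_2 )`, otherwise the reader is told that writing from the mounting namespace yields the same revision as writing from a non-initial namespace. Two smaller points in the same hunk: the line "namespace where the the underlying filesystem was mounted" has a doubled "the", and the two occurrences of `.BR VFS_CAP_REVISION_3` carry a single argument, so `.B VFS_CAP_REVISION_3` is the conventional macro there (`.BR` alternates bold and roman and is meant for two or more arguments, as in `.BR ( CAP_SETFCAP )` style usage elsewhere on the page).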