From dd63e15948a29c7a8aa083fd9b6e8b84459d9e85 Mon Sep 17 00:00:00 2001 From: Michael Kerrisk Date: Thu, 1 Nov 2018 14:32:55 +0100 Subject: [PATCH] capabilities.7: Correct the description of SECBIT_KEEP_CAPS This just adds to the point made by Marcus Gelderie's patch. Note also that SECBIT_KEEP_CAPS provides the same functionality as the prctl() PR_SET_KEEPCAPS flag, and the prctl(2) manual page has the correct description of the semantics (i.e., that the flag affects the treatment of only the permitted capability set). Signed-off-by: Michael Kerrisk --- man7/capabilities.7 | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/man7/capabilities.7 b/man7/capabilities.7 index 508b1a725..ba90be15c 100644 --- a/man7/capabilities.7 +++ b/man7/capabilities.7 @@ -1442,11 +1442,10 @@ These flags are as follows: .TP .B SECBIT_KEEP_CAPS Setting this flag allows a thread that has one or more 0 UIDs to retain -capabilities in its permitted and effective sets +capabilities in its permitted set when it switches all of its UIDs to nonzero values. If this flag is not set, -then such a UID switch causes the thread to lose all capabilities -in those sets. +then such a UID switch causes the thread to lose all permitted capabilities. This flag is always cleared on an .BR execve (2). .IP -- 2.11.4.GIT
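Review bot: With "and effective" dropped from the retained-sets sentence, the SECBIT_KEEP_CAPS entry no longer says anything about what happens to the effective set on the UID switch, which is exactly the point a reader checking this flag will want; since the commit message states that the flag affects the treatment of only the permitted set, consider making that explicit in the new text, e.g. "capabilities in its permitted set (the effective set is still cleared)". It would also help to add the cross-reference the commit message itself makes, something like "This flag provides the same functionality as the prctl(2) PR_SET_KEEPCAPS operation", so the reader is pointed at the page that carries the full description of the semantics.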