author: Michael Kerrisk <mtk.manpages@gmail.com> 2020-10-27 13:54:22 +0100
committer: Michael Kerrisk <mtk.manpages@gmail.com> 2020-10-27 14:51:44 +0100
commit: 2fbfb575b83cb0ec6f6ceaaa8e097837c466b6aa (patch)
tree: c23d7a55180f25168c9f6dcc3b4d684259f9cd0d
parent: 045c5bde7715d11c16a60c808dc4fc7ead0e0fd1 (diff)
capabilities.7: Under CAP_SYS_ADMIN, group "sub-capabilities" together
CAP_BPF, CAP_PERFMON, and CAP_CHECKPOINT_RESTORE have all been added to split out the power of CAP_SYS_ADMIN into weaker pieces. Group all of these capabilities together in the list under CAP_SYS_ADMIN, to make it clear that there is a pattern to these capabilities.

Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
-rw-r--r-- man7/capabilities.7 17
1 files changed, 10 insertions, 7 deletions
diff --git a/man7/capabilities.7 b/man7/capabilities.7
index 862f895465..6fecd5af84 100644
--- a/man7/capabilities.7
+++ b/man7/capabilities.7
@@ -415,6 +415,16 @@ access the same checkpoint/restore functionality that is governed by
(but the latter, weaker capability is preferred for accessing
that functionality).
.IP *
+perform the same BPF operations as are governed by
+.BR CAP_BPF
+(but the latter, weaker capability is preferred for accessing
+that functionality).
+.IP *
+employ the same performance monitoring mechanisms as are governed by
+.BR CAP_PERFMON
+(but the latter, weaker capability is preferred for accessing
+that functionality).
+.IP *
perform
.B IPC_SET
and
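Review bot: The two added items end with a full stop ("that functionality)."), while the list items visible in the later hunks end with a semicolon ("event information;", "does not require any capability);"). The checkpoint/restore item just above has the same full stop, so consider switching all three grouped items to ";" so the list punctuation stays uniform. A smaller style point: ".BR CAP_BPF" and ".BR CAP_PERFMON" pass a single argument, where ".B" (as used for "IPC_SET" in the context below) is the plainer macro.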
@@ -463,9 +473,6 @@ and
(but, since Linux 3.8,
creating user namespaces does not require any capability);
.IP *
-employ various performance monitoring mechanisms (as for
-.BR CAP_PERFMON );
-.IP *
access privileged
.I perf
event information;
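Review bot: With the CAP_PERFMON item removed here, the neighbouring item "access privileged perf event information;" is left behind, separated from the performance monitoring item that is now grouped earlier in the list. If that access is also among the mechanisms governed by CAP_PERFMON, move it next to the grouped item or fold it in; if it is not, a short note saying so would keep readers from assuming the weaker capability covers it.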
@@ -481,10 +488,6 @@ namespace);
call
.BR fanotify_init (2);
.IP *
-perform various BPF operations;
-see
-.BR CAP_BPF ;
-.IP *
perform privileged
.B KEYCTL_CHOWN
and