Using setcap in Linux

Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question and is provided under the CC BY-SA 4.0 license. If you use it, you must likewise follow the CC BY-SA license, cite the original URL and author information, and attribute it to the original author (not me). StackOverflow original: http://stackoverflow.com/questions/7860690/

Time: 2020-08-05 06:49:02  Source: igfitidea

Using setcap in linux

Tags: linux, ubuntu-11.04

Asked by Jake

To add the cap_net_raw capability to (for eg /bin/ping), we use the following:


#setcap cap_net_raw=ep /bin/ping

What is the meaning of ep and why is it required here?

Accepted answer by chown

This sets the CAP_NET_RAW bit in both the "effective" (e) and "permitted" (p) capability sets. These two sets, along with the "inheritable" set, govern the capabilities that a process has or can set.

See more here:


capabilities - Linux man page


Capability Sets

Each thread has three capability sets containing zero or more of the above capabilities:

Effective - the capabilities used by the kernel to perform permission checks for the thread.

Permitted - the capabilities that the thread may assume (i.e., a limiting superset for the effective and inheritable sets). If a thread drops a capability from its permitted set, it can never re-acquire that capability (unless it exec()s a set-user-ID-root program).

Inheritable - the capabilities preserved across an execve(2). A child created via fork(2) inherits copies of its parent's capability sets. See below for a discussion of the treatment of capabilities during exec(). Using capset(2), a thread may manipulate its own capability sets, or, if it has the CAP_SETPCAP capability, those of a thread in another process.

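An added example (not from the question or the answer above) that makes the three sets concrete: it turns a setcap clause such as cap_net_raw=ep into the Inheritable/Permitted/Effective bitmasks, decodes the CapInh/CapPrm/CapEff lines a running process reports in /proc/<pid>/status, and checks whether CAP_NET_RAW sits in each set. The bit index 13 for CAP_NET_RAW is the value from <linux/capability.h>; the status lines are constructed sample input.

```python
import re

# Bit index from <linux/capability.h> (a known constant, not from the page).
CAP_NET_RAW = 13
CAP_NAMES = {"cap_net_raw": CAP_NET_RAW}

# Constructed sample: the capability lines /proc/<pid>/status shows for a
# ping-like process whose binary was given "cap_net_raw=ep" with setcap.
SAMPLE_STATUS = "Name:\tping\nCapInh:\t0000000000000000\nCapPrm:\t0000000000002000\nCapEff:\t0000000000002000\n"


def parse_cap_sets(status_text):
    """Return the Inh/Prm/Eff masks (hex in the status file) as ints."""
    sets = {}
    for m in re.finditer(r"^Cap(Inh|Prm|Eff):\s*([0-9a-fA-F]+)\s*$", status_text, re.M):
        sets[m.group(1)] = int(m.group(2), 16)
    return sets


def has_cap(mask, cap):
    """True if capability bit `cap` is set in `mask`."""
    return bool((mask >> cap) & 1)


def clause_to_masks(clause, names=CAP_NAMES):
    """Turn a setcap clause like 'cap_net_raw=ep' into the three file masks:
    'e' fills the Effective set, 'p' the Permitted set, 'i' the Inheritable set."""
    caps, _, flags = clause.partition("=")
    bits = 0
    for cap in caps.split(","):
        bits |= 1 << names[cap.strip().lower()]
    return {
        "Inh": bits if "i" in flags else 0,
        "Prm": bits if "p" in flags else 0,
        "Eff": bits if "e" in flags else 0,
    }


def audit(sets, cap=CAP_NET_RAW):
    """Report which sets hold `cap`; 'consistent' is False if Effective holds a
    bit that Permitted does not, which the kernel never allows (Prm bounds Eff)."""
    return {
        "effective": has_cap(sets["Eff"], cap),
        "permitted": has_cap(sets["Prm"], cap),
        "inheritable": has_cap(sets["Inh"], cap),
        "consistent": (sets["Eff"] & ~sets["Prm"]) == 0,
    }


if __name__ == "__main__":
    with open("/proc/self/status") as f:  # live check of this process on Linux
        print(audit(parse_cap_sets(f.read())))
```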