Comment 11 for bug 95089

Okay, I'm trying to summarize this:
 - _without_ the CONFIG_SECURITY_FILE_CAPABILITIES setting, CAP_SETPCAP allows crazy cap-setting silliness, and is disabled by init
 - with CONFIG_SECURITY_FILE_CAPABILITIES, CAP_SETPCAP behaves differently, so it is not disabled by init

What I'd like to understand this better is an example of a "vulnerable" and "safe" behavior. From there, I can build a kernel both ways, and verify that CONFIG_SECURITY_FILE_CAPABILITIES is still safe.

Can someone give me an example to use that demonstrates the dangerous behavior?