Comment 8 for bug 95089

Serge Hallyn (serge-hallyn) wrote:

Either I missed some discussion or there is some misinformation here.

CAP_SETPCAP is dangerous when CONFIG_SECURITY_FILE_CAPABILITIES=n because then it allows a task to grant capabilities to other tasks. So when CONFIG_SECURITY_FILE_CAPABILITIES=n, then CAP_SETPCAP is taken away at boot. Note however that init can reinsert it into the bounding set using /proc/sys/kernel/cap-bound. Only init can do it.

CAP_SETPCAP is safe when CONFIG_SECURITY_FILE_CAPABILITIES=y, because all it then allows is adding capabilities to the inheritable set (if they are in the bounding set). From there, it (or a child) needs to execute a file with the same bits in the file inheritable set in order to be able to get them into the permitted set. In other words, it's a way for login to grant capabilities to login sessions.

I'd like to see CONFIG_SECURITY_FILE_CAPABILITIES enabled so I can start using them on my Ubuntu laptop, like I used to on my old laptop.
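The two rules the comment relies on, modelled in Python as an added example (not code from the bug thread or the kernel): what capset() lets a task add to its inheritable set, and how the permitted set is computed at execve when file capabilities are enabled. The capability bit numbers are the real Linux values; the process and file states are constructed for the demo.

```python
"""Model of the CAP_SETPCAP / file-capability rules described in the comment."""

CAP_SETPCAP = 8    # real Linux capability numbers
CAP_NET_RAW = 13


def bit(cap):
    return 1 << cap


def inheritable_raise_allowed(perm, inh, bset, wanted):
    """capset() rule for pI (file capabilities enabled).

    Without CAP_SETPCAP a task may only add bits already in its permitted
    set; with CAP_SETPCAP it may add any bit that is in its bounding set.
    In both cases nothing outside the bounding set can ever enter pI.
    """
    if perm & bit(CAP_SETPCAP):
        allowed = inh | bset
    else:
        allowed = inh | perm
    return not ((inh | wanted) & ~allowed)


def raise_inheritable(perm, inh, bset, wanted):
    """Return the new inheritable set, or fail with EPERM as the kernel would."""
    if not inheritable_raise_allowed(perm, inh, bset, wanted):
        raise PermissionError("EPERM: bits outside the allowed inheritable set")
    return inh | wanted


def exec_permitted(proc_inh, file_inh, file_perm, bset):
    """Permitted set of the new image after execve:
    P'(permitted) = (P(inheritable) & F(inheritable)) | (F(permitted) & bset)
    Bits raised into pI only survive exec if the file's inheritable set has them too."""
    return (proc_inh & file_inh) | (file_perm & bset)


def login_session_demo(file_inh):
    """Constructed scenario: a login process holding CAP_SETPCAP (but not
    CAP_NET_RAW) raises CAP_NET_RAW in pI, then execs a session binary whose
    file inheritable set is file_inh. Returns the session's permitted set."""
    bset = bit(CAP_SETPCAP) | bit(CAP_NET_RAW)   # bounding set still contains both
    login_perm = bit(CAP_SETPCAP)
    login_inh = raise_inheritable(login_perm, 0, bset, bit(CAP_NET_RAW))
    return exec_permitted(login_inh, file_inh, 0, bset)
```

Running the demo with a session binary carrying CAP_NET_RAW in its file inheritable set yields a permitted set containing CAP_NET_RAW; with an ordinary binary (empty file sets) the session gets nothing, which is the "safe" behaviour the comment describes.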