The changes introduced in [[Ironpenguin:]] open a few questions for security restrictions in the kernel.

  -Since the chroot system call can no longer be used to break out of a previous chroot, does it still need to be restricted to processes with **CAP_SYS_CHROOT**?
  -Given the exploit explained in [[capability notes]] should the [[capceiling]] and [[jail]] calls require a capability for now? If so, should there be a sysctl to remove that restriction (or set it)?
  -What capability should be required to set an [[fscaps|fscap]]? Arguably, **SETPCAP** is appropriate, but would call for modufying the kernel to allow it to exist. Perhaps a process should only be allowed to set caps it currently has? It stands to reason that a process capable of setting an fscap can easily gain that capability for itself anyway.