The changes introduced in Ironpenguin open a few questions for security restrictions in the kernel.

1. Since the chroot system call can no longer be used to break out of a previous chroot, does it still need to be restricted to processes with CAP_SYS_CHROOT?
2. Given the exploit explained in capability notes should the capceiling and jail calls require a capability for now? If so, should there be a sysctl to remove that restriction (or set it)?
3. What capability should be required to set an fscap? Arguably, SETPCAP is appropriate, but would call for modufying the kernel to allow it to exist. Perhaps a process should only be allowed to set caps it currently has? It stands to reason that a process capable of setting an fscap can easily gain that capability for itself anyway.