From: Andreas Gruenbacher <agruen@suse.de>
Subject: Disable file capabilities by default

Disable file capabilities by default: we are still lacking documentation
and file capability awareness in system management tools.

Signed-off-by: Andreas Gruenbacher <agruen@suse.de>

---
 Documentation/kernel-parameters.txt |    8 +++++++-
 kernel/capability.c                 |    9 ++++++++-
 2 files changed, 15 insertions(+), 2 deletions(-)

--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -1507,7 +1507,13 @@ and is between 256 and 4096 characters.
 
 	no_file_caps	Tells the kernel not to honor file capabilities.  The
 			only way then for a file to be executed with privilege
-			is to be setuid root or executed by root.
+			is to be setuid root or executed by root. They
+			default to disabled.
+
+	file_caps	Tells the kernel to honor file capabilities.  The
+			only way then for a file to be executed with privilege
+			is to be setuid root or executed by root. They default
+			to disabled.
 
 	nohalt		[IA-64] Tells the kernel not to use the power saving
 			function PAL_HALT_LIGHT when idle. This increases
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -30,7 +30,7 @@ EXPORT_SYMBOL(__cap_full_set);
 EXPORT_SYMBOL(__cap_init_eff_set);
 
 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
-int file_caps_enabled = 1;
+int file_caps_enabled;
 
 static int __init file_caps_disable(char *str)
 {
@@ -38,6 +38,13 @@ static int __init file_caps_disable(char
 	return 1;
 }
 __setup("no_file_caps", file_caps_disable);
+
+static int __init file_caps_enable(char *str)
+{
+	file_caps_enabled = 1;
+	return 1;
+}
+__setup("file_caps", file_caps_enable);
 #endif
 
 /*