There is a possibility that this bug is INVALID but I am not sure so submitting just in case. Looking over the capability listing, I noticed that CAP_FS_MASK was not listed. I believe that the original reason for this was that this document was originally in the Grsecurity 1.9.x document. Grsecurity does not use this capability so that would lead it to be not listed. Now that this has moved into its own neutral document I think that it might need to be added. Although it seems that with the 2.6.x kernel suser() and fsuser() are gone from the kernel I still believe that LSM and perhaps other projects make use of CAP_FS_MASK.
Created attachment 41686 [details, diff] capfsmask.patch This adds CAP_FS_MASK to the capabilities listing.
Created attachment 42113 [details] capabilities.xml This fixes the XML validation errors of the current document. The changes were fairly extensive so I have just attached the document itself as the patch would be huge. This also adds CAP_FS_MASK from the previous patch.
New version In CVS now
