From patch at $URL
The kernel has no concept of capabilities with respect to inodes; inodes
exist independently of namespaces. For example,
inode_capable(inode, CAP_LINUX_IMMUTABLE) would be nonsense.
This patch changes inode_capable to check for uid and gid mappings and
renames it to capable_wrt_inode_uidgid, which should make it more
obvious what it does.
The capabilities implementation in the Linux kernel before 3.14.8 does not
properly consider that namespaces are inapplicable to inodes, which allows
local users to bypass intended chmod restrictions by first creating a user
namespace, as demonstrated by setting the setgid bit on a file with group
ownership of root.
Patch in mainline 3.16 onwards