From: Serge E. Hallyn <serue@us.ibm.com>

The fE was previously a full capset which was masked with the calculated
new_permitted to get the process' new effective set.  It is now a single
bit in the xattr.  This patch changes bprm->cap_effective to a boolean. 
When that boolean is false, then P'e is the empty set.  When the boolean is
true, then P'e is set equal to P'p (new_permitted).  The rationale for this
is that either the application does not know about capabilities, and needs
to start with all permitted caps in its effective set, or it does know
about capabilities, and can start with an empty effective set and enable
the caps it wants when it wants.

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: Andrew Morgan <morgan@kernel.org>
Cc: Casey Schaufler <casey@schaufler-ca.com>
Cc: Chris Wright <chrisw@sous-sol.org>
Cc: James Morris <jmorris@namei.org>
Cc: KaiGai Kohei <kaigai@kaigai.gr.jp>
Cc: Serge E. Hallyn <serue@us.ibm.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
---

 include/linux/binfmts.h |    3 ++-
 security/commoncap.c    |   16 +++++++++-------
 2 files changed, 11 insertions(+), 8 deletions(-)

diff -puN include/linux/binfmts.h~file-capabilities-change-fe-to-a-bool include/linux/binfmts.h
--- a/include/linux/binfmts.h~file-capabilities-change-fe-to-a-bool
+++ a/include/linux/binfmts.h
@@ -37,7 +37,8 @@ struct linux_binprm{
 	int sh_bang;
 	struct file * file;
 	int e_uid, e_gid;
-	kernel_cap_t cap_inheritable, cap_permitted, cap_effective;
+	kernel_cap_t cap_inheritable, cap_permitted;
+	bool cap_effective;
 	void *security;
 	int argc, envc;
 	char * filename;	/* Name of binary as seen by procps */
diff -puN security/commoncap.c~file-capabilities-change-fe-to-a-bool security/commoncap.c
--- a/security/commoncap.c~file-capabilities-change-fe-to-a-bool
+++ a/security/commoncap.c
@@ -113,7 +113,7 @@ static inline void bprm_clear_caps(struc
 {
 	cap_clear(bprm->cap_inheritable);
 	cap_clear(bprm->cap_permitted);
-	cap_clear(bprm->cap_effective);
+	bprm->cap_effective = false;
 }
 
 #ifdef CONFIG_SECURITY_FILE_CAPABILITIES
@@ -130,8 +130,10 @@ static inline int cap_from_disk(__le32 *
 
 	switch ((magic_etc & VFS_CAP_REVISION_MASK)) {
 	case VFS_CAP_REVISION:
-		bprm->cap_effective = (magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
-					? CAP_FULL_SET : CAP_EMPTY_SET;
+		if (magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
+			bprm->cap_effective = true;
+		else
+			bprm->cap_effective = false;
 		bprm->cap_permitted = to_cap_t( le32_to_cpu(caps[1]) );
 		bprm->cap_inheritable = to_cap_t( le32_to_cpu(caps[2]) );
 		return 0;
@@ -212,7 +214,7 @@ int cap_bprm_set_security (struct linux_
 			cap_set_full (bprm->cap_permitted);
 		}
 		if (bprm->e_uid == 0)
-			cap_set_full (bprm->cap_effective);
+			bprm->cap_effective = true;
 	}
 
 	return ret;
@@ -252,8 +254,8 @@ void cap_bprm_apply_creds (struct linux_
 	 * capability rules */
 	if (!is_init(current)) {
 		current->cap_permitted = new_permitted;
-		current->cap_effective =
-		    cap_intersect (new_permitted, bprm->cap_effective);
+		current->cap_effective = bprm->cap_effective ?
+				new_permitted : 0;
 	}
 
 	/* AUD: Audit candidate if current->cap_effective is set */
@@ -264,7 +266,7 @@ void cap_bprm_apply_creds (struct linux_
 int cap_bprm_secureexec (struct linux_binprm *bprm)
 {
 	if (current->uid != 0) {
-		if (!cap_isclear(bprm->cap_effective))
+		if (bprm->cap_effective)
 			return 1;
 		if (!cap_isclear(bprm->cap_permitted))
 			return 1;
_