The grsecurity patch creates an option to disallow using most
of the capabilities. This is good to deny non-root users
to allow changing networking stuff (NET_ADMIN) and more.
However, we make a lot use of chroots, but to keep the chrooted
services able to their things, we need to give them the rights
to do so.
The change requires to change the grsecurity security level
option from HIGH to CUSTOM.