And looking into this, cap_user_header_t actually has a version field! So this problem may well be fixable without hacks or breakage, if the kernel developers start to consider that the semantic meaning of capabilities, as exposed to user-space, is versioned.