вообще писал про это
CAP_SETPCAP
If file capabilities are not supported: grant or remove any capability in the caller's
permitted capability set to or from any other process. (This property of CAP_SETPCAP is
not available when the kernel is configured to support file capabilities, since CAP_SET‐
PCAP has entirely different semantics for such kernels.) If file capabilities are supported: add any capability from the calling thread's bound‐
ing set to its inheritable set; drop capabilities from the bounding set (via prctl(2)
PR_CAPBSET_DROP); make changes to the securebits flags.
Возможно, не совсем реализована. И разница в том, что процесс может дать другому процессу cap_setuid. Только вряд ли сможет контроллировать, на какой UID тот сделает set.