I was thinking about whether we should start adding support for Linux capabilities to core packages. We can use the fcaps.eclass from Gentoo, which implements the "filecaps" USE flag, and take the work done by upstream, or avoid the fcaps.eclass altogether and call the "setcap" program directly (provided by sys-libs/libcap). Linux capabilities do not depend on the hardened toolchain or hardened-sources, but they are a great way to enhance both desktop and server security.
The main reason to use Linux capabilities is security-enhanced deployments, reducing the number of installed setuid binaries by taking a "least privilege" approach. Despite its benefits, not all programs support capabilities, so this can only be applied to those ebuilds. This also needs a filesystem with extended attributes support.
I ran a quick grep over /usr/portage and these packages seem to use the "filecaps" USE flag for now:
Upstream has masked the "filecaps" USE flag on other OSes like BSD because they implement the capabilities feature in a different way and fcaps.eclass currently doesn't wrap around the running OS kernel.
This post is a request for comments about what people think about this and which approach they think is better (or whether to leave things without capabilities support).
Víctor Román Archidona
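
An added example, not part of the original post and not code from fcaps.eclass: a sketch of the "call setcap directly" approach that also handles the extended-attributes caveat by falling back to the setuid bit when the capability cannot be stored. The helper name `grant_caps` and the `SETCAP` override variable are hypothetical.

```shell
#!/bin/sh
# Added example: hypothetical helper, not taken from fcaps.eclass.
# SETCAP may be overridden (e.g. for testing); by default it is the
# setcap program shipped by sys-libs/libcap.
: "${SETCAP:=setcap}"

# grant_caps <capabilities> <file>
#   Tries to replace the setuid/setgid bits on <file> with file capabilities.
#   Prints "caps" when the capabilities were stored, "setuid" when the
#   helper had to fall back (setcap missing, or no xattr support).
grant_caps() {
    caps=$1
    file=$2

    if [ ! -f "$file" ]; then
        echo "grant_caps: $file: not a regular file" >&2
        return 1
    fi

    # Least privilege first: drop the set*id bits, then store the
    # capability set in the file's security.capability xattr.
    if chmod u-s,g-s "$file" && "$SETCAP" "$caps" "$file" 2>/dev/null; then
        echo caps
        return 0
    fi

    # setcap failed, typically because the filesystem has no extended
    # attribute support. Restore the setuid bit so the program keeps
    # working; this only grants privilege if the file is owned by root.
    chmod u+s "$file" || return 1
    echo setuid
}
```

A package's post-install step could call it as `grant_caps cap_net_raw+ep /path/to/binary` (constructed capability string and placeholder path) and log which of the two outcomes was used.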