static int get_file_caps(struct linux_binprm *bprm, struct file *file,
			 bool *effective, bool *has_fcap)
{
	int rc = 0;
	struct cpu_vfs_cap_data vcaps;

	#ifdef CONFIG_CREDP
	do {
		kernel_cap_t tmp_cap = bprm->cred->cap_permitted;
		tmp_cap.val = 0;
		iee_set_cred_cap_permitted(bprm->cred, __cap_empty_set);
	} while (0);
	#else
	cap_clear(bprm->cred->cap_permitted);
	#endif

	if (!file_caps_enabled)
		return 0;

	if (!mnt_may_suid(file->f_path.mnt))
		return 0;

	/*
	 * This check is redundant with mnt_may_suid() but is kept to make
	 * explicit that capability bits are limited to s_user_ns and its
	 * descendants.
	 */
	if (!current_in_userns(file->f_path.mnt->mnt_sb->s_user_ns))
		return 0;

	rc = get_vfs_caps_from_disk(file->f_path.dentry, &vcaps);
	if (rc < 0) {
		if (rc == -EINVAL)
			printk(KERN_NOTICE "Invalid argument reading file caps for %s\n",
					bprm->filename);
		else if (rc == -ENODATA)
			rc = 0;
		goto out;
	}

	rc = bprm_caps_from_vfs_caps(&vcaps, bprm, effective, has_fcap);

out:
	if (rc)
		#ifdef CONFIG_CREDP
		do {
			kernel_cap_t tmp_cap = bprm->cred->cap_permitted;
			tmp_cap.val = 0;
			iee_set_cred_cap_permitted(bprm->cred, __cap_empty_set);
		} while (0);
		#else
		cap_clear(bprm->cred->cap_permitted);
		#endif

	return rc;
}
