--- old/security/Kconfig	2004-04-01 20:31:11.000000000 +0200
+++ new/security/Kconfig	2004-04-01 22:19:14.000000000 +0200
@@ -109,6 +109,19 @@ config SECURITY_CAPABILITY_SYSCTL
 	  It's probably best to firewall the living daylights out
 	  of anything using this also.
 
+	  Anyway, the values are:
+
+	  - 0 = checks enabled (the default)
+	  - 1 = checks disabled
+	  - 2 = root only
+	  - 3 = no one, even root has no access to capabilities
+
+	  All the sysctl entries are mutable until the "lockdown"
+	  entry is set to a non-zero value. All capabilities are
+	  enabled by default.
+
+	  Say N unless you know what you are doing.
+
 source security/selinux/Kconfig
 
 endmenu