File capability sets

At times, we require the ability to "embed" capabilities into a binary executable file (the reasons for this are covered in the following section). This obviously requires kernel and filesystem support: file capabilities are stored in an extended attribute (security.capability) of the file, so the filesystem must support extended attributes. In earlier kernels, file capabilities were a kernel configuration option (CONFIG_SECURITY_FILE_CAPABILITIES); from Linux kernel 2.6.33, they are always compiled into the kernel, and are therefore always present.

File capsets are a powerful security feature; you could say they are the modern equivalent of the older set-user-ID/set-group-ID mechanism. To use them in the first place, the kernel and filesystem must support them (as above), and to set them on a file (for example, with setcap(8)) the calling process (or thread) requires the CAP_SETFCAP capability. Here is the key point: the capsets of the thread performing the exec (the thread capsets covered previously) and the capsets attached to the binary being executed (the file capsets covered next) together determine the thread's capabilities following the exec operation.

Here are the Linux file capability sets:

  • Permitted (Prm): capabilities that are automatically added to the thread's permitted set on exec (as long as they are also in the thread's bounding set), regardless of the thread's inheritable capabilities
  • Inheritable (Inh): ANDed with the thread's inheritable set; the result is added to the thread's new permitted set
  • Effective (Eff): this is a single bit, not a set; if set, the new Prm capset is also raised in the thread's Eff set; otherwise it is not, and the program must raise the capabilities it needs itself (for example, via capset(2) or cap_set_proc(3))

Once again, understand the caveat under which the above information has been provided: it is not the complete picture. For the full details, please check out the man page on capabilities(7) here: https://linux.die.net/man/7/capabilities.

[Screenshot snippet from the capabilities(7) man page, showing the algorithm used to determine capabilities during the exec operation]
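The exec algorithm from capabilities(7), worked through in C as an added example (this is not code from the book or from the kernel): a small model of the transformation the man page specifies for execve(2), run for the common setcap cases. The capability numbers are the real ones from <linux/capability.h>; everything else (the struct names, an all-ones bounding set standing in for a "full" bounding set, and treating a file as "privileged" only when it carries file capabilities) is the example's own simplification, and set-user-ID/set-group-ID binaries are not modeled.

```c
/* Added example (not from the book): a model of the execve(2) capability
 * transformation described in capabilities(7). The formulas in the comments
 * are quoted from that man page. Simplifications: set-UID/GID binaries are
 * NOT modeled, and a file counts as "privileged" only if it carries file
 * capabilities. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t capset_t;                 /* one bit per capability number */
#define CAP(n) ((capset_t)1 << (n))

/* Real capability numbers from <linux/capability.h> */
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_RAW          13
#define CAP_SYS_ADMIN        21
#define CAP_SETFCAP          31

/* Thread capsets before (P) and after (P') the exec */
struct thread_caps {
    capset_t permitted, effective, inheritable, bounding, ambient;
};

/* File capsets (F); Effective is a single bit, not a set */
struct file_caps {
    capset_t permitted, inheritable;
    int effective;
};

/* P' = transform(P, F), following capabilities(7) */
struct thread_caps exec_transform(const struct thread_caps *p,
                                  const struct file_caps *f)
{
    struct thread_caps n;
    int file_privileged = (f->permitted | f->inheritable) != 0; /* simplification */

    /* P'(ambient)   = (file is privileged) ? 0 : P(ambient) */
    n.ambient = file_privileged ? 0 : p->ambient;
    /* P'(permitted) = (P(inheritable) & F(inheritable)) |
     *                 (F(permitted) & P(bounding)) | P'(ambient) */
    n.permitted = (p->inheritable & f->inheritable)
                | (f->permitted & p->bounding)
                | n.ambient;
    /* P'(effective) = F(effective) ? P'(permitted) : P'(ambient) */
    n.effective = f->effective ? n.permitted : n.ambient;
    /* P'(inheritable) = P(inheritable); P'(bounding) = P(bounding) */
    n.inheritable = p->inheritable;
    n.bounding    = p->bounding;
    return n;
}

/* An unprivileged shell: empty capsets, full bounding set (model: all bits) */
struct thread_caps unprivileged_thread(void)
{
    struct thread_caps t = { 0 };
    t.bounding = ~(capset_t)0;
    return t;
}

static void show(const char *label, const struct thread_caps *t)
{
    printf("%-46s Prm=%#" PRIx64 " Eff=%#" PRIx64 "\n",
           label, t->permitted, t->effective);
}

int main(void)
{
    struct thread_caps sh = unprivileged_thread(), r;

    /* setcap cap_net_bind_service=ep ./server : Prm and Eff both get the cap */
    struct file_caps ep = { CAP(CAP_NET_BIND_SERVICE), 0, 1 };
    r = exec_transform(&sh, &ep);
    show("file =ep, unprivileged caller:", &r);

    /* setcap cap_net_bind_service=p ./server : Prm only; program must raise it */
    struct file_caps p_only = { CAP(CAP_NET_BIND_SERVICE), 0, 0 };
    r = exec_transform(&sh, &p_only);
    show("file =p, unprivileged caller:", &r);

    /* Same =ep file, but the caller's bounding set lacks the cap: nothing granted */
    struct thread_caps bounded = sh;
    bounded.bounding &= ~CAP(CAP_NET_BIND_SERVICE);
    r = exec_transform(&bounded, &ep);
    show("file =ep, cap dropped from caller's bounding set:", &r);

    /* setcap cap_net_raw=ei : granted only if the caller's Inh set has it too */
    struct file_caps ei = { 0, CAP(CAP_NET_RAW), 1 };
    struct thread_caps inh = sh;
    inh.inheritable = CAP(CAP_NET_RAW) | CAP(CAP_SYS_ADMIN);
    r = exec_transform(&inh, &ei);
    show("file =ei, caller Inh has net_raw+sys_admin:", &r);
    r = exec_transform(&sh, &ei);
    show("file =ei, caller Inh empty:", &r);
    return 0;
}
```

The third case is the one worth remembering when a setcap'ed binary mysteriously gets nothing: a capability removed from the bounding set (for example by a container runtime) can never be granted via a file's Prm set. The last two cases show why `=ei` file capabilities are rarely useful on their own; they only take effect for callers whose own inheritable set already contains the capability.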