POSIX capabilities

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.

https://www.linuxjournal.com/article/5737

https://stackoverflow.com/questions/6154427/fork-and-execve-to-inherit-unprivileged-parent-process-capabilities
https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work
https://blog.container-solutions.com/linux-capabilities-in-practice

https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/

https://linux.die.net/man/2/execve

https://blog.ploetzli.ch/2014/understanding-linux-capabilities/

https://www.schutzwerk.com/en/43/posts/linux_container_capabilities/

https://unix.stackexchange.com/questions/580434/capability-inheritable-for-system-call-in-c-c

http://www.cis.syr.edu/~wedu/seed/Labs/Capability_Exploration/Capability_Exploration.pdf

https://www.gnu.org/software/hurd/community/gsoc/project_ideas/libcap/details.html