Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled. Capabilities are a per-thread attribute.
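An added example (not code from this page or from the linked articles): because capabilities are a per-thread attribute, this Python script reads each thread's capability sets from `/proc/<pid>/task/<tid>/status` and decodes the hex bitmasks into names. `SAMPLE_STATUS` is constructed for illustration, the function names are hypothetical, and the name table assumes the bit order of `<linux/capability.h>` up to `CAP_CHECKPOINT_RESTORE`.

```python
import os

# Capability names in bit order, per <linux/capability.h> (bit 0 = CAP_CHOWN).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
             "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
             "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
             "lease audit_write audit_control setfcap mac_override mac_admin syslog "
             "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore").split()
CAP_SETS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

# Constructed sample of the Cap* lines of a status file (not real output).
SAMPLE_STATUS = """CapInh:\t0000000000000000
CapPrm:\t0000000000002400
CapEff:\t0000000000000400
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

def decode_mask(hex_mask):
    """Turn a hex bitmask from a Cap* line into capability names, lowest bit first."""
    mask = int(hex_mask, 16)
    return [f"cap_{CAP_NAMES[b]}" if b < len(CAP_NAMES) else f"cap_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_status(text):
    """Extract the five capability sets from the text of a status file."""
    sets = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key in CAP_SETS:
            sets[key] = decode_mask(value.strip())
    return sets

def thread_caps(pid="self"):
    """Capability sets of every thread of a process, keyed by TID (Linux only)."""
    result = {}
    for tid in os.listdir(f"/proc/{pid}/task"):
        try:
            with open(f"/proc/{pid}/task/{tid}/status") as fh:
                result[int(tid)] = parse_status(fh.read())
        except FileNotFoundError:  # thread exited between listdir and open
            pass
    return result

if __name__ == "__main__":
    print("sample:", parse_status(SAMPLE_STATUS))
    for tid, sets in (thread_caps() if os.path.isdir("/proc/self/task") else {}).items():
        print(tid, "effective:", sets["CapEff"])
```

Bits beyond the table are reported as `cap_<n>` so a newer kernel's capabilities are not silently dropped.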
https://www.linuxjournal.com/article/5737
https://stackoverflow.com/questions/6154427/fork-and-execve-to-inherit-unprivileged-parent-process-capabilities
https://blog.container-solutions.com/linux-capabilities-why-they-exist-and-how-they-work
https://blog.container-solutions.com/linux-capabilities-in-practice
https://raesene.github.io/blog/2019/06/01/docker-capabilities-and-no-new-privs/
https://linux.die.net/man/2/execve
https://blog.ploetzli.ch/2014/understanding-linux-capabilities/
https://www.schutzwerk.com/en/43/posts/linux_container_capabilities/
https://unix.stackexchange.com/questions/580434/capability-inheritable-for-system-call-in-c-c
http://www.cis.syr.edu/~wedu/seed/Labs/Capability_Exploration/Capability_Exploration.pdf
https://www.gnu.org/software/hurd/community/gsoc/project_ideas/libcap/details.html