next up previous contents
Next: Socket Access Control Algorithm Up: LinSec Socket Access Control Previous: LinSec Socket Access Control   Contents

Socket Access Control Information Storage

Because of its "per executable file" nature, Socket Access Control (SAC) (Chapter 4, Subsection 4.2.12) information is stored in the extended file system attributes of executable files. SAC information is retrieved by the linsec_read_file_sac function (linsec_attr.c) when a binary is being read into memory for execution (do_execve, fs/exec.c). Once in memory, the SAC information is stored in the linsec_task associated with the process that executed the binary (Section 5.5).

Due to the difficulty of matching a struct sock (net/sock.h) with the struct task_struct of the process that created the socket, as explained in Subsection 5.8.7 and affecting the access control algorithm (Subsection 5.10.2), the LinSec implementation was forced to extend struct sock by another element. The new field represents the capabilities required to communicate with the socket and is initialized when the socket is being bound (sys_bind function, net/socket.c) according to the information contained in the linsec_task of the process creating the socket. If no SAC entry is defined for the socket being bound, the required capability set is initialized to be empty.
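The bind-time initialization described above, as an added user-space model that is not LinSec's kernel code: the struct names, the bitmask representation of capability sets, and the port-keyed SAC entries are assumptions chosen to keep the model self-contained, and the SAC table is constructed inline rather than read from extended attributes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical capability set as a bitmask (constructed for the model). */
typedef uint32_t cap_t;
#define CAP_MODEL_NET_ADMIN (1u << 0)
#define CAP_MODEL_SAC_WEB   (1u << 1)

/* One SAC entry: peers talking to this local port must hold `required`. */
struct sac_entry { uint16_t port; cap_t required; };

/* Model of linsec_task: SAC entries loaded when the binary was executed. */
struct linsec_task_model { const struct sac_entry *sac; size_t n_sac; };

/* Model of struct sock with the extra field LinSec adds. */
struct sock_model { uint16_t bound_port; cap_t required_caps; };

/* Bind-time step: copy the matching SAC entry's capability set into the
 * socket. No matching entry means the required set stays empty. */
void sac_init_sock(struct sock_model *sk, const struct linsec_task_model *t,
                   uint16_t port) {
    sk->bound_port = port;
    sk->required_caps = 0;
    for (size_t i = 0; i < t->n_sac; i++) {
        if (t->sac[i].port == port) {
            sk->required_caps = t->sac[i].required;
            break;
        }
    }
}

/* A peer may communicate only if it holds every required capability. */
bool sac_may_communicate(const struct sock_model *sk, cap_t peer_caps) {
    return (peer_caps & sk->required_caps) == sk->required_caps;
}

/* Constructed SAC table of a hypothetical binary: port 80 needs SAC_WEB. */
static const struct sac_entry demo_sac[] = { { 80, CAP_MODEL_SAC_WEB } };
static const struct linsec_task_model demo_task = { demo_sac, 1 };

/* Required set that a socket bound to `port` by the demo binary gets. */
cap_t sac_required_for(uint16_t port) {
    struct sock_model sk;
    sac_init_sock(&sk, &demo_task, port);
    return sk.required_caps;
}

/* Whether a peer holding `peer_caps` may talk to the demo binary on `port`. */
bool sac_scenario(uint16_t port, cap_t peer_caps) {
    struct sock_model sk;
    sac_init_sock(&sk, &demo_task, port);
    return sac_may_communicate(&sk, peer_caps);
}
```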
