Next: Executable File Capabilities Up: LinSec Capability Model Previous: POSIX 1003.6 and Capabilities   Contents

Overview

LinSec retains, from the Linux POSIX capability framework, the notion of a capability being nothing more than a small unsigned integer. A set of capabilities can therefore be represented as a bitmap in which bit i is set exactly when capability number i is a member of the set. Membership tests and set operations (union, intersection, difference, subset) on sets defined this way reduce to single bitwise instructions on machine words. The performance advantage over richer representations (for example lists of named privileges) is the primary reason for keeping this simple representation.
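The following C snippet is an added illustration of the bitmap representation just described; it is not code from the LinSec sources. The capability numbers are the standard Linux values from linux/capability.h. The access-check and bounding helpers (cap_check_access, cap_set_bound) are hypothetical and only show the kind of check such a representation makes cheap; the actual LinSec rules for combining file and user capabilities into process capabilities are defined in Subsection 4.2.9, not here.

```c
#include <stdint.h>
#include <stdio.h>

/* One bit per capability: bit i is set exactly when capability number i
 * is a member of the set. 64 bits covers every number used below. */
typedef uint64_t cap_set_t;

#define CAP_SET_EMPTY ((cap_set_t)0)
#define CAP_SET_BITS  64
#define CAP_BIT(cap)  ((cap_set_t)1 << (cap))

/* Standard Linux capability numbers (linux/capability.h). */
enum {
    CAP_CHOWN            = 0,
    CAP_DAC_OVERRIDE     = 1,
    CAP_SETUID           = 7,
    CAP_NET_BIND_SERVICE = 10,
    CAP_NET_RAW          = 13,
    CAP_SYS_ADMIN        = 21
};

/* Reject numbers outside the bitmap before shifting (an out-of-range
 * shift is undefined behaviour in C). */
static inline int cap_valid(unsigned cap) { return cap < CAP_SET_BITS; }

static inline cap_set_t cap_set_add(cap_set_t s, unsigned cap)
{ return cap_valid(cap) ? (s | CAP_BIT(cap)) : s; }

static inline cap_set_t cap_set_drop(cap_set_t s, unsigned cap)
{ return cap_valid(cap) ? (s & ~CAP_BIT(cap)) : s; }

static inline int cap_set_has(cap_set_t s, unsigned cap)
{ return cap_valid(cap) && (s & CAP_BIT(cap)) != 0; }

/* Set algebra is one bitwise instruction each. */
static inline cap_set_t cap_set_union(cap_set_t a, cap_set_t b)     { return a | b; }
static inline cap_set_t cap_set_intersect(cap_set_t a, cap_set_t b) { return a & b; }
static inline cap_set_t cap_set_minus(cap_set_t a, cap_set_t b)     { return a & ~b; }
static inline int       cap_set_is_subset(cap_set_t a, cap_set_t b) { return (a & ~b) == 0; }

/* Number of capabilities held (population count). */
static int cap_set_count(cap_set_t s)
{
    int n = 0;
    while (s) { n += (int)(s & 1); s >>= 1; }
    return n;
}

/* Hypothetical access-control check: every capability in 'required' must
 * be present in the process's set. Returns 0 on success, -1 otherwise. */
static int cap_check_access(cap_set_t proc_caps, cap_set_t required)
{ return cap_set_is_subset(required, proc_caps) ? 0 : -1; }

/* Hypothetical bounding: a set may never hold more than a limit allows. */
static cap_set_t cap_set_bound(cap_set_t s, cap_set_t limit) { return s & limit; }

int main(void)
{
    /* Constructed example: a network daemon that only needs to bind a
     * privileged port and change file ownership. */
    cap_set_t daemon = cap_set_add(cap_set_add(CAP_SET_EMPTY, CAP_NET_BIND_SERVICE), CAP_CHOWN);
    cap_set_t limit  = cap_set_add(cap_set_add(CAP_SET_EMPTY, CAP_NET_BIND_SERVICE), CAP_NET_RAW);

    printf("daemon set   = 0x%llx (%d caps)\n", (unsigned long long)daemon, cap_set_count(daemon));
    printf("bind port 80 : %s\n", cap_check_access(daemon, CAP_BIT(CAP_NET_BIND_SERVICE)) == 0 ? "allowed" : "denied");
    printf("sys_admin    : %s\n", cap_check_access(daemon, CAP_BIT(CAP_SYS_ADMIN)) == 0 ? "allowed" : "denied");
    printf("bounded set  = 0x%llx\n", (unsigned long long)cap_set_bound(daemon, limit));
    return 0;
}
```

Because each helper is a single AND/OR/NOT on one machine word, the check on the hot path of a system call costs no more than the uid comparison it supplements, which is the point the paragraph above makes about performance.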

Every process in Linux, except for process 0 (see footnote 4.3), is a running image of an executable file and is owned by a user. LinSec therefore defines Executable File Capabilities (Subsection 4.2.4) and User Capabilities (Subsection 4.2.5); when a user runs an executable file, the two are combined (Subsection 4.2.9) to compute the Process Capabilities (Subsection 4.2.7) of the resulting process. It is the Process Capabilities that are consulted in access control checks.

LinSec also uses capabilities to implement system boot phase protection (Subsection 4.2.10), various types of process protection (Subsection 4.2.11) and INET socket protection (Subsection 4.2.12).

To accomplish all of these design aims, several new LinSec-specific capabilities had to be introduced (Subsection 4.2.13) in addition to the existing Linux ones.



Footnotes

... 0 (footnote 4.3)
The process with PID 0 is the Linux kernel itself, which is not an image of any executable file and cannot be run as one.
