The adopted approach is to implement in the kernel everything needed to determine, for a program executed under a given uid, a set of capabilities and, in the case of access to a specified file, a set of permissions on that file.
Thus we need an easy and efficient way to associate each program with its privilege set. Each privilege set must contain the capability sets for each uid and the permissions for access to each file, depending on the uid.
The problem now is how to generate and store all the information that represents an element of . A solution is to rely on the underlying structure of : the filesystem hierarchy.
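The following is an added user-space model of the lookup described above; it is not the paper's kernel code. A privilege set is keyed by program path and holds, per uid, a capability set and a map from filesystem paths to permissions. Two things are assumptions made here for illustration, not statements of the paper: programs are matched by exact path, and a permission rule on a directory applies to everything beneath it with the nearest ancestor winning, which is one way to exploit the filesystem hierarchy the text refers to. The program names, uids, capability names and paths in the policy are constructed sample data.

```python
from dataclasses import dataclass, field
from pathlib import PurePosixPath


@dataclass
class PrivilegeSet:
    """Privileges of one program: capabilities per uid, file permissions per uid."""
    caps: dict = field(default_factory=dict)        # uid -> frozenset of capability names
    file_perms: dict = field(default_factory=dict)  # uid -> {path: frozenset of permissions}

    def capabilities(self, uid):
        # No entry for this uid means the program gets no capabilities at all.
        return self.caps.get(uid, frozenset())

    def permissions(self, uid, path):
        # Assumption (not from the paper): walk from the file up to "/" and
        # apply the first rule found, so a rule on a directory covers its
        # subtree and a more specific rule below it overrides it.
        rules = self.file_perms.get(uid, {})
        p = PurePosixPath(path)
        for candidate in (p, *p.parents):
            rule = rules.get(str(candidate))
            if rule is not None:
                return frozenset(rule)
        return frozenset()  # default deny: nothing matched


# Constructed sample policy: program path -> PrivilegeSet.
POLICY = {
    "/usr/sbin/httpd": PrivilegeSet(
        caps={0: frozenset({"CAP_NET_BIND_SERVICE"}), 33: frozenset()},
        file_perms={
            33: {
                "/var/www": frozenset({"r"}),          # document root, read only
                "/var/www/private": frozenset(),       # explicit override: no access
                "/var/log/httpd": frozenset({"r", "w"}),
            },
            0: {"/etc/httpd": frozenset({"r"})},
        },
    ),
}

EMPTY = PrivilegeSet()  # programs absent from the policy get nothing


def lookup_capabilities(program, uid):
    """Capabilities granted to `program` when run under `uid`."""
    return POLICY.get(program, EMPTY).capabilities(uid)


def check_access(program, uid, path, perm):
    """True if `program` running as `uid` holds permission `perm` on `path`."""
    return perm in POLICY.get(program, EMPTY).permissions(uid, path)


if __name__ == "__main__":
    print(lookup_capabilities("/usr/sbin/httpd", 0))
    print(check_access("/usr/sbin/httpd", 33, "/var/www/html/index.html", "r"))
    print(check_access("/usr/sbin/httpd", 33, "/var/www/private/keys.pem", "r"))
```

Both lookups are keyed first by the executing program and only then by uid, which is the point of the design: the same uid running a different program lands in a different privilege set, and a program with no entry falls through to an empty one rather than inheriting anything.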