To manipulate capabilities properly, every kernel object should hold a 'capa' field that stores the object's corresponding capability or capabilities.
Any access requiring a capability should be checked by a simple mgr_security_capa_matches(task_capa, object_capa) call, making capability management easy and unified across the whole kernel.
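A sketch of the scheme described above, as an added example that is not the kernel's own code. It assumes capabilities are a bitmask and that a match means the task holds every bit the object requires. The capa_t type, the CAPA_* bits, the kobj_* structures and device_open() are hypothetical; only the 'capa' field and the mgr_security_capa_matches(task_capa, object_capa) name come from the text.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Assumption: capabilities are a bitmask; the page does not define the type. */
typedef uint32_t capa_t;

/* Constructed capability bits, for illustration only. */
#define CAPA_DEV_UART   (1u << 0)
#define CAPA_DEV_CRYPTO (1u << 1)
#define CAPA_SYS_RESET  (1u << 2)

/* Every kernel object carries the capability (or capabilities) it requires. */
struct kobj_device { const char *name; capa_t capa; };
struct kobj_task   { const char *name; capa_t capa; };

/*
 * Single decision point. Assumed semantics: access is granted only when the
 * task holds every capability bit the object requires. An object whose capa
 * field is 0 is denied, so a forgotten initialisation fails closed.
 */
bool mgr_security_capa_matches(capa_t task_capa, capa_t object_capa)
{
    if (object_capa == 0) {
        return false;
    }
    return (task_capa & object_capa) == object_capa;
}

/* Hypothetical access path: the check runs before the object is handed out. */
const struct kobj_device *device_open(const struct kobj_task *task,
                                      const struct kobj_device *dev)
{
    if (task == NULL || dev == NULL) {
        return NULL;
    }
    if (!mgr_security_capa_matches(task->capa, dev->capa)) {
        return NULL; /* denied: the caller never receives the object */
    }
    return dev;
}
```

Because every object type exposes the same 'capa' field, each access path reduces to the same one-line check, which keeps the policy auditable in one function.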