|This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)|
Kernel capabilities are an implementation of POSIX capability-based security (see 1003.1e).
The intent is damming in the security and stability implications of both bugs and of ill intent.
Capabilities basically sort syscalls into a bunch of groups, and granting only those you know something needs.
Consider e.g. ping. Historically this was SUID root, which it needed to create a raw socket. Yes, it drops it as soon as it doesn't need it, and in many practical ways this is pretty safe, but there is a period where it is entirely privileged.
Capabilities allow you to give it CAP_NET_RAW (and maybe CAP_NET_ADMIN?), and none of the others.
Such capabilities can also be used in a SUID-like way, by using xattr to assign them.
Note that ping itself doesn't care how it gets these things. In fact it doesn't even know, beyond the relevant syscalls (not) failing.