Capability Bounding Set

All capabilities are available by default.

Capability bounding set status is a kernel variable
Available via /proc/sys/kernel/cap-bound

When a capability is removed from the system, it's gone for good.
(Unless you have CAP_SYS_MODULE available)

Can be modified easily using Lcap