Notice something, though: the hello_pause program above really has no idea that it actually has these capabilities; in other words, it programmatically has done nothing to query or set POSIX capabilities on itself. Yet, via the file capabilities model (and the setcap(8) utility) we have "injected" capabilities into it. This type of binary is therefore called a capability-dumb binary.
It's still vastly superior to doing a clumsy setuid-root security-wise, but it could get even "smarter" if the application itself—programmatically—used APIs to query and set capabilities upon itself at runtime. We can think of this kind of app as a capability-smart binary.
Often, when porting a legacy setuid-root (or worse, just a root ...