There's not much here yet. In the meantime, look at
capfs (name subject to change), which is a neat little thing that lets you do stuff like:

    /* Get raw_socket capability. */
    cap_fd = open("/cap/self/permitted/raw_socket", O_RDONLY);
    if (cap_fd == -1)
        err(EXIT_FAILURE, "unable to get raw_socket capability");

    /* Open raw socket. */
    sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP);
    if (sock == -1)
        err(EXIT_FAILURE, "unable to open raw socket");

    /* Drop the raw_socket capability. */
    close(cap_fd);

in your language of choice, since it uses the file-system namespace. You could also do this:

    # for pid in `ls -1 /cap/[0-9]*/effective/change_time | cut -d/ -f3`
    > do ps -up $pid | sed -e '1d'
    > done
    elad 10758 0.0 0.6 10016 3300 ? I 5:24PM 0:02.26 sshd: elad@pts/1 (sshd)
    elad 13594 0.0 0.3 3428 1508 ttyp1 I+ 4:23AM 0:00.05 lua
    root 13695 0.0 0.2 2968 1200 ttyp3 S 12:11PM 0:00.49 ksh
    elad 15464 0.0 0.3 3176 1416 ttyp1 Is 5:24PM 0:00.14 -sh
    root 567 0.0 0.5 6948 2388 ? Is Fri02AM 1:47.41 /usr/libexec/postfix/master
    root 9441 0.0 0.3 3176 1424 ttyp3 I 4:40AM 0:00.46 sh
    #
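
The get/use/drop sequence from the first snippet, wrapped so the capability is held only for the duration of one operation and released on every return path. This is an added example, not part of capfs: with_capability, make_standin, count_call and the set_dir parameter are hypothetical names. It assumes, as the snippet's comments state, that closing the descriptor drops the capability, and it adds O_CLOEXEC on the assumption that the descriptor should not be inherited across exec().

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hold capability `name` only while op(arg) runs; drop it on every path.
 * set_dir is "/cap/self/permitted" on a capfs system; it is a parameter
 * (an assumption of this example) so a stand-in directory can be used. */
int with_capability(const char *set_dir, const char *name,
                    int (*op)(void *), void *arg)
{
    char path[PATH_MAX];
    int n, cap_fd, rc;

    /* A capability name is a single path component: refuse "../x". */
    if (name[0] == '\0' || strchr(name, '/') != NULL)
        return -1;
    n = snprintf(path, sizeof(path), "%s/%s", set_dir, name);
    if (n < 0 || (size_t)n >= sizeof(path))
        return -1;
    /* O_CLOEXEC: do not hand the descriptor to exec()ed programs. */
    cap_fd = open(path, O_RDONLY | O_CLOEXEC);
    if (cap_fd == -1)
        return -1;      /* capability not permitted: op never runs */
    rc = op(arg);
    close(cap_fd);      /* drop the capability */
    return rc;
}

/* Constructed stand-in for the permitted set: a temp dir holding one
 * empty file called `name`. tmpl must end in "XXXXXX" (mkdtemp). */
int make_standin(char *tmpl, const char *name)
{
    char p[PATH_MAX];
    int fd;

    if (mkdtemp(tmpl) == NULL)
        return -1;
    snprintf(p, sizeof(p), "%s/%s", tmpl, name);
    fd = open(p, O_CREAT | O_WRONLY, 0600);
    return fd == -1 ? -1 : close(fd);
}

/* Sample operation standing in for socket(): counts its calls. */
int count_call(void *arg) { ++*(int *)arg; return 0; }
```

On a capfs system the callback would be the socket() call and set_dir would be "/cap/self/permitted".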