Let me work thru a typical capability transaction ...
Steps that we will suggest are seldom thought necessary in classic (Unix) systems, but perhaps this is largely due to their substantial cost there.
Component B invokes C which runs in another address space. Unix provides several ways of doing this: pipes, exec, and some Unixes have custom means: Solaris has its undocumented “doors” and Linux has “clone”.
B has created about a megabyte of data, X, that C must read to produce about a kilobyte of data to return to B. C will invoke other components unknown to B in this task. The convention between B and C is that B will dispose of the storage holding the response when it is done with it.
In either system we must decide what steps are necessary for B to have access to C. I shall assume in this case that the invocation of C is not to interact with others who invoke C; in effect C is free of side-effects.
It comes time to invoke C. B invokes the segment capability S to obtain a read-only capability, R, to the same segment. B “calls” a capability to C passing R. C installs the received capability in its own address space in order to read the data. C creates a segment for the response and installs that segment at another address. C finds from the data that yet another consultant is required for the job and passes R to that sub-subcontractor. The response in this case is an integer which is returned by value. C resumes its work and produces the data required by B. C returns to B passing the segment with the answer. B maps the segment with the response and uses the answer. B then invokes the returned segment to delete it. It may also invoke S to delete it if it is done with S too.
End of capability OS scenario.
I will assume that C is accessible to B in the form of an executable file for which B has execute and read permission. (I don’t know why B needs read permission. I should think that execute permission would suffice. The kernel needs to read the file but B doesn’t. Furthermore this fact seems not to be conveyed in the specs. Try ls -lt /usr/bin on just about any Unix system.)
Program C will now commence with (almost) all of C’s authority and some of its own if the directory entry via which B accessed C included the set-user-ID mode bit. B can arrange that an agreed upon file descriptor already accesses the file with the data that B prepared for C. This way there is no need to arrange for permissions or ACL mechanisms for C to access the data. mmap will work for C independently of whether B produced the file that way. The data that C needs to return to B is not as easily returned. The simplest way that I see is for B to create an additional file into which C can deposit the result. B can issue the wait system call until C has finished its work.
End of Unix Scenario.
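The Unix scenario above, worked as an added example (not code from the original page): consultant_c and component_b are hypothetical stand-ins for C and B, the agreed file descriptor numbers are assumed, and B forks rather than execs so that everything fits in one file; the descriptors set up with dup2 would be inherited across exec in exactly the same way.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <sys/stat.h>

/* Constructed example: B and C agree on the fd numbers ahead of time. */
#define DATA_FD 3
#define RESULT_FD 4

/* Hypothetical component C: reads its input through the agreed fd by mmap,
 * so no path lookup or permission check on the data is needed, and writes
 * its answer (here, the count of 'x' bytes) to the agreed result fd. */
static int consultant_c(void) {
    struct stat st;
    if (fstat(DATA_FD, &st) != 0) return 1;
    const char *x = mmap(NULL, st.st_size, PROT_READ, MAP_PRIVATE, DATA_FD, 0);
    if (x == MAP_FAILED) return 1;
    long count = 0;
    for (off_t i = 0; i < st.st_size; i++) if (x[i] == 'x') count++;
    munmap((void *)x, st.st_size);
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld", count);
    return write(RESULT_FD, buf, n) == n ? 0 : 1;
}

/* Hypothetical component B: prepares the data file, arranges the agreed fds,
 * runs C as a child, waits for it, then reads the result back.
 * Returns the answer C produced, or -1 on any failure. */
static long component_b(const char *data, size_t len) {
    FILE *in = tmpfile(), *out = tmpfile();
    if (!in || !out) return -1;
    if (fwrite(data, 1, len, in) != len || fflush(in) != 0) return -1;
    /* dup2 leaves FD_CLOEXEC clear, so these fds would also survive exec(). */
    if (dup2(fileno(in), DATA_FD) < 0 || dup2(fileno(out), RESULT_FD) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) _exit(consultant_c());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    char buf[32] = {0};
    ssize_t n = pread(RESULT_FD, buf, sizeof buf - 1, 0);
    close(DATA_FD); close(RESULT_FD); fclose(in); fclose(out);
    return n > 0 ? strtol(buf, NULL, 10) : -1;
}
```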