When a process enters capsicum mode, it loses all permissions normally associated with its controlling user, except "capabilities" it already has in the form of file descriptors.
It keeps the overall capsicum permission model, but uses it to redesign a simplified environment for processes (system calls, C library, etc.)
to run on, so that programs become portable to any platform supporting the ABI on the same instruction set architecture.
The interface it offers is roughly POSIX minus parts that do not work with capability-based security.
[4][5] As of October 2020, CloudABI has been deprecated in favor of WebAssembly System Interface for lack of interest.