Mach ports are capabilities.
A Mach port is a kernel queue. Each port has associated with it a receive right and one or more send and send-once rights. A queue can hold a number of messages. Once the queue is full, the send blocks until their is space to enqueue the message (this is interruptible via a timeout mechanism).
A receive right designates a queue and authorizes the holder to dequeue messages from the queue, and to create send and send-once rights.
Send and send-once rights designate a queue and authorize the hold to enqueue messages (in the case of a send-once right, a single message). Enqueuing a message is equivalent to ?invoke a capability.
Send and receive rights are named using local names. Each task has associated with it a port ?address space. A ports are addressed via this table. Each task thus has its own private naming context for ports.
Ports can be ?delegated in an IPC message. When the receiver dequeues the message, the right is made available to it.
A ?thread can only block receiving on a single port. To work around this, the concept of a port set was introduced. A receive right can be added to (at most) one port set. When a thread receives from a port set, it dequeues from any of the ports that has a message available.