diff --git a/zion/object/port.h b/zion/object/port.h
index 3b3ee80..47737af 100644
--- a/zion/object/port.h
+++ b/zion/object/port.h
@@ -22,7 +22,8 @@ class Port : public IpcObject {
  public:
   uint64_t TypeTag() override { return KernelObject::PORT; }
   static uint64_t DefaultPermissions() {
-    return kZionPerm_Write | kZionPerm_Read | kZionPerm_Duplicate;
+    return kZionPerm_Write | kZionPerm_Read | kZionPerm_Duplicate |
+           kZionPerm_Transmit;
   }
 
   Port() = default;
diff --git a/zion/syscall/memory_object.cpp b/zion/syscall/memory_object.cpp
index ac602cb..ae268c4 100644
--- a/zion/syscall/memory_object.cpp
+++ b/zion/syscall/memory_object.cpp
@@ -39,6 +39,7 @@ z_err_t MemoryObjectDuplicate(ZMemoryObjectDuplicateReq* req) {
   ASSIGN_OR_RETURN(
       glcr::RefPtr<MemoryObject> new_vmmo,
       vmmo_cap->obj<MemoryObject>()->Duplicate(req->base_offset, req->length));
-  *req->new_vmmo_cap = curr_proc.AddNewCapability(new_vmmo);
+  *req->new_vmmo_cap =
+      curr_proc.AddNewCapability(new_vmmo, vmmo_cap->permissions());
   return glcr::OK;
 }
diff --git a/zion/syscall/process.cpp b/zion/syscall/process.cpp
index 77c7b7f..22a3419 100644
--- a/zion/syscall/process.cpp
+++ b/zion/syscall/process.cpp
@@ -26,12 +26,15 @@ z_err_t ProcessSpawn(ZProcessSpawnReq* req) {
   *req->new_vmas_cap = curr_proc.AddNewCapability(proc->vmas());
 
   if (req->bootstrap_cap != 0) {
-    auto cap = curr_proc.ReleaseCapability(req->bootstrap_cap);
+    auto cap = curr_proc.GetCapability(req->bootstrap_cap);
     if (!cap) {
       return glcr::CAP_NOT_FOUND;
     }
-    // FIXME: Check permissions.
-    *req->new_bootstrap_cap = proc->AddExistingCapability(cap);
+    if (!(cap->HasPermissions(kZionPerm_Transmit))) {
+      return glcr::CAP_PERMISSION_DENIED;
+    }
+    *req->new_bootstrap_cap = proc->AddExistingCapability(
+        curr_proc.ReleaseCapability(req->bootstrap_cap));
   }
 
   return glcr::OK;