by throwawaymaths 1484 days ago
In theory you could do even better than that -- you could make capabilities cryptographically signed tokens, so that you don't need to ask the kernel to verify the validity of your request every time. If your chipset supports crypto intrinsics this will almost certainly be better than an interrupted syscall.

Yeah, reminds me of biscuits[0] - because they're based on asymmetric cryptography they can be delegated, but also attenuated. If you just use a uuid that's not really going to work as well, unless you're willing to go back to some authority to forge a new, lesser capability.
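The delegate-and-attenuate property discussed above, as an added example that is not part of this thread or of the biscuit project: a minimal macaroon-style capability token built from HMAC chaining with Python's standard library. It uses a symmetric root key rather than biscuits' public-key signatures, so any holder can narrow a capability offline and hand it on, but only a verifier holding the root key can check it. The resource name, the caveat vocabulary (`op`, `expires`, `path_prefix`) and the key are constructed for the example.

```python
"""Macaroon-style attenuable capability tokens (constructed example).

Design: the issuer mints a token whose signature is HMAC(root_key, resource).
Each caveat appended by a holder re-keys the chain: sig' = HMAC(sig, caveat).
A holder can therefore add restrictions without contacting the issuer, but
cannot remove one (the earlier signature is not recoverable from the later
one) and cannot widen the resource. Verification is a pure function of the
root key and the token, so no round trip to an authority is needed per check.
"""
import hashlib
import hmac
from dataclasses import dataclass

ROOT_KEY = b"constructed-demo-root-key"  # constructed sample; a real issuer keeps this secret


def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


@dataclass(frozen=True)
class Capability:
    resource: str
    caveats: tuple = ()
    sig: bytes = b""

    def attenuate(self, caveat: str) -> "Capability":
        """Holder-side narrowing: chain the new caveat onto the current signature."""
        return Capability(self.resource, self.caveats + (caveat,),
                          _mac(self.sig, caveat.encode()))


def mint(root_key: bytes, resource: str) -> Capability:
    """Issuer-side: an unrestricted capability for `resource`."""
    return Capability(resource, (), _mac(root_key, resource.encode()))


def _caveat_holds(caveat: str, request: dict) -> bool:
    """Evaluate one caveat against the request; unknown caveats fail closed."""
    key, _, value = caveat.partition("=")
    if key == "op":
        return request.get("op") == value
    if key == "expires":
        return request.get("now", 0) <= int(value)
    if key == "path_prefix":
        return request.get("path", "").startswith(value)
    return False


def verify(root_key: bytes, cap: Capability, request: dict) -> bool:
    """Recompute the HMAC chain from the root key, then check every caveat."""
    sig = _mac(root_key, cap.resource.encode())
    for caveat in cap.caveats:
        sig = _mac(sig, caveat.encode())
    if not hmac.compare_digest(sig, cap.sig):
        return False  # tampered caveats, wrong resource, or wrong root key
    return all(_caveat_holds(c, request) for c in cap.caveats)


def demo() -> dict:
    """Delegation chain: issuer -> alice (read-only, expiring) -> bob (one subtree)."""
    full = mint(ROOT_KEY, "fs:/home/alice")
    alice_ro = full.attenuate("op=read").attenuate("expires=1000")
    bob_docs = alice_ro.attenuate("path_prefix=/home/alice/docs/")
    # Attacker keeps the signature but drops bob's prefix caveat to widen access.
    widened = Capability(bob_docs.resource, bob_docs.caveats[:-1], bob_docs.sig)
    return {
        "bob_read_docs": verify(ROOT_KEY, bob_docs,
                                {"op": "read", "now": 500, "path": "/home/alice/docs/a.txt"}),
        "bob_read_other": verify(ROOT_KEY, bob_docs,
                                 {"op": "read", "now": 500, "path": "/home/alice/.ssh/id"}),
        "alice_write": verify(ROOT_KEY, alice_ro, {"op": "write", "now": 500}),
        "alice_expired": verify(ROOT_KEY, alice_ro, {"op": "read", "now": 2000}),
        "widened_rejected": verify(ROOT_KEY, widened,
                                   {"op": "read", "now": 500, "path": "/home/alice/.ssh/id"}),
        "wrong_key": verify(b"not-the-root-key", full, {"op": "read"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'allowed' if ok else 'denied'}")
```

The point the thread makes about UUID-style bearer tokens shows up in `attenuate`: with an opaque identifier there is nothing a holder can derive a narrower token from, so it has to go back to the issuer, whereas here the chain itself carries the restrictions and the verifier only needs the root key. The trade-off against biscuits' asymmetric scheme is that here every verifier must share that root key, which is exactly what a public-key construction avoids.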
Not even theoretical. An early capability based OS called KeyKOS worked that way.
Oh man, KeyKOS, that brings back memories. I wonder if crypto intrinsics might breathe life back into something like KeyKOS. More contemporary, I think seL4 does as well.

In my comment I meant "in theory Fuchsia could have been architected/could be rearchitected that way"; sorry, I should have been clearer.