CAP_PERFMON — and new capabilities in general
Posted Feb 24, 2020 13:28 UTC (Mon) by epa (subscriber, #39769)
In reply to: CAP_PERFMON — and new capabilities in general by NYKevin
Parent article: CAP_PERFMON — and new capabilities in general
True. I think that splitting the root account's powers into umpteen different capability bits is conceptually pretty simple. Instead of checking uid==0 you check whether the relevant bit is set. There's not too much to go wrong in that, and it's certainly less code than SELinux or seccomp. The hard part seems to be finding space for the bitmask in relevant structures and perhaps in filesystems.
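
The uid test and the capability-bit test the comment contrasts, as an added example that is not part of the comment above and is not kernel code. The function names and the sample `CapEff:` lines are constructed for illustration; the capability numbers are those in `<linux/capability.h>`, and the line format is the one in `/proc/<pid>/status`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability numbers as defined in <linux/capability.h>. */
#define CAP_SYS_ADMIN 21
#define CAP_PERFMON   38   /* past bit 31, so a 32-bit mask cannot hold it */

/* Old-style check: all-or-nothing on the user ID. */
int allowed_by_uid(unsigned int uid) { return uid == 0; }

/* Capability-style check: test one bit of the effective set. */
int allowed_by_cap(uint64_t effective, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((effective >> cap) & 1);
}

/* Parse a "CapEff:\t<hex>" line from /proc/<pid>/status and test one
 * capability. Returns 1 if set, 0 if clear, -1 if the line is malformed. */
int line_has_cap(const char *line, int cap)
{
    static const char key[] = "CapEff:";
    char *end;
    unsigned long long mask;
    if (strncmp(line, key, sizeof key - 1) != 0)
        return -1;
    line += sizeof key - 1;
    mask = strtoull(line, &end, 16);   /* skips the tab after the key */
    if (end == line)
        return -1;
    return allowed_by_cap(mask, cap);
}

int main(void)
{
    /* Constructed samples, not taken from a real system. */
    const char *root_no_caps = "CapEff:\t0000000000000000\n"; /* uid 0, caps dropped */
    const char *user_perfmon = "CapEff:\t0000004000000000\n"; /* uid 1000, bit 38 set */
    printf("uid 0, empty set: uid check=%d CAP_PERFMON=%d\n",
           allowed_by_uid(0), line_has_cap(root_no_caps, CAP_PERFMON));
    printf("uid 1000, bit 38: uid check=%d CAP_PERFMON=%d CAP_SYS_ADMIN=%d\n",
           allowed_by_uid(1000), line_has_cap(user_perfmon, CAP_PERFMON),
           line_has_cap(user_perfmon, CAP_SYS_ADMIN));
    return 0;
}
```

The two samples give opposite answers under the two checks: uid 0 with an empty effective set passes the uid test but holds no capability, while uid 1000 with only bit 38 set holds CAP_PERFMON and nothing else.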