What would it look like to be able to compose capabilities (as in [1]) in the same manner?
For example, to build a capability that only allowed read-only access to files in /usr/foo/*, and run process bar with it.
[edit] Would "gencap /usr/foo/* c| capreadonly c| crun bar" be reasonable?
Where c| was a capability pipe?
If capability-based security is to ever take off, this will have to be one of the building blocks. I'm having trouble even imagining what kind of syntax or tooling would be required.
[1] - https://en.wikipedia.org/wiki/Capability-based_security
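An added sketch, not part of the comment above and not an existing tool: the proposed pipeline modelled as object capabilities in Python, with `|` standing in for the hypothetical `c|` pipe. `DirCap` and the behaviour given to `gencap`, `capreadonly`, `crun` and `bar` are assumptions; Python does not remove `bar`'s ambient authority, so this shows only how attenuation composes, not OS-level enforcement.

```python
import os, tempfile

class DirCap:
    """Hypothetical capability: open files beneath one directory, in granted modes."""
    def __init__(self, root, modes=("r", "w")):
        self._root = os.path.realpath(root)
        self._modes = frozenset(modes)

    def open(self, name, mode="r"):
        if mode not in self._modes:
            raise PermissionError(f"mode {mode!r} not granted")
        # Resolve symlinks and ".." before checking containment.
        path = os.path.realpath(os.path.join(self._root, name))
        if os.path.commonpath([self._root, path]) != self._root:
            raise PermissionError("path escapes the capability's root")
        return open(path, mode)

    def attenuate(self, modes):
        # Attenuation intersects rights, so a stage can narrow but never widen.
        return DirCap(self._root, self._modes & frozenset(modes))

    def __or__(self, stage):
        # Stands in for the hypothetical "c|" capability pipe.
        return stage(self)

def gencap(root):
    return DirCap(root)

def capreadonly(cap):
    return cap.attenuate({"r"})

def crun(program):
    return lambda cap: program(cap)

def bar(cap):
    """Constructed stand-in for process bar: records what it is able to do."""
    with cap.open("a.txt") as f:
        result = {"read": f.read()}
    for label, args in (("write", ("a.txt", "w")), ("escape", ("../x", "r"))):
        try:
            cap.open(*args).close()
            result[label] = "allowed"
        except PermissionError:
            result[label] = "denied"
    return result

def demo():
    with tempfile.TemporaryDirectory() as root:  # constructed sample tree
        with open(os.path.join(root, "a.txt"), "w") as f:
            f.write("hello")
        return gencap(root) | capreadonly | crun(bar)
```

Because each stage returns a new capability, the stages compose in any order that narrows rights, and a later stage cannot restore a right an earlier one dropped.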
They never noticed a problem until WSL came along and some users were not happy with it because they did things (build the Linux kernel) that do an outrageous number of fs requests. Thus the beautiful WSL, which shows off the brilliance of NT, gets replaced by ugly WSL2, a virtualization layer which just adds (buggy!) tight couplings you could avoid by just installing your favorite Linux in Hyper-V!