New approach: user processes get two cspaces, upper and lower, mapped such that upper capabilities are addressed 0xAA...... and lower caps are 0x00....BB. Services go in the upper cspace and file descriptors in the lower. User processes lose the ability to modify their own cspace, and all lower capabilities are managed by sysinit.

New filetab interface (implemented by proc) is used to manage the lower cspace; a process passes it to a filesystem on open so the filesystem can have a descriptor slot allocated.

Discussion

Then sysinit can manage file descriptor lifetimes on behalf of user processes, accounting for process termination, fork, etc.
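A toy model of the scheme in the note and the lifetime handling raised in the discussion, added here as an illustration rather than code from the project. The address layout (32-bit caps, upper caps 0xAA000000 | index, lower caps as a slot index in the low byte), the 256-slot limit and the class names are assumptions; user code never touches the lower cspace, only sysinit does, on open, close, fork and exit.

```python
from dataclasses import dataclass

# Assumed layout (the note only gives the two prefixes): an upper cap is
# 0xAA000000 | index, a lower cap is its slot index in the low byte.
UPPER_PREFIX = 0xAA000000
LOWER_SLOTS = 256


def upper_addr(index: int) -> int:
    return UPPER_PREFIX | index


def is_lower(addr: int) -> bool:
    return (addr >> 24) == 0x00


@dataclass
class FileObj:
    name: str
    refs: int = 0  # lower-cspace slots, across all processes, holding it


class Sysinit:
    """Sole owner of every process's lower cspace (the filetab)."""
    def __init__(self):
        self.tables = {}  # pid -> {slot: FileObj}

    def open(self, pid: int, fobj: FileObj) -> int:
        # Reached via the filetab handle the process passed to the filesystem.
        tab = self.tables.setdefault(pid, {})
        slot = next(s for s in range(LOWER_SLOTS) if s not in tab)
        tab[slot] = fobj
        fobj.refs += 1
        return slot  # lower address 0x000000BB

    def close(self, pid: int, addr: int) -> None:
        if not is_lower(addr):
            raise PermissionError("only lower caps are file descriptors")
        self.tables[pid].pop(addr).refs -= 1

    def fork(self, parent: int, child: int) -> None:
        # Child inherits the parent's descriptors; each object gains a ref.
        self.tables[child] = dict(self.tables.get(parent, {}))
        for fobj in self.tables[child].values():
            fobj.refs += 1

    def exit(self, pid: int) -> None:
        # Termination releases every descriptor the process still held.
        for fobj in self.tables.pop(pid, {}).values():
            fobj.refs -= 1
```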