There was a running joke among kernel designers that we would add a feature to the kernel if the requester could prove that it was not needed. Sort of like the banker joke that you could get a loan if you could prove you didn't need it. The same rule applied to the other fundamental objects, not just the kernel.

There was a real reason for this. The features that came under this rule were proposed for performance, and the proof that a feature was unneeded was most of the proof that it raised no new security issues: if, for each feature, there was a proof that a user could do with it only what that user could already have done without it, then the feature conferred no new authority, and so it was harmless and acceptable.
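The "prove it is not needed" obligation can be made mechanical in a toy model. The following is an added illustration, not KeyKOS code and not a description of how its designers actually argued: it models authority as the set of objects a subject can reach by following capabilities (the usual take-grant style assumption), defines one existing primitive (fetch a single capability out of an object you already hold), proposes a "fetch all" feature for performance, and checks two things on constructed states: that the feature never enlarges any subject's reachable authority, and that it is emulable by a loop over the existing primitive. A variant that skips the holder check, the kind of shortcut a performance request might smuggle in, fails both checks. All object names and states are made up for the example.

```python
"""
Added illustration: does a proposed kernel feature confer new authority?

Assumption of this toy model (not a KeyKOS definition): a subject's
authority is the set of objects reachable by following capabilities.
"""
from collections import deque
from copy import deepcopy

# A state is a dict: object name -> set of object names it holds caps to.


def reachable(caps, subject):
    """Every object `subject` can reach by following capabilities (its authority)."""
    seen = {subject}
    queue = deque([subject])
    while queue:
        obj = queue.popleft()
        for target in caps.get(obj, ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


# Existing primitive: copy one capability out of an object you already hold a cap to.
def fetch(caps, holder, via, target):
    if via in caps.get(holder, ()) and target in caps.get(via, ()):
        caps.setdefault(holder, set()).add(target)


# Proposed performance feature: copy every capability out of `via` in one call.
# Its "proof of unneededness" is the loop in emulate_fetch_all below.
def fetch_all(caps, holder, via):
    if via in caps.get(holder, ()):
        caps[holder] |= set(caps.get(via, ()))


def emulate_fetch_all(caps, holder, via):
    """The same effect built only from the existing primitive."""
    for target in list(caps.get(via, ())):
        fetch(caps, holder, via, target)


# A tempting "faster" variant that skips the holder check: the kind of feature
# the rule exists to reject.
def fetch_all_unchecked(caps, holder, via):
    caps.setdefault(holder, set()).update(caps.get(via, ()))


def feature_is_harmless(feature, cases):
    """True if `feature` never enlarges any subject's authority in any case."""
    for caps, args in cases:
        before = {s: reachable(caps, s) for s in caps}
        after = deepcopy(caps)
        feature(after, *args)
        if any(not reachable(after, s) <= before[s] for s in caps):
            return False
    return True


def feature_is_emulable(feature, emulation, cases):
    """True if `emulation` (existing primitives only) reaches the same state as `feature`."""
    for caps, args in cases:
        a, b = deepcopy(caps), deepcopy(caps)
        feature(a, *args)
        emulation(b, *args)
        if a != b:
            return False
    return True


# Constructed sample states (hypothetical names): alice holds a directory;
# in the second state only bob holds a path to `secret`.
SAMPLE_CASES = [
    ({"alice": {"dir"}, "dir": {"f1", "f2"}, "f1": set(), "f2": set(),
      "bob": {"secret"}, "secret": set()}, ("alice", "dir")),
    ({"alice": set(), "dir": {"secret"}, "secret": set(), "bob": {"dir"}},
     ("alice", "dir")),
]

if __name__ == "__main__":
    print("fetch_all harmless:", feature_is_harmless(fetch_all, SAMPLE_CASES))
    print("fetch_all emulable:", feature_is_emulable(fetch_all, emulate_fetch_all, SAMPLE_CASES))
    print("unchecked harmless:", feature_is_harmless(fetch_all_unchecked, SAMPLE_CASES))
```

The emulability check is the stronger of the two and is the one the joke asks for: it shows the feature is literally unneeded, from which harmlessness follows. The reachability check alone is what you fall back on when the feature cannot be expressed exactly in terms of existing primitives but you still want evidence that it grants nothing new.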

Only a few "needed" features were added after the basic design. After a good many domain programs had been debugged, few truly necessary new kernel features remained to be discovered. In this regard, capability kernel design is a bit like designing an instruction set for a CPU.