The classic Unix model is insufficient for fine-grained access control. New models have appeared, such as capabilities and ACLs [1.8]. Other problems come from the existence of a superuser who holds every right and whose account is not so hard to compromise.
The ACL approach controls access to files by the uid of the user. The difference from the classic Unix model is that you can give a list of uids allowed to access a given file, without having to play with Unix groups.
We chose an ACL-like approach. In addition to controlling access to files by uid, we add a control on the program that wants to access the file.
To control access to hardware and to some kernel data, we chose a kind of blend of the existing capabilities support and the ACL-like approach just introduced. That is to say, we give a program a capability set that depends on the program itself, on the uid of the user, and on what is inherited from the parent process.
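The two mechanisms described above, as an added illustrative model in Python that is not the project's own code: file ACL entries name both a uid and a program, and a process's capability set is derived from the program, the uid and the parent. The sample policy is constructed, and combining the three capability sources by intersection is an assumption the text does not state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    uid: int            # user allowed to access the file
    program: str        # executable allowed to access the file on that user's behalf
    modes: frozenset    # subset of {"r", "w", "x"}

# Constructed sample policy: path -> ACL entries (uid AND program must match).
FILE_ACL = {
    "/etc/shadow": (AclEntry(0, "/usr/bin/passwd", frozenset("r")),
                    AclEntry(0, "/usr/sbin/sshd", frozenset("r"))),
    "/home/alice/notes": (AclEntry(1000, "/usr/bin/vi", frozenset("rw")),),
}

def file_allowed(path, uid, program, mode):
    """ACL-like check: the uid alone is not enough, the calling program
    must also appear in an entry for this file with the requested mode."""
    return any(e.uid == uid and e.program == program and mode in e.modes
               for e in FILE_ACL.get(path, ()))

# Constructed sample capability policy for the hardware / kernel-data side.
PROGRAM_CAPS = {"/usr/sbin/sshd": {"NET_BIND", "SETUID"},
                "/usr/bin/ping": {"NET_RAW"}}
USER_CAPS = {0: {"NET_BIND", "SETUID", "NET_RAW"}, 1000: {"NET_RAW"}}

def process_caps(program, uid, parent_caps):
    """Capability set of a new process from the program, the uid and the
    parent's set. Assumption: the sources are intersected, so a capability
    is only held when the program, the user and the parent all allow it."""
    prog = PROGRAM_CAPS.get(program, set())
    user = USER_CAPS.get(uid, set())
    return prog & user & set(parent_caps)

if __name__ == "__main__":
    print(file_allowed("/etc/shadow", 0, "/usr/bin/passwd", "r"))  # True
    print(file_allowed("/etc/shadow", 0, "/bin/cat", "r"))         # False: wrong program
    print(process_caps("/usr/bin/ping", 1000, {"NET_RAW", "NET_BIND"}))  # {'NET_RAW'}
```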