Ghosts of Unix past, part 3: Unfixable designs

The beautiful thing is that one doesn't have to do this expensive lookup if the main filesystem/kernel used such a scheme. It would work pretty much like the dentry-cache and one could probably even JIT the possible complex patterns or at least byte-code compile them in memory.
Apache doesn't do this for it is hard to get a good cross-platform file-change notification (which doesn't have possible side-effects).

It even has a good chance to be cheaper than the current unix model, since in a practical setup there would only be a few (compiled) rulesets in effect (still hundreds, but a lot less than actual dentries). One could possibly cache a pointer to the list of effective rules to a dentry/inode (depending on how the rules are to be applied, this is semantics, but I suspect you'd want them on the inode level).

But the decoupling of the details from every single inode can probably be done without any real performance impact (and possibly even performance gains). Whether you use hierarchical ACLs or matching rules shouldn't really make a difference and constant tree traversals shouldn't be necessary when done at the VFS level.