BSD RUMP kernels....
RUMP has the added advantage of allowing said services to actually be running on remote hardware....
http://rumpkernel.org/or just go for a channel based approach like google's fuscia/magenta OS
where all services communicate through "channels" (glorified ring buffers) to the kernel
https://en.wikipedia.org/wiki/Google_Fuchsiahttps://github.com/fuchsia-mirror/magentaoverboard examples with increased security include such things as L4 Microkernels and "Partitioned" OS's which define strict APIs between services
Also remember that on x86_64 at least, the TSS can specify an
arbitrary ring # - you don't have to stick to ring 0,1,2,3 ... you can have as many as you like as long as your security architecture tracks dependencies correctly.... With appropriate ring buffers and memory allocation (i.e. magenta) you can use the hardware to help enforce the API rules