The principle of least privilege suggests that we can enhance the reliability and security of programs by dividing them into compartments that communicate via restricted interfaces. In an unsafe language such as C, this can also isolate the impact of memory errors by restricting memory accesses across compartment boundaries. We are developing designs for C compartmentalization policies that can be efficiently implemented using tag-based hardware reference monitors. Our policies support dif- ferent cross-compartment interfaces, ranging from a “share- nothing” model where compartments interact only by func- tion call and return passing scalars, to a “share-anything” model in which compartments can exchange capabilities to access individual memory objects. Between these, novel hy- brid models distinguish local and shareable objects. The tag policies vary in how much memory protection they provide, from compartment-based fault isolation to full spatial and temporal memory safety for each object, and each supports further restriction via mandatory access control.