In this section, you will learn how the Zircon kernel objects enable Fuchsia to follow the principle of least privilege, isolating processes and granting them only the capabilities they require.
When a new process is created, it has no capabilities. The process relies entirely on its creator to provide capabilities through the set of handles passed to it. One might also say that an empty process has no ambient authority.
Because of this, processes are usually created with some initial resources
and capabilities. The
fuchsia.process.Launcher protocol provides the
low-level interface to create new processes on the system from an executable
and a set of kernel object handles. Most software uses the component framework,
which simplifies the work of setting up a new process to execute some code with
a standard set of initial capabilities. You will explore components in more
detail later on.
Some initial handles given to a process are directories that the process mounts into its namespace.
The namespace of a process contains its private view of the world, and controls how much of the Fuchsia system the process can influence. This effectively defines the rules of the sandbox in which that process runs.
Namespaces are populated with various resource objects, including:
- Files: Objects which contain binary data.
- Directories: Objects which contain other objects.
- Sockets: Objects which establish connections when opened, like named pipes.
- Protocols and services: Objects which provide structured services when opened.
- Devices: Objects which provide access to hardware resources.
The creator of the process populates the contents of a namespace based on the set of required capabilities. A process cannot add objects to its own namespace, as this would essentially amount to that process self-granting the capabilities to access those objects.
In this exercise, you'll explore the contents of a component's namespace in more detail using the shell.
Start the emulator
If you do not already have an instance running, start FEMU with networking support:
fx vdl start -N --start-package-server
When startup is complete, the emulator prints the following message and opens a shell prompt:
To support fx tools on emulator, please run "fx set-device fuchsia-5254-0063-5e7a" $
Find a component in the hub
Fuchsia provides the Hub as a diagnostic interface to obtain information about component instances running on the system. You can explore the components and their namespaces using the hub's directory structure.
From the device shell prompt, enter the
ls command to list the components of
core realm under
activity appmgr brightness_manager bt-avrcp build-info ...
This is a list of many of the core Fuchsia system components. To see more details about a specific component, list its directory contents.
Try this for the
children component_type debug deleting exec id resolved url
Explore the namespace and outgoing directory
You'll find a running component's namespace under the
exec/in path inside
config pkg svc
Here are some quick highlights of each element:
config/: configuration data for the component
pkg/: the contents of the component's package
svc/: system services available to the component
List the contents of the incoming
svc/ directory. This
representing the system services provided to this component.
fuchsia.logger.LogSink fuchsia.net.name.Lookup fuchsia.posix.socket.Provider
Each of these services is accessible over a well-known protocol defined by a
Fuchsia Interface Definition Language (FIDL)
Components provide system services through their outgoing directory, which
is mapped to the
exec/out path inside the hub.
List the contents of the outgoing
svc/ directory to see the system services
this component provides.
We'll explore FIDL protocols and how to access various services in more detail later on.