In this section, you will learn how the Zircon kernel objects enable Fuchsia to follow the principle of least privilege, isolating processes and granting them only the capabilities they require.
When a new process is created, it has no capabilities. The process relies entirely on its creator to provide capabilities through the set of handles passed to it. One might also say that an empty process has no ambient authority.
Because of this, processes are usually created with some initial resources
and capabilities. The
fuchsia.process.Launcher protocol provides the
low-level interface to create new processes on the system from an executable
and a set of kernel object handles. Most software uses the component framework,
which simplifies the work of setting up a new process to execute some code with
a standard set of initial capabilities. You will explore components in more
detail later on.
Some initial handles given to a process are directories that the process mounts into its namespace.
The namespace of a process contains its private view of the world, and controls how much of the Fuchsia system the process can influence. This effectively defines the rules of the sandbox in which that process runs.
Namespaces are populated with various resource objects, including:
- Files: Objects which contain binary data.
- Directories: Objects which contain other objects.
- Sockets: Objects which establish connections when opened, like named pipes.
- Protocols and services: Objects which provide structured services when opened.
- Devices: Objects which provide access to hardware resources.
The creator of the process populates the contents of a namespace based on the set of required capabilities. A process cannot add objects to its own namespace, as this would essentially amount to that process self-granting the capabilities to access those objects.
In this exercise, you'll explore the contents of a component's namespace in more detail using the shell.
Start the emulator
If you do not already have an instance running, start the emulator:
ffx emu start --headless
When startup is complete, the emulator prints the following message and returns:
Logging to "$HOME/.local/share/Fuchsia/ffx/emu/instances/fuchsia-emulator/emulator.log" Waiting for Fuchsia to start (up to 60 seconds)........ Emulator is ready.
Find a component in the hub
Fuchsia provides the Hub as a diagnostic interface to obtain information about component instances running on the system. You can explore the components and their namespaces using the hub's directory structure.
Connect to a device shell prompt and enter the following
ls command to list
the components of the
core realm under
fx shell ls /hub-v2/children/core/children
activity appmgr brightness_manager bt-avrcp build-info ...
This is a list of many of the core Fuchsia system components. To see more details about a specific component, list its directory contents.
Try this for the
fx shell ls /hub-v2/children/core/children/network/children/http-client
children component_type debug deleting exec id resolved url
Explore the namespace and outgoing directory
You'll find a running component's namespace under the
exec/in path inside
fx shell ls /hub-v2/children/core/children/network/children/http-client/exec/in
config pkg svc
Here are some quick highlights of each element:
config/: configuration data for the component
pkg/: the contents of the component's package
svc/: system services available to the component
List the contents of the incoming
svc/ directory. This
representing the system services provided to this component.
fx shell ls /hub-v2/children/core/children/network/children/http-client/exec/in/svc
fuchsia.logger.LogSink fuchsia.net.name.Lookup fuchsia.posix.socket.Provider
Each of these services is accessible over a well-known protocol defined by a
Fuchsia Interface Definition Language (FIDL)
Components provide system services through their outgoing directory, which
is mapped to the
exec/out path inside the hub.
List the contents of the outgoing
svc/ directory to see the system services
this component provides.
fx shell ls /hub-v2/children/core/children/network/children/http-client/exec/out/svc
We'll explore FIDL protocols and how to access various services in more detail later on.