Software isolation model

In this section, you will learn how the Zircon kernel objects enable Fuchsia to follow the principle of least privilege, isolating processes and granting them only the capabilities they require.

Sandboxing

When a new process is created, it has no capabilities. The process relies entirely on its creator to provide capabilities through the set of handles passed to it. One might also say that an empty process has no ambient authority.

Because of this, processes are usually created with some initial resources and capabilities. The fuchsia.process.Launcher protocol provides the low-level interface to create new processes on the system from an executable and a set of kernel object handles. Most software uses the component framework, which simplifies the work of setting up a new process to execute some code with a standard set of initial capabilities. You will explore components in more detail later on.

Some initial handles given to a process are directories that the process mounts into its namespace.

Namespaces

The namespace of a process contains its private view of the world, and controls how much of the Fuchsia system the process can influence. This effectively defines the rules of the sandbox in which that process runs.

Namespaces are populated with various resource objects, including:

  • Files: Objects which contain binary data.
  • Directories: Objects which contain other objects.
  • Sockets: Objects which establish connections when opened, like named pipes.
  • Protocols and services: Objects which provide structured services when opened.
  • Devices: Objects which provide access to hardware resources.

The creator of the process populates the contents of a namespace based on the set of required capabilities. A process cannot add objects to its own namespace, as this would essentially amount to that process self-granting the capabilities to access those objects.

Exercise: Namespaces

In this exercise, you'll explore the contents of a component's namespace in more detail using the shell.

Start the emulator

If you do not already have an instance running, start FEMU with networking support:

fx vdl start -N --start-package-server

When startup is complete, the emulator prints the following message and opens a shell prompt:

To support fx tools on emulator, please run "fx set-device fuchsia-5254-0063-5e7a"
$

Find a component in the hub

Fuchsia provides the Hub as a diagnostic interface to obtain information about component instances running on the system. You can explore the components and their namespaces using the hub's directory structure.

From the device shell prompt, enter the ls command to list the components of the core realm under /hub-v2/children/core/children:

ls /hub-v2/children/core/children
activity
appmgr
brightness_manager
bt-avrcp
build-info
...

This is a list of many of the core Fuchsia system components. To see more details about a specific component, list its directory contents.

Try this for the http-client component:

ls /hub-v2/children/core/children/http-client
children
component_type
debug
deleting
exec
id
resolved
url

Explore the namespace and outgoing directory

You'll find a running component's namespace under the exec/in path inside the hub.

ls /hub-v2/children/core/children/http-client/exec/in
config
pkg
svc

Here are some quick highlights of each element:

  • config/: configuration data for the component
  • pkg/: the contents of the component's package
  • svc/: system services available to the component

List the contents of the incoming svc/ directory. This directory contains service nodes representing the system services provided to this component.

ls /hub-v2/children/core/children/http-client/exec/in/svc
fuchsia.logger.LogSink
fuchsia.net.name.Lookup
fuchsia.posix.socket.Provider

Each of these services is accessible over a well-known protocol defined by a Fuchsia Interface Definition Language (FIDL) interface. Components provide system services through their outgoing directory, which is mapped to the exec/out path inside the hub.

List the contents of the outgoing svc/ directory to see the system services this component provides.

ls /hub-v2/children/core/children/http-client/exec/out/svc
fuchsia.net.http.Loader
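The same hub layout can be turned into a least-privilege review: which core components were granted a given protocol, and what each one exposes. The POSIX shell functions below are an added example, not part of the Fuchsia documentation or source tree; they take the hub root as a parameter and are exercised here against a constructed sample tree that mirrors the http-client listings above, so they run offline.

```shell
# Added example (not from the Fuchsia docs): audit a component's capabilities by
# walking the hub layout described above, exec/in/svc (what the component was
# granted) and exec/out/svc (what it exposes). HUB_ROOT is a parameter so the
# same functions run against /hub-v2 on a device or, as below, against a
# constructed sample tree for offline use.

# list_services HUB_ROOT COMPONENT in|out  -> one protocol name per line, sorted.
# Returns 1 if the component has no such svc directory.
list_services() {
    hub="$1"; comp="$2"; direction="$3"
    svc="$hub/children/core/children/$comp/exec/$direction/svc"
    [ -d "$svc" ] || return 1
    for node in "$svc"/*; do
        if [ -e "$node" ]; then basename "$node"; fi
    done | sort
}

# who_can_use HUB_ROOT PROTOCOL -> every core component whose incoming namespace
# holds PROTOCOL. This is the least-privilege question: who was granted it?
who_can_use() {
    hub="$1"; proto="$2"
    for comp_dir in "$hub"/children/core/children/*/; do
        comp=$(basename "$comp_dir")
        if [ -e "$comp_dir/exec/in/svc/$proto" ]; then echo "$comp"; fi
    done | sort
}

# make_sample_hub -> prints the path of a constructed hub tree (not a real
# device) that mirrors the http-client listings above plus a second component.
make_sample_hub() {
    root=$(mktemp -d)
    base="$root/children/core/children"
    for comp in activity http-client; do
        mkdir -p "$base/$comp/exec/in/svc" "$base/$comp/exec/out/svc"
    done
    touch "$base/http-client/exec/in/svc/fuchsia.logger.LogSink" \
          "$base/http-client/exec/in/svc/fuchsia.net.name.Lookup" \
          "$base/http-client/exec/in/svc/fuchsia.posix.socket.Provider" \
          "$base/http-client/exec/out/svc/fuchsia.net.http.Loader" \
          "$base/activity/exec/in/svc/fuchsia.logger.LogSink"
    echo "$root"
}

# Usage on a device: who_can_use /hub-v2 fuchsia.posix.socket.Provider
```

On a device, `who_can_use /hub-v2 fuchsia.posix.socket.Provider` lists every core component that can open network sockets, which is the kind of capability inventory a reviewer wants before trusting a sandbox boundary.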

We'll explore FIDL protocols and how to access various services in more detail later on.