Software isolation model

In this section, you will learn how the Zircon kernel objects enable Fuchsia to follow the principle of least privilege, isolating processes and granting them only the capabilities they require.


When a new process is created, it has no capabilities. The process relies entirely on its creator to provide capabilities through the set of handles passed to it. One might also say that an empty process has no ambient authority.

Because of this, processes are usually created with some initial resources and capabilities. The fuchsia.process.Launcher protocol provides the low-level interface to create new processes on the system from an executable and a set of kernel object handles. Most software uses the component framework, which simplifies the work of setting up a new process to execute some code with a standard set of initial capabilities. You will explore components in more detail later on.

Some initial handles given to a process are directories that the process mounts into its namespace.


The namespace of a process contains its private view of the world, and controls how much of the Fuchsia system the process can influence. This effectively defines the rules of the sandbox in which that process runs.

Namespaces are populated with various resource objects, including:

  • Files: Objects which contain binary data.
  • Directories: Objects which contain other objects.
  • Sockets: Objects which establish connections when opened, like named pipes.
  • Protocols and services: Objects which provide structured services when opened.
  • Devices: Objects which provide access to hardware resources.

The ​​creator of the process populates the contents of a namespace based on the set of required capabilities. A process cannot add objects to its own namespace, as this would essentially amount to that process self-granting the capabilities to access those objects.

Exercise: Namespaces

In this exercise, you'll explore the contents of a component's namespace in more detail using the shell.

Start the emulator

If you do not already have an instance running, start the emulator:

ffx emu start --headless

When startup is complete, the emulator prints the following message and returns:

Logging to "$HOME/.local/share/Fuchsia/ffx/emu/instances/fuchsia-emulator/emulator.log"
Waiting for Fuchsia to start (up to 60 seconds)........
Emulator is ready.

Find a component in the hub

Fuchsia provides the Hub as a diagnostic interface to obtain information about component instances running on the system. You can explore the components and their namespaces using the hub's directory structure.

Connect to a device shell prompt and enter the following ls command to list the components of the core realm under /hub-v2/children/core/children:

fx shell ls /hub-v2/children/core/children

This is a list of many of the core Fuchsia system components. To see more details about a specific component, list its directory contents.

Try this for the http-client component:

fx shell ls /hub-v2/children/core/children/network/children/http-client

Explore the namespace and outgoing directory

You'll find a running component's namespace under the exec/in path inside the hub.

fx shell ls /hub-v2/children/core/children/network/children/http-client/exec/in

Here are some quick highlights of each element:

  • config/: configuration data for the component
  • pkg/: the contents of the component's package
  • svc/: system services available to the component

List the contents of the incoming svc/ directory. This directory contains service nodes representing the system services provided to this component.

fx shell ls /hub-v2/children/core/children/network/children/http-client/exec/in/svc

Each of these services is accessible over a well-known protocol defined by a Fuchsia Interface Definition Language (FIDL) interface. Components provide system services through their outgoing directory, which is mapped to the exec/out path inside the hub.

List the contents of the outgoing svc/ directory to see the system services this component provides.

fx shell ls /hub-v2/children/core/children/network/children/http-client/exec/out/svc

We'll explore FIDL protocols and how to access various services in more detail later on.