Porting Nix to Genode – Emery Hemingway

Big problem with current OSes: all processes see the same filesystem.

  • It’s unintuitive (/usr)
  • Handling multiple versions of libraries is problematic
  • Malicious programs can steal credentials, or profile what you have installed
  • fsck is there to avoid crashing your kernel
  • It’s not feasible to manage a system without being root
  • Opt-in security features are easily forgotten.

Virtualisation works around this, but it’s really a workaround.

Under Genode, filesystems are basically VFS libraries (that talk to a filesystem server). This makes it easy to have per-process filesystem views – each client specifies which file hierarchies it wants to see, and which of those are shared and which are private.

Nix offers strict build sandboxing: when building a package, the build process only sees the other packages that were declared as dependencies. This makes it fully deterministic.

The idea is to allow any user to write to the Nix store, so that not everybody needs to be root. But of course you have to avoid one user faking the credentials of another. Therefore, the approach is a shim that is accessed by creating an illegal symlink; this causes the shim to hash the contents of the file or directory, which makes the store entry content-addressable. This way, you can be sure that when you access the store, you see exactly what you expect.
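To make the content-addressing argument concrete, here is a small added example (not code from the talk, from Nix, or from Genode): a toy store where the store, not the writer, derives the path by hashing the object's contents, and a reader recomputes the hash on access. The tree-hashing scheme, the `ContentStore` class and the `demo` helper are simplified stand-ins of my own, not Nix's NAR serialisation or its path scheme.

```python
"""Toy content-addressed store (added illustration, not Nix's own code).

A writer hands a file or directory tree to the store; the store hashes the
contents and names the entry after that hash.  Any user may add to the store,
but nobody can place arbitrary content under a path that another user will
trust, because the path itself is a function of the content.  A reader
recomputes the hash on access and rejects anything that does not match.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def hash_tree(path: Path) -> str:
    """Deterministic hash of a file, symlink or directory tree.

    Entry names, types and contents are fed to SHA-256 in sorted order, so the
    result does not depend on the order the filesystem lists entries, nor on
    timestamps or ownership.  (Simplified stand-in for Nix's NAR hashing.)
    """
    h = hashlib.sha256()

    def walk(p: Path, rel: str) -> None:
        if p.is_symlink():                      # check before is_dir(): links to dirs
            target = os.readlink(p).encode()
            h.update(b"link:" + rel.encode() + b"\0" + target + b"\0")
        elif p.is_dir():
            h.update(b"dir:" + rel.encode() + b"\0")
            for child in sorted(p.iterdir(), key=lambda c: c.name):
                walk(child, rel + "/" + child.name)
        else:
            data = p.read_bytes()
            h.update(b"file:" + rel.encode() + b"\0"
                     + str(len(data)).encode() + b"\0" + data)

    walk(path, "")
    return h.hexdigest()


class ContentStore:
    """The 'shim' role: callers supply content, the store decides the path."""

    def __init__(self, root: Path) -> None:
        self.root = root
        root.mkdir(parents=True, exist_ok=True)

    def add(self, src: Path, name: str) -> Path:
        if "/" in name or name.startswith("."):
            raise ValueError("store names must be plain file names")
        dest = self.root / f"{hash_tree(src)}-{name}"
        if not dest.exists():                   # identical content -> same path, added once
            if src.is_dir():
                shutil.copytree(src, dest, symlinks=True)
            else:
                shutil.copy2(src, dest)
        return dest

    def verify(self, store_path: Path) -> bool:
        """Reader side: the hash in the path must match what is actually there."""
        expected = store_path.name.split("-", 1)[0]
        return hash_tree(store_path) == expected


def demo() -> dict:
    """Run the scenario on a constructed sample tree; returns the observations."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        # Constructed sample "build output" written in one order ...
        out = tmp / "out"
        (out / "bin").mkdir(parents=True)
        (out / "bin" / "hello").write_bytes(b"#!/bin/sh\necho hello\n")
        (out / "README").write_text("toy package\n")
        # ... and the same content written in a different order.
        out2 = tmp / "out2"
        out2.mkdir()
        (out2 / "README").write_text("toy package\n")
        (out2 / "bin").mkdir()
        (out2 / "bin" / "hello").write_bytes(b"#!/bin/sh\necho hello\n")

        store = ContentStore(tmp / "store")
        p1 = store.add(out, "hello")            # first user adds the package
        p2 = store.add(out2, "hello")           # second user, same content
        ok_before = store.verify(p1)
        # Simulate an in-place modification of the stored tree; a reader that
        # re-hashes on access must notice that the path no longer matches.
        (p1 / "bin" / "hello").write_bytes(b"#!/bin/sh\necho changed\n")
        ok_after = store.verify(p1)
        return {
            "order_independent": hash_tree(out) == hash_tree(out2),
            "same_path": p1 == p2,
            "verify_before": ok_before,
            "verify_after": ok_after,
        }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the notes: because the path is computed from the content, a writer cannot choose the path, so two users adding the same content land on the same entry, and any later change to a stored tree is detected by whoever re-hashes it on access.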

[At this point it became too Genode/Nix-specific for me to follow it…]

 
