Big problem with current OSes: all processes see the same filesystem.
- It’s unintuitive (/usr)
- Handling multiple versions of libraries is problematic
- Malicious programs can steal credentials, or profile what you have installed
- fsck is there to avoid crashing your kernel
- It’s not feasible to manage a system without being root
- Opt-in security features are easily forgotten.
Virtualisation works around this, but it’s really a workaround.
Under Genode, filesystems are basically VFS libraries (that talk to a filesystem server). This makes it easy to have per-process filesystem views – each client specifies which file hierarchies it wants to see, and which of those are shared and which are private.
Nix offers strict build sandboxing: when building a package, the build process only sees the other packages that were declared as dependencies. This makes builds fully deterministic.
The idea is to allow any user to write to the nix store, so that not everybody needs to be root. But of course you have to prevent users from faking the credentials of other users. Therefore, the approach is a shim that is accessed by creating an illegal symlink; this causes the shim to hash the contents of the file/directory, which makes it content-addressable. This way, you can be sure that when you access the store, you see exactly what you expect.
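To make the content-addressable point concrete, here is an added illustration (not Genode or Nix code, and not from the talk) of what a store that names entries by a digest of their contents lets a reader check on access: a deterministic hash over a file tree, and a verification that fails as soon as the tree no longer matches the digest it was stored under. The tree serialisation, the `store_path()` naming scheme and the `demo()` sample tree are assumptions made for the example.

```python
# Added illustration of a content-addressed store check (not Genode or Nix
# code); the serialisation (sorted, type-tagged, length-prefixed fields, a
# simplified NAR-like form) and the store naming scheme are assumptions.
import hashlib
import os
import tempfile

def _emit(h, *parts: bytes) -> None:
    for p in parts:  # length-prefix each field so boundaries are unambiguous
        h.update(len(p).to_bytes(8, "little"))
        h.update(p)

def _walk(h, path: str) -> None:
    if os.path.islink(path):
        _emit(h, b"symlink", os.readlink(path).encode())
    elif os.path.isdir(path):
        _emit(h, b"dir")
        for name in sorted(os.listdir(path)):  # sorted: order-independent
            _emit(h, b"entry", name.encode())
            _walk(h, os.path.join(path, name))
        _emit(h, b"end")
    else:
        with open(path, "rb") as f:
            _emit(h, b"file", b"1" if os.access(path, os.X_OK) else b"0", f.read())

def hash_tree(path: str) -> str:
    """Hex SHA-256 over content and structure only (mtimes, owners ignored)."""
    h = hashlib.sha256()
    _walk(h, path)
    return h.hexdigest()

def store_path(name: str, digest: str, store: str = "/nix/store") -> str:
    return os.path.join(store, f"{digest[:32]}-{name}")  # assumed scheme

def verify_store_entry(path: str, expected_digest: str) -> bool:
    """The guarantee the shim gives: an entry must match the digest it is named by."""
    return hash_tree(path) == expected_digest

def demo() -> dict:
    """Constructed sample tree: hash it, verify, tamper with it, verify again."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "hello"), "w") as f:
            f.write("#!/bin/sh\necho hello\n")
        digest = hash_tree(d)
        intact = verify_store_entry(d, digest)
        with open(os.path.join(d, "hello"), "a") as f:
            f.write("# tampered\n")
        return {"path": store_path("hello-1.0", digest), "intact": intact,
                "after_tamper": verify_store_entry(d, digest)}

if __name__ == "__main__":
    print(demo())
```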
[At this point it became too Genode/Nix-specific for me to follow it…]