Ibuki Omatsu details two capability-based security improvements to Redox OS funded by NLnet/NGI Zero Commons: moving namespace management from the kernel to a userspace daemon (nsmgr), and representing the current working directory (CWD) as a file descriptor rather than a string. The namespace is now a file descriptor passed via openat, so the kernel no longer needs to parse scheme names or manage namespace state. The CWD-as-capability change eliminates the need to reconstruct absolute paths from relative ones and enables straightforward O_RESOLVE_BENEATH sandboxing. Together these changes reduce kernel complexity, shrink the attack surface, and lay groundwork for richer sandboxing in Redox OS.
Table of contents
Introduction: The architecture of Redox OS
File Access in Redox OS Before Capabilities
Key Concept: openat(dir_fd, path)
Namespace Manager in Userspace
CWD as a Capability
Conclusion
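The following is an added illustration of the CWD-as-capability model the summary describes; it is not code from the article or from Redox. It is a Linux analogue that uses openat2 with RESOLVE_BENEATH in place of Redox's O_RESOLVE_BENEATH, and it assumes Linux 5.6 or newer; the temporary directory layout, file names and the open_beneath/run_demo helpers are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>

/* Minimal openat2 definitions so this builds without <linux/openat2.h>. */
#ifndef SYS_openat2
#define SYS_openat2 437            /* same number on x86_64 and aarch64 */
#endif
#define RESOLVE_BENEATH_FLAG 0x08
struct open_how_min { uint64_t flags, mode, resolve; };

/* Open `path` relative to the directory capability `cwd_fd`, refusing any
 * resolution that escapes it (the job O_RESOLVE_BENEATH does on Redox). Returns an fd, or -errno. */
int open_beneath(int cwd_fd, const char *path, int flags)
{
    struct open_how_min how = { (uint64_t)flags, 0, RESOLVE_BENEATH_FLAG };
    long fd = syscall(SYS_openat2, cwd_fd, path, &how, sizeof how);
    return fd < 0 ? -errno : (int)fd;
}

/* Constructed layout: <tmp>/secret.txt outside the sandbox, <tmp>/box/data.txt inside it;
 * the fd for <tmp>/box plays the CWD capability. Returns 0 if every expectation holds, else the failing step. */
int run_demo(void)
{
    char tmpl[] = "/tmp/redox-cwd-XXXXXX", box_path[64], p[64];
    if (!mkdtemp(tmpl)) return 1;
    snprintf(p, sizeof p, "%s/secret.txt", tmpl);
    close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(box_path, sizeof box_path, "%s/box", tmpl);
    if (mkdir(box_path, 0700) < 0) return 2;
    int fd, box = open(box_path, O_DIRECTORY | O_RDONLY);
    if (box < 0) return 3;
    close(openat(box, "data.txt", O_CREAT | O_WRONLY, 0600));
    /* Inside the capability: allowed. */
    if ((fd = open_beneath(box, "data.txt", O_RDONLY)) < 0) return 4; close(fd);
    /* Escaping it with "..": refused, while plain openat lets it through. */
    if (open_beneath(box, "../secret.txt", O_RDONLY) != -EXDEV) return 5;
    if ((fd = openat(box, "../secret.txt", O_RDONLY)) < 0) return 6; close(fd);
    /* The fd stays valid after a rename; a string CWD would now be stale. */
    snprintf(p, sizeof p, "%s/box-renamed", tmpl);
    if (rename(box_path, p) < 0) return 7;
    if ((fd = open_beneath(box, "data.txt", O_RDONLY)) < 0) return 8; close(fd);
    return 0;
}
```

The contrast between steps 5 and 6 is the point of the change: once the CWD is a directory fd, "stay beneath this directory" is a single flag on the open rather than a path-string reconstruction.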