Redox OS Implements Capability-Based Security Using Namespaces and Working Directory as Capabilities
Redox OS Advances Capability-Based Security Model
Redox OS, the Unix-like microkernel operating system written in Rust, has implemented a capability-based security model in which a process's filesystem namespace and its current working directory (CWD) are themselves security capabilities. The work was funded by the NGI Zero programme through the NLnet foundation.
The Concept
In a traditional Unix system, access control is keyed to the identity of the calling process: the kernel compares its user and group IDs against file permission bits and, optionally, access control lists. Any process running as a given user therefore carries that user's entire authority, whether it needs it or not. Redox OS takes a different approach, inspired by object-capability security:
- Namespace as capability: a process's namespace is the set of schemes (resource providers such as the filesystem) it can reach by name. The namespace is itself a capability: without a reference to a scheme, a process cannot open anything that scheme serves
- CWD as capability: the current working directory is a held directory handle rather than a string resolved against a global root. Relative paths resolve against that handle, so a process confined to a directory cannot name anything outside it, and the parent-directory component (..) cannot climb above it
- No reliance on root: authority comes from the capabilities a process holds, not from an all-powerful user identity that is consulted on every access
Why Capability-Based Security Matters
Capability security provides two fundamental guarantees:
- No ambient authority: a process can reach a resource only if it was explicitly handed a reference to it; there is no global namespace or user identity that grants access implicitly
- Confused deputy prevention: because a capability both designates a resource and authorizes access to it, a process cannot hand a privileged helper a name it could not itself open and have the helper act on it with the helper's own broader authority
Implementation in Redox
Rust's ownership and borrowing rules help the kernel and the scheme daemons implement the model correctly, but the property capability security depends on, unforgeability, is enforced by the kernel rather than by the language. Every resource in Redox is reached through a scheme, and a process can address a scheme's resources only through references the kernel issued to it; it cannot mint or copy such a reference except through kernel operations that track where the reference went.
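The discipline described in the concept list and the two guarantees above can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from Redox OS: the types, the "scheme:/path" spelling of absolute paths, and the scheme names file, tcp and display are all assumptions made for the example. A namespace gates which schemes a process can name, a directory capability with a private root bounds relative path resolution, both can only be attenuated, and because open takes the caller's directory handle rather than an ambient root, a helper built on it cannot be steered outside what the caller could already reach.

```rust
// Added illustration of namespace-as-capability and CWD-as-capability. This is
// NOT Redox OS code: the types, the "scheme:/path" spelling and the scheme names
// "file", "tcp" and "display" are assumptions made for this example.
use std::collections::BTreeSet;

#[derive(Debug, PartialEq)]
pub enum CapError {
    EscapesScope,                 // ".." tried to climb above the capability's root
    SchemeNotInNamespace(String), // absolute path named a scheme the process cannot see
}

/// Namespace capability: the schemes a process can reach by name. The only way
/// to derive a new one is `restrict`, so a holder can narrow it but never widen it.
#[derive(Clone, Debug)]
pub struct Namespace {
    schemes: BTreeSet<String>,
}

impl Namespace {
    /// The initial namespace is handed out by the (hypothetical) kernel at boot.
    pub fn initial(schemes: &[&str]) -> Self {
        Namespace { schemes: schemes.iter().map(|s| s.to_string()).collect() }
    }

    /// Attenuation: keep only the listed schemes, and only those already present.
    pub fn restrict(&self, keep: &[&str]) -> Namespace {
        let schemes: BTreeSet<String> =
            keep.iter().filter(|s| self.contains(s)).map(|s| s.to_string()).collect();
        Namespace { schemes }
    }

    pub fn contains(&self, scheme: &str) -> bool {
        self.schemes.contains(scheme)
    }
}

/// Directory capability: an opaque handle to one subtree of one scheme. `root`
/// is private, so user code cannot forge a handle; it can only get one through
/// the namespace or by attenuating a handle it already holds.
#[derive(Clone, Debug)]
pub struct DirCap {
    scheme: String,
    root: Vec<String>,
}

impl DirCap {
    /// Opening an absolute path is the namespace check: the scheme must be reachable.
    pub fn open_absolute(ns: &Namespace, scheme: &str, abs: &str) -> Result<DirCap, CapError> {
        if !ns.contains(scheme) {
            return Err(CapError::SchemeNotInNamespace(scheme.to_string()));
        }
        let scheme_root = DirCap { scheme: scheme.to_string(), root: Vec::new() };
        scheme_root.subdir(abs)
    }

    /// Attenuation: a narrower capability for a subdirectory of this one.
    pub fn subdir(&self, rel: &str) -> Result<DirCap, CapError> {
        Ok(DirCap { scheme: self.scheme.clone(), root: self.walk(rel)? })
    }

    /// Resolve a relative path to a canonical "scheme:/a/b" string. Because ".."
    /// can never climb above `root`, the result always lies inside this scope.
    pub fn resolve(&self, rel: &str) -> Result<String, CapError> {
        Ok(format!("{}:/{}", self.scheme, self.walk(rel)?.join("/")))
    }

    fn walk(&self, rel: &str) -> Result<Vec<String>, CapError> {
        let mut comps = self.root.clone();
        for part in rel.split('/') {
            match part {
                "" | "." => {}
                ".." if comps.len() <= self.root.len() => return Err(CapError::EscapesScope),
                ".." => { comps.pop(); }
                name => comps.push(name.to_string()),
            }
        }
        Ok(comps)
    }
}

/// What a process can open: an absolute "scheme:/path" needs the scheme in its
/// namespace; a relative path is resolved against the directory capability it
/// holds as its CWD. There is no ambient global root to fall back on, so a
/// helper that takes a `DirCap` from its caller cannot be steered outside it.
pub fn open(ns: &Namespace, cwd: &DirCap, path: &str) -> Result<String, CapError> {
    match path.split_once(":/") {
        Some((scheme, abs)) => DirCap::open_absolute(ns, scheme, abs)?.resolve(""),
        None => cwd.resolve(path),
    }
}

fn main() {
    let boot_ns = Namespace::initial(&["file", "tcp", "display"]);
    let home = DirCap::open_absolute(&boot_ns, "file", "home/user").unwrap();
    // Sandbox a child: no schemes by name, only a handle to its project directory.
    let sandbox_ns = boot_ns.restrict(&[]);
    let project = home.subdir("projects/app").unwrap();
    println!("{:?}", open(&sandbox_ns, &project, "src/main.rs"));
    println!("{:?}", open(&sandbox_ns, &project, "../../.ssh/id_ed25519"));
    println!("{:?}", open(&sandbox_ns, &project, "file:/etc/passwd"));
}
```

The sandboxed child in main holds an empty namespace and one directory handle: a relative open inside the project succeeds, a ".." walk to the user's .ssh directory fails with EscapesScope, and an absolute file: path fails with SchemeNotInNamespace even though the parent process could open it. The same three calls made with the parent's boot namespace succeed for the absolute path, which is exactly the authority the restriction removed.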
Impact on Linux and Mainstream OS
While Redox is not yet a mainstream OS, its capability-based approach informs broader discussions about OS security:
- Linux namespaces, the basis of containers, give a process group a private view of mounts, PIDs and network interfaces, but authority inside that view still derives from user IDs; Linux "capabilities" are privilege bits attached to a process, not object capabilities
- Plan 9's per-process namespaces share the philosophy that a process should see only the resources composed into its namespace
- Web browsers isolate by origin (the same-origin policy), an identity-based model rather than a capability one, but with the same goal of confining code to the resources it can reach
Redox shows that a general-purpose Unix-like OS can be designed around capabilities from the start rather than having them bolted onto an existing identity-based permission system.