Capability-Based Security for Redox: Namespace and CWD as Capabilities

Summary

By Ibuki Omatsu on Tuesday, March 17, 2026 Hello everyone! I’m Ibuki Omatsu. I’m currently working on the project “Capability-based security for Redox”, graciously funded by NGI Zero Commons and NLnet. In this post, I’ll explain “Namespace management in Userspace” and “CWD as a Capability”. We’ll explore how we reimplemented the namespace that previously was managed by the kernel, and the previously string-based CWD management, using capabilities. You might want to read about Capability-based security if you are unfamiliar with it. A simplified description is that an open file descriptor is a capability, because it identifies a resource and the application’s access rights for that resource. Capability-based security expects that all resources will be accessed starting from a capability. Introduction: The architecture of Redox OS In this section, I’ll explain two Redox specific concepts: resource provider “Schemes”, and our implementation of the C standard library, “relibc”. Scheme: Resource Provider Services As you know, Redox OS is a microkernel-based operating system. This means most system components and drivers, such as filesystems and process managers, run as separate programs in userspace. “Schemes” are the services that these programs provide. For example, RedoxFS (Redox OS’s Filesystem service) provides the file scheme, and the process manager provides the proc scheme. All resources are accesssed by a “Scheme-rooted Path” that takes following form: /scheme/{scheme-name}/{resource-name}. Example of Scheme-rooted Paths: file: /home/user/file.txt -> /scheme/file/home/user/file.txt tcp: 127.0.0.1:8080 -> /scheme/tcp/127.0.0.1/8080 In Redox, the “Namespace” controls the visibility of schemes. Schemes are registered to namespaces, and a process is only able to access the schemes registered to its own namespace. This is controlled using Scheme-rooted path. For example, In a namespace such as ["file", "uds"], a process can access files and Unix Domain Sockets, but i...