> An empty process has nothing > Namespaces are the gateway to the world

Sounds like capability security to me. Although I wish they had said more about how these namespaces work. If they are inheritable and you can virtualize them for child processes (as you can in Plan 9/Inferno) then I'd say it qualifies.

When you create a child process, you can clone your namespace or you can construct a new one for the child.

(Disclosure: I wrote the doc linked above.)

Thanks. How about virtualization? Using an example from the doc, if your child process accesses "/dev/class/framebuffer", can you intercept its communications? Can a process create a custom sandbox and run, say, AppMgr with limited permission to limit the permissions of all apps it manages?

> Using an example from the doc, if your child process accesses "/dev/class/framebuffer", can you intercept its communications?

Yes. When creating the namespace for the child, the parent can map names to what whatever communication channels it chooses. If the parent wants to interpose on the child's access to "/dev/class/framebuffer", the parent could map that name to a channel that leads back to the parent.

> Can a process create a custom sandbox and run, say, AppMgr with limited permission to limit the permissions of all apps it manages?

Yes. That's useful for testing as well as for sandboxing.

Thank you for taking the time to reply, despite the sea of low quality comments on this HN thread.

Appreciate your your answers. This makes Fuchsia quite interesting to me.

Someone told me there were ex-devs of QNX microkernel doing Google's. Is that true?

Not sure about QNX, but the lead developers are ex Be, Danger, Palm and Apple.

Thanks for that clarification. That is an interesting mix.

As for QNX, one of its founders, Dan Dodge, is now at Apple.

In Unix, rights - even POSIX "cpabilities" - belong to the process. In Magenta, the rights are attached to the handle.