CloudABI
Posted Feb 11, 2016 11:38 UTC (Thu) by drysdale (guest, #95971)
Parent article: CloudABI
> ...
> Capsicum restrictions are not normally enforced until the cap_enter() call.
One clarification -- turning off a collection of system calls is only one part of Capsicum (the part called 'capability mode', which happens on cap_enter()).
> If a process holds a file descriptor, then it is capable of doing various things to the file (or other object) attached.
The other major part of Capsicum is allowing fine-grained controls (called 'rights') for exactly what things can be done with an individual file descriptor -- and these rights are policed even before cap_enter(). This allows a capability file descriptor to be tightly restricted (e.g. to be made truly read-only), making it much safer to then pass that descriptor to another process.
The two parts work in combination because capability mode prevents an attacker minting new file descriptors to get around the rights restrictions applied to any existing capability file descriptors.
Thanks for the article!
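The two Capsicum parts described in the comment above, as an added example that is not part of the comment or of CloudABI: a descriptor is limited to read-only rights and rejects a write() before cap_enter(), and after cap_enter() the process can no longer open() a path to mint an unrestricted descriptor. It assumes a FreeBSD host with sys/capsicum.h; the scratch file, the result codes and the function names are constructed for this example, and on other systems the Capsicum calls are compiled out and the function reports CAPSICUM_UNAVAILABLE.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#endif

enum demo_result {
    DEMO_OK = 0,
    DEMO_SETUP_FAILED = 1,          /* scratch file or limit call failed */
    DEMO_RIGHTS_NOT_ENFORCED = 2,   /* write() succeeded on a CAP_READ fd */
    DEMO_CAPMODE_NOT_ENFORCED = 3,  /* open() succeeded in capability mode */
    CAPSICUM_UNAVAILABLE = -1       /* not built on FreeBSD */
};

/* Runs both checks in the calling process. After cap_enter() the process
 * stays in capability mode, so call this last (or from a child). */
int capsicum_demo(void)
{
#ifdef __FreeBSD__
    char path[] = "/tmp/capsicum_demo.XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(path);
    if (fd < 0)
        return DEMO_SETUP_FAILED;
    unlink(path);

    /* Part one: restrict this descriptor to read-only rights. The kernel
     * polices these rights immediately, with no cap_enter() involved. */
    cap_rights_t rights;
    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);
    if (cap_rights_limit(fd, &rights) < 0)
        return DEMO_SETUP_FAILED;
    if (write(fd, "x", 1) != -1 || errno != ENOTCAPABLE)
        return DEMO_RIGHTS_NOT_ENFORCED;

    /* Part two: capability mode closes the global namespaces, so no new,
     * unrestricted descriptor can be obtained by path. */
    if (cap_enter() < 0)
        return DEMO_SETUP_FAILED;
    if (open("/etc/passwd", O_RDONLY) != -1 || errno != ECAPMODE)
        return DEMO_CAPMODE_NOT_ENFORCED;
    close(fd);
    return DEMO_OK;
#else
    return CAPSICUM_UNAVAILABLE;
#endif
}

int main(void)
{
    int r = capsicum_demo();
    printf("capsicum_demo result: %d (0 = both checks held)\n", r);
    return r == DEMO_OK ? 0 : 1;
}
```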
