Portions of a file system are temporarily isolated for
the purpose of running a set of processes, so as to attempt to limit access by
those processes to that subset of the file system. Examples include:
the Unix chroot environment,
mandatory access controls in POset configurations, and
VMs' virtual disks.
Complexity: Implementing this functionality is not very
difficult, but attempts to implement it so that it cannot be bypassed under any
conditions have so far been unsuccessful. There appears to be no fundamental
reason that this cannot be done, but in practice, interaction with other
portions of the system is almost always required, for example in order to
perform input and output, to afford interprocess communication, and to use
commonly available system libraries.
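As an added illustration, not part of the original entry, the following Python audit walks a chroot-style jail tree and inventories exactly the interaction points the entry names: device nodes (I/O), sockets and FIFOs (IPC), shared libraries, set-id binaries, and files hard-linked to the host. The sample jail it audits is constructed in a temporary directory; no real system paths are assumed.

```python
"""Static audit of a chroot-style jail for points of interaction with the rest
of the system.  Each finding is a (category, path-relative-to-jail) pair."""
import os
import stat
import tempfile


def audit_jail(root):
    """Walk the jail without following symlinks and classify every entry."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            m = st.st_mode
            if stat.S_ISCHR(m) or stat.S_ISBLK(m):
                findings.append(("device", rel))        # raw I/O into the host
            elif stat.S_ISSOCK(m) or stat.S_ISFIFO(m):
                findings.append(("ipc", rel))           # interprocess channel
            elif stat.S_ISREG(m):
                if m & (stat.S_ISUID | stat.S_ISGID):
                    findings.append(("setid", rel))     # runs with other privileges
                if ".so" in name:
                    findings.append(("library", rel))   # shared system library
                if st.st_nlink > 1:
                    findings.append(("hardlink", rel))  # inode also reachable outside
    return findings


def build_sample_jail():
    """Constructed sample jail (not a real system); returns its root path."""
    base = tempfile.mkdtemp(prefix="jail-audit-")
    root = os.path.join(base, "jail")
    for d in ("bin", "lib", "dev", "run"):
        os.makedirs(os.path.join(root, d))
    sh = os.path.join(root, "bin", "sh")
    with open(sh, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(sh, 0o4755)                                 # setuid shell
    with open(os.path.join(root, "lib", "libc.so.6"), "w"):
        pass                                             # placeholder library
    os.mkfifo(os.path.join(root, "run", "ctl.fifo"))     # IPC endpoint
    outside = os.path.join(base, "host-file")            # lives outside the jail
    with open(outside, "w") as f:
        f.write("outside the jail\n")
    os.link(outside, os.path.join(root, "dev", "shared"))  # shares host inode
    return root


if __name__ == "__main__":
    for category, rel in sorted(audit_jail(build_sample_jail())):
        print(f"{category:9} {rel}")
```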
fc@red.a.net