This example employs a secure development pattern that separates data streams related to file system use from data streams related to the use of a network stack.
The Client
process uses file systems and the network stack. The VfsFirst
process works with file systems, and the VfsSecond
process provides the capability to work with the network stack. The environment variables of programs that run in the contexts of the Client
, VfsFirst
and VfsSecond
processes are used to define the VFS backends that ensure the segregated use of file systems and the network stack. As a result, IPC requests of the Client
process that are related to the use of file systems are handled by the VfsFirst
process, and IPC requests of the Client
process that are related to network stack use are handled by the VfsSecond
process (see the figure below).
Process interaction scenario
Init description of the example:
init.yaml
entities:
- name: Client
connections:
- target: VfsFirst
id: VFS1
- target: VfsSecond
id: VFS2
env:
_VFS_FILESYSTEM_BACKEND: client:VFS1
_VFS_NETWORK_BACKEND: client:VFS2
- name: VfsFirst
env:
_VFS_FILESYSTEM_BACKEND: server:VFS1
- name: VfsSecond
env:
_VFS_NETWORK_BACKEND: server:VFS2
Page top