A sub-user id is associated with all incoming objects (so the
application must do this?). This id is saved in the inode
of the file holding the object.
Figure 4 shows such objects "logging in" to the system, much as users log in to a system.
Sub-user ids are assigned either by the application or by a proxy in front of the application.
SubOS does sandboxing in the kernel:
- open() modified to copy sub-user id from inode to process structure
- fork() and exec() modified to inherit sub-id
- creat() modified to create new files with sub-id
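
The three kernel changes above can be followed in a small user-space model. This is an added example, not SubOS code: the struct layouts, the model_* names, the NO_SUBID value and the rule that an untagged file leaves the process unchanged are all assumptions made for illustration.

```c
#include <stdio.h>

#define NO_SUBID 0u  /* assumption: 0 means "no sub-user id assigned" */

struct inode { unsigned sub_id; };               /* per-file tag kept in the inode */
struct proc  { unsigned uid; unsigned sub_id; }; /* per-process copy of the tag */

/* The application or proxy tags an incoming object when it arrives. */
void tag_incoming(struct inode *ino, unsigned sub_id) { ino->sub_id = sub_id; }

/* open(): copy the sub-user id from the inode into the process structure. */
void model_open(struct proc *p, const struct inode *ino) {
    if (ino->sub_id != NO_SUBID)   /* assumption: untagged files leave p as is */
        p->sub_id = ino->sub_id;
}

/* fork()/exec(): the child or the new image inherits the sub-id. */
struct proc model_fork(const struct proc *parent) { return *parent; }

/* creat(): a new file is created carrying the creator's sub-id. */
struct inode model_creat(const struct proc *p) {
    struct inode ino = { p->sub_id };
    return ino;
}

/* Walk one object through the system and return the sub-id found on a file
   written by a grandchild of the process that opened the object. */
unsigned trace_object(unsigned incoming_id) {
    struct inode attachment = { NO_SUBID };
    struct proc viewer = { 1000, NO_SUBID };     /* constructed sample user */
    tag_incoming(&attachment, incoming_id);
    model_open(&viewer, &attachment);            /* viewer is now restricted */
    struct proc helper = model_fork(&viewer);    /* restriction follows children */
    struct proc grandchild = model_fork(&helper);
    struct inode dropped = model_creat(&grandchild);
    return dropped.sub_id;                       /* output stays attributable */
}

int main(void) {
    printf("file created downstream carries sub-id %u\n", trace_object(42));
    return 0;
}
```

The point of the model is that the tag cannot be shed by spawning helpers or writing a new file: every process and file derived from the object still carries the same sub-id.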