System administrators who are serious about minimizing the consequences of a process being compromised by an attack currently engage in a painfully labor-intensive procedure: creating a tree with all of the files the process needs to run, and then chrooting the process to that tree. This procedure is so painful that most administrators don't do it. We will make it easy. We will make it easy by:

* containing processes in filesystem views, which are a more powerful expression of chroot
* making it trivial to automatically assemble a list of all accesses a monitored process makes (a "viewprint")
* creating that list in the same format as the specification of a view that can access only those files
* creating a mechanism that lets administrators optionally be prompted when a process tries to exceed its viewprint, so that they can amend the viewprint or be alerted to danger
* creating a moderated website and mailing list for sharing view specifications
* pushing view specifications to package maintainers and Linux distributors
* encouraging distributors to isolate every process they can into views by default, by making it easy to do and an important sales bullet item
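The viewprint idea above can be sketched in user space. This is an added example, not code from the original page or the project it describes: it builds a viewprint from a monitored run and reports accesses in a later run that exceed it. The strace-style lines are constructed, the function names are hypothetical, and the one-entry-per-line "mode path" format is an assumption, since the page does not define the view specification format.

```python
import re

# Constructed strace-style lines (not from the original page) for a
# hypothetical daemon: one monitored learning run and one later run.
LEARNING_TRACE = """\
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/exampled.conf", O_RDONLY) = 4
openat(AT_FDCWD, "/var/log/exampled.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 5
openat(AT_FDCWD, "/etc/exampled.local", O_RDONLY) = -1 ENOENT (No such file or directory)
"""
LATER_TRACE = """\
openat(AT_FDCWD, "/etc/exampled.conf", O_RDONLY) = 4
openat(AT_FDCWD, "/etc/exampled.conf", O_WRONLY|O_TRUNC) = 4
openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
openat(AT_FDCWD, "/var/log/exampled.log", O_WRONLY|O_CREAT|O_APPEND, 0644) = 5
"""

OPEN_RE = re.compile(r'^open(?:at)?\((?:AT_FDCWD, )?"([^"]+)", ([A-Z_|]+)')

def accesses(trace):
    """Yield (path, mode) for every open attempt, failed ones included,
    because an attempt is still an access the process made."""
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if m:
            flags = m.group(2).split("|")
            mode = "rw" if "O_RDWR" in flags else "w" if "O_WRONLY" in flags else "r"
            yield m.group(1), mode

def build_viewprint(trace):
    """Map each path the monitored process touched to the modes it used."""
    viewprint = {}
    for path, mode in accesses(trace):
        viewprint.setdefault(path, set()).update(mode)
    return viewprint

def format_viewprint(viewprint):
    """Render the viewprint in the assumed 'mode path' specification format."""
    return "\n".join(f"{''.join(sorted(m))} {p}" for p, m in sorted(viewprint.items()))

def exceeds(viewprint, trace):
    """Return (path, missing_modes) for each access outside the viewprint;
    these are the events an administrator would be prompted about."""
    alerts = []
    for path, mode in accesses(trace):
        missing = set(mode) - viewprint.get(path, set())
        if missing:
            alerts.append((path, "".join(sorted(missing))))
    return alerts
```

Each alert is a candidate for either amending the viewprint or treating the access as a sign of compromise, which is the decision the prompting mechanism hands to the administrator.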