new_s_context (int ctx)
This system call sets a new security context for the
current process. It will be inherited by all child
processes. The security context is just an id, but
the system call makes sure a new unused one is allocated.
A process can only see other processes sharing the
same security context. When the system boots, the
original security context is 0, but this one is not
privileged in any way. Processes that are members of
security context 0 can only interact with (and see)
processes that are members of context 0.
This system call isolates the process space.
set_ipv4root(unsigned long ip)
This system call locks the process (and its children)
into using a single IP when they communicate and when
they install a service. This system call is one-shot.
Once a process has set its IPV4 (Internet Protocol
Version 4) address to something different from 0.0.0.0,
it can't change it anymore. Children can't change it either.
If a process tries to bind a specific IP number, it will
succeed only if this corresponds to the ipv4root (if
different from 0.0.0.0). If the process binds to any
address, it will get the ipv4root.
Basically, once a process is locked to a given ipv4root,
it is forced to use this IP address to establish a service
and communicate. The restriction on services is handy:
most services (Web servers, SQL servers) bind to
address 0.0.0.0. With the ipv4root set to a given IP,
you can have two virtual servers using the exact same
general/vanilla configuration for a given service
and running without any conflict.
This system call isolates the IP network space.
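
The bind rules above, written out as a small user-space model. This is an
added example, not code from the kernel patch; the model_* names, the -1
return values and the 192.0.2.x addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model of the per-process state; names are hypothetical. */
struct proc_model {
    uint32_t ipv4root;   /* 0 means 0.0.0.0, i.e. not locked */
};

#define IP(a, b, c, d) ((uint32_t)(a) << 24 | (uint32_t)(b) << 16 | (uint32_t)(c) << 8 | (uint32_t)(d))
#define ANY_ADDR 0u      /* 0.0.0.0 */

/* One-shot: succeeds only while the process is still unlocked. */
int model_set_ipv4root(struct proc_model *p, uint32_t ip)
{
    if (p->ipv4root != ANY_ADDR)
        return -1;       /* already locked; the error value is an assumption */
    p->ipv4root = ip;
    return 0;
}

/* Children inherit the parent's ipv4root, lock included. */
struct proc_model model_fork(const struct proc_model *parent) { return *parent; }

/* Decide the address a bind request ends up on.
 * Returns 0 and stores the effective address, or -1 if refused. */
int model_bind(const struct proc_model *p, uint32_t requested, uint32_t *effective)
{
    if (p->ipv4root == ANY_ADDR) {       /* unlocked: request honoured as-is */
        *effective = requested;
        return 0;
    }
    if (requested == ANY_ADDR || requested == p->ipv4root) {
        *effective = p->ipv4root;        /* wildcard narrowed to the locked IP */
        return 0;
    }
    return -1;                           /* a different specific IP: refused */
}

int main(void)
{
    struct proc_model a = {0}, b = {0};  /* two virtual servers */
    uint32_t ea = 0, eb = 0;
    model_set_ipv4root(&a, IP(192, 0, 2, 10));   /* constructed addresses */
    model_set_ipv4root(&b, IP(192, 0, 2, 11));
    if (model_bind(&a, ANY_ADDR, &ea) || model_bind(&b, ANY_ADDR, &eb))
        return 1;
    printf("a binds %08x, b binds %08x\n", (unsigned)ea, (unsigned)eb);
    return 0;
}
```

Both servers ask for 0.0.0.0 with the same configuration and end up on
different addresses, which is why they do not conflict.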