Segmented VFS: Is this a good design?
Posted: Sat Mar 11, 2023 2:15 pm
Hello. As you all know, there is a notable difference between how Windows and Linux approach VFS. One uses drive letters, and the other puts everything under a single root directory. Lately, I've been thinking of a potential design for my OS that is a mixture of the two; and was partly inspired by x86 segmentation.
Here is what I am thinking. Firstly, there will be linear pathnames which work similarly to Linux. E.g. /Homes/User1/My File.txt
These will be used internally by the VFS; and won't be exposed directly to applications.
Then there are segmented pathnames, which are exposed to the applications. They look like Windows pathnames, but the drive letter is replaced by a segment name. E.g. User1:/My File.txt
A special segment can be used to allow applications to access linear pathnames; e.g. Linear:/Homes/User1/My File.txt
Upon receiving the segmented pathname, VFS will first start by searching for the segment among a list of segments. The segment will simply match with a directory in the linear pathname, and that will be concatenated with the rest of the pathname. Now that it has the linear pathname, it will search for the mount that contains the file, possibly via a list of mount points or a node tree. Finally, it will pass the request to the correct filesystem driver.
Here's what I intend to do with this system:
1) Have a simple permission system: In this system, User1 may only be allowed to access User1:/ segment, while User2 would only be allowed to access User2:/ segment. This is simple enough to implement. Obviously, ACLs are much better, but those sound a bit complicated at this stage (I need to use a filesystem that supports ACLs). Once my OS reaches maturity, I plan to add support for ACLs, then I have two permission systems
2) Have near pathnames: Consider the following pathname, /src/code.c, this could be a near pathname. Depending on the current working segment, it could be My Project:/src/code.c or Your Project:/src/code.c
I think these could be useful, maybe with stuff like symlinks, or some applications.
3) Make a user-friendly file explorer without sacrificing utility for advanced users: For example, one thing I want to do is; if the user loads their home directory, instead of showing all the stuff there as is (which could contain directories like Desktop, Documents, or Downloads), I could show a special stripped down interface that's more accessible. However, this may annoy advanced users who want to see their files directly. Here's how I could solve this problem with the above VFS: If a user explores their home segment (e.g. User1:/), show the simplified UI. If they explore the linear segment, or some other segment (e.g. Linear:/Homes/User1/); show the advanced UI.
EDIT: After thinking a bit more, choosing between simple and advanced views by segment might be a bad idea. What if User1 doesn't have permission to access Linear:/ segment?
There could also be a prompt for accessing certain segments, such as Linear:/ or System:/. Something like: You are trying to access a protected segment. Messing with such a segment could potentially damage your system. It is recommended to turn back. Continue anyway? (Yes/No) ...Ok, I should try to rephrase that later, I don't think it came out good
4) Possibly have process-local segments: A segment like AppData:/ could resolve to different linear pathnames depending on the process. For this to work, AppData:/ would have to be a process-local segment. I want to prevent untrusted applications from accessing anything but their own data without permissions. This can be done by restricting access to global segments, and instead having special local segments for the processes to use. For example; AppFiles:/ for accessing their own installed files, AppData:/ for accessing a special directory where the application can save stuff, and Temp:/ for accessing a directory that will be deleted when the process is shut down.
There will be some need for shared segments. For example, say I have the following 3 processes:
In this situation:
1) All of these processes should share AppData:/
2) MyGameMapEditor.exe (1) and MyGameMapEditor.exe (2) should share AppFiles:/
3) All three processes should have their own local Temp:/
Global segments could be implemented as local segments that are shared by every process upon startup. Haven't decided on that yet.
So yeah, that's my VFS design. I haven't committed to it yet though. I am looking for advice. Would you recommend me to continue with this system? Are there any potential traps I should watch out for? And what are the ways I can improve this?
Here is what I am thinking. Firstly, there will be linear pathnames which work similarly to Linux. E.g. /Homes/User1/My File.txt
These will be used internally by the VFS; and won't be exposed directly to applications.
Then there are segmented pathnames, which are exposed to the applications. They look like Windows pathnames, but the drive letter is replaced by a segment name. E.g. User1:/My File.txt
A special segment can be used to allow applications to access linear pathnames; e.g. Linear:/Homes/User1/My File.txt
Upon receiving the segmented pathname, VFS will first start by searching for the segment among a list of segments. The segment will simply match with a directory in the linear pathname, and that will be concatenated with the rest of the pathname. Now that it has the linear pathname, it will search for the mount that contains the file, possibly via a list of mount points or a node tree. Finally, it will pass the request to the correct filesystem driver.
Here's what I intend to do with this system:
1) Have a simple permission system: In this system, User1 may only be allowed to access User1:/ segment, while User2 would only be allowed to access User2:/ segment. This is simple enough to implement. Obviously, ACLs are much better, but those sound a bit complicated at this stage (I need to use a filesystem that supports ACLs). Once my OS reaches maturity, I plan to add support for ACLs, then I have two permission systems
2) Have near pathnames: Consider the following pathname, /src/code.c, this could be a near pathname. Depending on the current working segment, it could be My Project:/src/code.c or Your Project:/src/code.c
I think these could be useful, maybe with stuff like symlinks, or some applications.
3) Make a user-friendly file explorer without sacrificing utility for advanced users: For example, one thing I want to do is; if the user loads their home directory, instead of showing all the stuff there as is (which could contain directories like Desktop, Documents, or Downloads), I could show a special stripped down interface that's more accessible. However, this may annoy advanced users who want to see their files directly. Here's how I could solve this problem with the above VFS: If a user explores their home segment (e.g. User1:/), show the simplified UI. If they explore the linear segment, or some other segment (e.g. Linear:/Homes/User1/); show the advanced UI.
EDIT: After thinking a bit more, choosing between simple and advanced views by segment might be a bad idea. What if User1 doesn't have permission to access Linear:/ segment?
There could also be a prompt for accessing certain segments, such as Linear:/ or System:/. Something like: You are trying to access a protected segment. Messing with such a segment could potentially damage your system. It is recommended to turn back. Continue anyway? (Yes/No) ...Ok, I should try to rephrase that later, I don't think it came out good
4) Possibly have process-local segments: A segment like AppData:/ could resolve to different linear pathnames depending on the process. For this to work, AppData:/ would have to be a process-local segment. I want to prevent untrusted applications from accessing anything but their own data without permissions. This can be done by restricting access to global segments, and instead having special local segments for the processes to use. For example; AppFiles:/ for accessing their own installed files, AppData:/ for accessing a special directory where the application can save stuff, and Temp:/ for accessing a directory that will be deleted when the process is shut down.
There will be some need for shared segments. For example, say I have the following 3 processes:
- MyGame.exe
- MyGameMapEditor.exe (1)
- MyGameMapEditor.exe (2)
In this situation:
1) All of these processes should share AppData:/
2) MyGameMapEditor.exe (1) and MyGameMapEditor.exe (2) should share AppFiles:/
3) All three processes should have their own local Temp:/
Global segments could be implemented as local segments that are shared by every process upon startup. Haven't decided on that yet.
So yeah, that's my VFS design. I haven't committed to it yet though. I am looking for advice. Would you recommend me to continue with this system? Are there any potential traps I should watch out for? And what are the ways I can improve this?