Plash is a restricted execution environment for running Linux programs with the minimum privileges they need. It is similar to a chroot jail, but more lightweight and flexible: Plash lets you grant a process read-only or read-write access to specific files and directories, and each of these can be mapped at any point in the process's filesystem namespace.
Plash provides three interfaces:
pola-run, a command-line tool for starting a program with a subset of the calling process's authority.
The Plash shell, which has a syntax similar to the Bourne shell or Bash. Unlike Bash, it distinguishes between string arguments and file arguments, because it needs to know which files to grant to the program being invoked. By default the shell grants only read-only access to the files and directories named on the command line; there is extra syntax for granting read-write-create access.
The Plash shell has a compact syntax and is intended for interactive use. In contrast, pola-run has a more verbose syntax which is intended to be used from Bash scripts and other programs.
run-emacs is a tool for running XEmacs and then dynamically granting it access to individual files and directories. In the future, this functionality will be generalised to be available for other GUI programs.
The Plash execution environment doesn't require a modified Linux kernel -- it uses chroot() and UIDs. It works with existing Linux executables, provided they are dynamically linked, because the filesystem virtualisation is implemented in a modified version of GNU libc rather than in the kernel; statically linked programs bypass that libc and so are not supported.
Plash virtualizes the filesystem. When a process wants to open a file, its (modified) libc sends a request naming the file over a socket to a file server; if the server grants the request, it opens the file on the process's behalf and passes the resulting file descriptor back across the socket. Performance is usually unaffected, because the most frequently used system calls (such as read() and write()) operate directly on kernel-level file descriptors as before; only the pathname-based request itself costs a round trip to the server.
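The following is an added example, not Plash's own code, showing the open-request protocol just described in its smallest form: a "client" sends a pathname over a Unix-domain socket, a "server" checks it against the one directory it has been granted, opens the file itself and passes the descriptor back with SCM_RIGHTS, and the client then calls read() on that kernel-level descriptor directly. The message format (one status byte, descriptor attached only on success), the prefix-based allow-list check and every function name are assumptions made for this example; Plash's real wire protocol and file server are not shown here.

```c
#define _GNU_SOURCE                     /* realpath(), mkdtemp(), mkstemp() */
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Reply = one status byte; an open descriptor is attached via SCM_RIGHTS only when status is 'O'. */
static int send_reply(int sock, char status, int fd)
{
    struct iovec iov = { .iov_base = &status, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1 };
    char cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    if (fd >= 0) {
        msg.msg_control = cbuf;
        msg.msg_controllen = sizeof cbuf;
        struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
        cm->cmsg_level = SOL_SOCKET;
        cm->cmsg_type = SCM_RIGHTS;
        cm->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Client side of the reply: returns the passed descriptor, or -1 if the server refused. */
static int recv_reply(int sock)
{
    char status, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = &status, .iov_len = 1 };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                         .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    int fd;
    if (recvmsg(sock, &msg, 0) != 1 || status != 'O') return -1;
    struct cmsghdr *cm = CMSG_FIRSTHDR(&msg);
    if (!cm || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS) return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* Server side: canonicalise the requested path with realpath() so ".." and symlinks are
 * resolved before the check, then open it only if it lies strictly inside granted_dir. */
static int serve_open(int sock, const char *granted_dir)
{
    char req[PATH_MAX], real[PATH_MAX], base[PATH_MAX];
    int fd;
    ssize_t n = read(sock, req, sizeof req - 1);
    if (n <= 0) return -1;
    req[n] = '\0';
    if (!realpath(granted_dir, base) || !realpath(req, real)) return send_reply(sock, 'E', -1);
    size_t blen = strlen(base);                 /* inside means: base, then '/', then something */
    if (strncmp(real, base, blen) != 0 || real[blen] != '/' || (fd = open(real, O_RDONLY)) < 0)
        return send_reply(sock, 'E', -1);       /* refused: no descriptor crosses the socket */
    int rc = send_reply(sock, 'O', fd);
    close(fd);                                  /* the client now holds its own reference */
    return rc;
}

/* Client side: send the path, collect the descriptor, then use plain read() on it.  Both ends
 * share one process and a socketpair here for demonstration only.  Returns bytes read or -1. */
static ssize_t sandboxed_read(const char *granted_dir, const char *path, char *out, size_t cap)
{
    int sv[2], fd;
    ssize_t got = -1, len = (ssize_t)strlen(path);
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (write(sv[0], path, len) == len && serve_open(sv[1], granted_dir) == 0 &&
        (fd = recv_reply(sv[0])) >= 0) {
        got = read(fd, out, cap - 1);           /* ordinary kernel descriptor from here on */
        if (got >= 0) out[got] = '\0';
        close(fd);
    }
    close(sv[0]); close(sv[1]);
    return got;
}

/* Constructed scenario: notes.txt inside a granted directory, a secret file outside it, and a
 * ".." request that reaches the secret through the granted directory.  Returns 0 when every
 * decision is as expected, otherwise the number of the failed check. */
static int run_demo(void)
{
    char in_dir[] = "/tmp/plash-demo-XXXXXX", secret[] = "/tmp/plash-secret-XXXXXX";
    char ok_file[PATH_MAX], escape[PATH_MAX], buf[64];
    int fd, rc = 0;
    if (!mkdtemp(in_dir) || (fd = mkstemp(secret)) < 0 || write(fd, "top secret\n", 11) != 11) return 1;
    close(fd);
    snprintf(ok_file, sizeof ok_file, "%s/notes.txt", in_dir);
    snprintf(escape, sizeof escape, "%s/../..%s", in_dir, secret);   /* resolves to secret */
    if ((fd = open(ok_file, O_WRONLY | O_CREAT, 0600)) < 0 || write(fd, "hello\n", 6) != 6) return 2;
    close(fd);
    if (sandboxed_read(in_dir, ok_file, buf, sizeof buf) != 6 || strcmp(buf, "hello\n")) rc = 3; /* inside: readable */
    else if (sandboxed_read(in_dir, secret, buf, sizeof buf) != -1) rc = 4;   /* outside: refused */
    else if (sandboxed_read(in_dir, escape, buf, sizeof buf) != -1) rc = 5;   /* ".." escape: refused */
    unlink(ok_file); unlink(secret); rmdir(in_dir);
    return rc;
}

int main(void) { int rc = run_demo(); printf("run_demo() returned %d (0 = all checks passed)\n", rc); return rc; }
```

Two things worth noticing. First, the security decision is made on the resolved pathname, not on the string the client sent, which is why the ".." request is refused even though it starts with the granted directory. Second, realpath() followed by open() is still a check-then-use sequence: if anyone able to rename directories under the granted tree raced the two calls, the server could open something other than what it checked, so a production file server would walk the path component by component with openat() and O_NOFOLLOW (or verify the opened descriptor after the fact) rather than trusting a pathname twice. This example also handles only open(); a libc that virtualises the whole filesystem has to route every other pathname-based call (stat(), unlink(), mkdir() and so on) through the same server, while descriptor-based calls such as read() and write() keep going straight to the kernel.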