Process silos
Process Silos are process-bound confinement combined with namespace isolation — the kernel primitive Peios uses to give a process group a unified identity, a declared capability set, and an isolated view of the system.
Concept: Namespaces are Peios kernel objects that isolate specific kinds of system view — process tree, network stack, filesystem mounts, and more. Each namespace is a first-class principal with its own SID, participates in AccessCheck, and forms the visibility substrate that Process Silos build on.
How-to: Inspecting silo membership, granting siloed processes access to resources, and diagnosing silo-related access denials.
Concept: How Process Silos and Namespaces appear to unmodified Linux applications — the legacy syscall surface, the inode-based namespace identity Linux apps see, and the rejection of Linux user namespaces.