Hi Alexander,
I want to integrate Genode + low level OS (e.g. nova or sel4) to be integrated with existing environments related to containers. Most of this things do assume some kind of per-user control.
may be I can ask my question in different format - what is the best way of such integration??
That is a question I don't have a satisfying answer for at the moment. What I understand from your explanations is that you want to have some sort of user authentication by which the docker engine decides what permissions the user gets for starting containers. In other words the user's permissions determine the view the user gets on a shared file system.
I believe I would approach it in a way that maps users to File_system sessions. This will not be a direct translation of file-based ACLs though but it will allow having multiple users sharing a certain directory. A container may also open multiple File_system sessions for different users by which you should be able to control access permissions on the file system. Yet, I have no particular idea at the moment on how a chmod/chown done by a container can be emulated with this approach since it would need to modify the session policies of the VFS server.
By the way, I recommend you have a look at Martin's article series about the VFS: http://genodians.org/m-stein/2021-06-21-vfs-1
Cheers Johannes