Skip to content

v0.0.5

Choose a tag to compare

@lgutschow lgutschow released this 24 Jun 03:57

Release v0.0.5

Builds on v0.0.4. This release is a security-and-fidelity pass: it tightens
the kernel's most sensitive edges and fills in the system-call behaviors
real-world software relies on — far enough that a standard container runtime
now starts a container end to end and the kernel boots an unmodified
distribution to an interactive shell.

  • Hardened security-sensitive edges. Returning from a signal can no longer be
    used to hand a program elevated processor flags, and the two signals that
    must never be caught or ignored now always take effect. Memory-management
    arithmetic is bounds-checked and overflow-checked even in release builds, a
    reference-count lifetime hazard is closed, and a program's privileges are
    recomputed correctly when it replaces its own image. Socket address lengths
    are clamped to what the caller passed, a shared-memory attach race is closed,
    and the priority-inheritance and debugger paths now go through the engine's
    own entry points.

  • Real in-memory file sealing. A program can seal an anonymous in-memory file
    against growth, shrinking, or further writes, and those seals are enforced —
    including against a later attempt to regain write access through a mapping.

  • Faithful memory remapping. Remapping a mapped file or shared region now moves
    and resizes it correctly, including a fixed-address move and a partial
    sub-range of a shared segment.

  • Real mount semantics. Read-only, no-setuid, no-device, and no-exec are
    enforced per mount and can be changed by remounting; remounting a bind mount
    applies the new flags to the right mount; and the filesystem-statistics call
    reports a mount's flags, so software that checks whether it sits on a
    read-only mount reads the truth. Each mount namespace carries its own mount
    flags, so a change in one namespace cannot alter another's.

  • Correct rename and open semantics. Rename honors its no-replace, exchange,
    and directory-cycle rules; renaming across filesystems reports the right
    error; overwriting rename — on disk and across directories — is correct and
    atomic; opening a non-directory as a directory, or a directory for writing,
    fails the way callers expect; and truncate-on-open only truncates regular
    files, so redirecting output into a device works.

  • Faithful executable identity. A process's own executable stays openable
    through the process filesystem even after it re-executes itself from an
    open file descriptor with no backing path, while still reporting that path
    when asked — the startup pattern security-conscious runtimes use to protect
    themselves from tampering.

  • Runs real container workloads. With the above in place, a standard container
    runtime sets up and runs a container to completion, and the kernel boots an
    unmodified distribution through its init system to an interactive shell. The
    conformance suite — real applications booted under the kernel — passes in
    full.

See README.md for what runs today, and docs/ for the architecture, the
verification recipe, and the clean-room policy.