diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..faeb151
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,42 @@
+# Security
+
+Part of the design philosophy that drives my inspiration for Gila is the idea of creating a new, fast, and safe kernel with security as a central focus. Kernels such as Linux, Mach, and NT have been around for too long to work perfectly with today's system security model. Gila is brand-new, and built almost exclusively in Rust for the utmost memory safety.
+
+## Goals
+
+- Distrustful by default
+- Small, simple, and transparent
+- Performant
+- Capability based
+- Highly isolated
+
+## Gila's security model
+
+### Microkernel architecture
+
+Gila is a microkernel. Only the most important functionality runs at Ring 0 (Protected Mode) to reduce attack surface. This functionality includes:
+
+- Modifying and reading kernel configurations
+- Process creation and destruction
+- Scheduling
+- Memory allocation and management
+- Inter-process communication
+- Hardware communication interfaces
+
+User processes perform complex functionality by interacting with server processes. Servers perform many different things:
+
+- PCI(e)
+- USB
+- Security policy
+- Filesystems
+- Logins
+
+A user process can be registered as a server by any process with the `ServerRegister` capability. The kernel takes the process's ID and a functionality type as arguments to the registration function. Registering is important, because it allows processes to discover the PIDs of server processes for IPC.
+
+### Capabilities
+
+Every process in Gila has a set of capabilities. These capabilities define the ways it may interact with the kernel's limited functions, and do not govern what it can do with any other userspace process.
+
+### Access control
+
+Access control will be accomplished by means of a "policy server" process, which is registered as a system server by the init process, and is given the authority (by means of its registration with the kernel being readable) to allow or deny specific resource accesses. The relevant server will submit the PID of the requesting process & the resource it desires to the security server, which will check the request against the process's rights, and return a verdict to the issuing server.
diff --git a/src/kernel/arch/aarch64/asm.rs b/src/kernel/arch/aarch64/asm.rs
index 9336dd4..d763d5a 100644
--- a/src/kernel/arch/aarch64/asm.rs
+++ b/src/kernel/arch/aarch64/asm.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use core::arch::asm;
 #[allow(clippy::missing_safety_doc)]
diff --git a/src/kernel/arch/aarch64/display.rs b/src/kernel/arch/aarch64/display.rs
index 8b13789..b3313e9 100644
--- a/src/kernel/arch/aarch64/display.rs
+++ b/src/kernel/arch/aarch64/display.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/src/kernel/arch/aarch64/mod.rs b/src/kernel/arch/aarch64/mod.rs
index 0bc4595..3a68cc2 100644
--- a/src/kernel/arch/aarch64/mod.rs
+++ b/src/kernel/arch/aarch64/mod.rs
@@ -1,2 +1,5 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 pub mod asm;
 pub mod display;
diff --git a/src/kernel/arch/loongarch64/asm.rs b/src/kernel/arch/loongarch64/asm.rs
index 697d651..eab1ce9 100644
--- a/src/kernel/arch/loongarch64/asm.rs
+++ b/src/kernel/arch/loongarch64/asm.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use core::arch::asm;
 #[allow(clippy::missing_safety_doc)]
diff --git a/src/kernel/arch/loongarch64/display.rs b/src/kernel/arch/loongarch64/display.rs
index 8b13789..b3313e9 100644
--- a/src/kernel/arch/loongarch64/display.rs
+++ b/src/kernel/arch/loongarch64/display.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/src/kernel/arch/loongarch64/mod.rs b/src/kernel/arch/loongarch64/mod.rs
index 0bc4595..3a68cc2 100644
--- a/src/kernel/arch/loongarch64/mod.rs
+++ b/src/kernel/arch/loongarch64/mod.rs
@@ -1,2 +1,5 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 pub mod asm;
 pub mod display;
diff --git a/src/kernel/arch/mod.rs b/src/kernel/arch/mod.rs
index a92bb82..4973b91 100644
--- a/src/kernel/arch/mod.rs
+++ b/src/kernel/arch/mod.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #[cfg(target_arch = "x86_64")]
 pub mod x86_64;
 #[cfg(target_arch = "x86_64")]
diff --git a/src/kernel/arch/riscv64/asm.rs b/src/kernel/arch/riscv64/asm.rs
index 9336dd4..d763d5a 100644
--- a/src/kernel/arch/riscv64/asm.rs
+++ b/src/kernel/arch/riscv64/asm.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use core::arch::asm;
 #[allow(clippy::missing_safety_doc)]
diff --git a/src/kernel/arch/riscv64/display.rs b/src/kernel/arch/riscv64/display.rs
index 8b13789..b3313e9 100644
--- a/src/kernel/arch/riscv64/display.rs
+++ b/src/kernel/arch/riscv64/display.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/src/kernel/arch/riscv64/mod.rs b/src/kernel/arch/riscv64/mod.rs
index 0bc4595..3a68cc2 100644
--- a/src/kernel/arch/riscv64/mod.rs
+++ b/src/kernel/arch/riscv64/mod.rs
@@ -1,2 +1,5 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 pub mod asm;
 pub mod display;
diff --git a/src/kernel/arch/x86_64/acpi.rs b/src/kernel/arch/x86_64/acpi.rs
index 89000b7..f12f131 100644
--- a/src/kernel/arch/x86_64/acpi.rs
+++ b/src/kernel/arch/x86_64/acpi.rs
@@ -1 +1,4 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 // TODO: Implement per-arch memory handlers for ACPI memory map regions
diff --git a/src/kernel/arch/x86_64/asm.rs b/src/kernel/arch/x86_64/asm.rs
index 8203b08..2bb0d91 100644
--- a/src/kernel/arch/x86_64/asm.rs
+++ b/src/kernel/arch/x86_64/asm.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![allow(clippy::missing_safety_doc)]
 use core::arch::asm;
diff --git a/src/kernel/arch/x86_64/display.rs b/src/kernel/arch/x86_64/display.rs
index bd3d3ea..b621099 100644
--- a/src/kernel/arch/x86_64/display.rs
+++ b/src/kernel/arch/x86_64/display.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![allow(dead_code)]
 #![allow(unused_variables)]
diff --git a/src/kernel/arch/x86_64/mod.rs b/src/kernel/arch/x86_64/mod.rs
index 5103e0f..89e89ba 100644
--- a/src/kernel/arch/x86_64/mod.rs
+++ b/src/kernel/arch/x86_64/mod.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 pub mod acpi;
 pub mod asm;
 pub mod display;
diff --git a/src/kernel/boot.rs b/src/kernel/boot.rs
index d8233eb..f40e6e3 100644
--- a/src/kernel/boot.rs
+++ b/src/kernel/boot.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use limine::{BaseRevision, request::*};
 #[used]
diff --git a/src/kernel/log.rs b/src/kernel/log.rs
index 25a807d..91556b9 100644
--- a/src/kernel/log.rs
+++ b/src/kernel/log.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use core::fmt::Write;
 use crate::memory::alloc;
diff --git a/src/kernel/main.rs b/src/kernel/main.rs
index ef5d0ab..310345b 100644
--- a/src/kernel/main.rs
+++ b/src/kernel/main.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![no_std]
 #![no_main]
 #![feature(allocator_api)]
diff --git a/src/kernel/memory.rs b/src/kernel/memory.rs
index deeeb53..8d98d81 100644
--- a/src/kernel/memory.rs
+++ b/src/kernel/memory.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![allow(unused_imports)]
 use enumflags2::*;
diff --git a/src/kernel/panic.rs b/src/kernel/panic.rs
index ecbf975..3869a71 100644
--- a/src/kernel/panic.rs
+++ b/src/kernel/panic.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use core::panic::*;
 #[panic_handler]
diff --git a/src/kernel/params.rs b/src/kernel/params.rs
index a92c276..3a31435 100644
--- a/src/kernel/params.rs
+++ b/src/kernel/params.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 use crate::memory::alloc;
 use alloc::string::String;
 use alloc::vec::Vec;
diff --git a/src/kernel/process.rs b/src/kernel/process.rs
index f8c59aa..66fd750 100644
--- a/src/kernel/process.rs
+++ b/src/kernel/process.rs
@@ -67,18 +67,23 @@ pub enum ProcessCapabilities {
 ProcessKill, // Kill any process
 ProcessSpawn, // Create a new process
 ProcessExec, // Replace self with new process image
- ProcessSession, // Create and accept Session requests.
- // File system capabilities
- FileEnum, // Enumerate directories and files
- FileRead, // Read files
- FileWrite, // Write to files
- FilePermission, // Modify file permissions
- FileCreate, // Create files
- FileDelete, // Delete files
- FileSystem, // Mount, unmount, and modify filesystems
+ ProcessSession, // Create and accept IPC requests.
+ // Capability meta
+ CapabilityRead, // Inspect a process's capabilities
+ CapabilityAdd, // Add a capability to a process
+ // Hardware access capabilities
+ HardwareWrite, // Write to memory-mapped IO
+ HardwareRead, // Read from memory-mapped IO
+ HardwareLock, // Obtain exclusive access to a device
+ HardwareQuery, // Check on the lock status of a device
 // Kernel config capabilities
 KernelCfgRead, // Read kernel configurations
 KernelCfgWrite, // Modify kernel configurations
+ KernelProtCall, // Call protected kernel functions
+ // Server resolution capabilities
+ ServerEnum, // Enumerate server processes
+ ServerGet, // Get the PID of a specific server for IPC.
+ ServerRegister, // Register a process as a server.
 }
 // Interprocess communication system:
diff --git a/src/kernel/resources.rs b/src/kernel/resources.rs
index 8b13789..4a3efb2 100644
--- a/src/kernel/resources.rs
+++ b/src/kernel/resources.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
\ No newline at end of file
diff --git a/src/kernel/syscall_runner.rs b/src/kernel/syscall_runner.rs
index 49cfffc..5ea6d54 100644
--- a/src/kernel/syscall_runner.rs
+++ b/src/kernel/syscall_runner.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![allow(dead_code)]
 use crate::process::Process;
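Review bot: `CapabilityAdd` in the new capability list is documented only as "Add a capability to a process", with nothing stating that the grantor must itself hold the capability it confers; without that attenuation rule a process holding `CapabilityAdd` can mint any capability, `KernelProtCall` or `KernelCfgWrite` included, for itself or another process, which turns one capability into all of them. The enum also has no way for a process to give up a capability (the mirror of `CapabilityAdd`), so a server cannot shed privileges it no longer needs before it starts handling requests. I would make the delegation rule part of the variant's doc comment, e.g. `CapabilityAdd, // Grant a capability the caller already holds to a process (no amplification)`, and consider a `CapabilityDrop` variant for relinquishing the caller's own capabilities. The same attenuation concern applies to `ServerRegister`, which registers a process under a functionality type; whether the policy server's type can be re-registered by an ordinary holder of this capability is not visible in this hunk. The enum's opening line lies outside the hunk.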
diff --git a/src/lib/arch/aarch64/mod.rs b/src/lib/arch/aarch64/mod.rs
index 8b13789..b3313e9 100644
--- a/src/lib/arch/aarch64/mod.rs
+++ b/src/lib/arch/aarch64/mod.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/src/lib/arch/loongarch64/mod.rs b/src/lib/arch/loongarch64/mod.rs
index 8b13789..b3313e9 100644
--- a/src/lib/arch/loongarch64/mod.rs
+++ b/src/lib/arch/loongarch64/mod.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/src/lib/arch/mod.rs b/src/lib/arch/mod.rs
index a92bb82..4973b91 100644
--- a/src/lib/arch/mod.rs
+++ b/src/lib/arch/mod.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #[cfg(target_arch = "x86_64")]
 pub mod x86_64;
 #[cfg(target_arch = "x86_64")]
diff --git a/src/lib/arch/riscv64/mod.rs b/src/lib/arch/riscv64/mod.rs
index 8b13789..b3313e9 100644
--- a/src/lib/arch/riscv64/mod.rs
+++ b/src/lib/arch/riscv64/mod.rs
@@ -1 +1,2 @@
-
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
diff --git a/src/lib/arch/x86_64/mod.rs b/src/lib/arch/x86_64/mod.rs
index 4992603..676936f 100644
--- a/src/lib/arch/x86_64/mod.rs
+++ b/src/lib/arch/x86_64/mod.rs
@@ -1,2 +1,5 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 mod registers_impl;
 mod syscall_impl;
diff --git a/src/lib/arch/x86_64/registers_impl.rs b/src/lib/arch/x86_64/registers_impl.rs
index 7dea5d4..bc31ab2 100644
--- a/src/lib/arch/x86_64/registers_impl.rs
+++ b/src/lib/arch/x86_64/registers_impl.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #[allow(dead_code)]
 pub struct Registers {
 // Private fields
diff --git a/src/lib/arch/x86_64/syscall_impl.rs b/src/lib/arch/x86_64/syscall_impl.rs
index 6bf6b88..32a1701 100644
--- a/src/lib/arch/x86_64/syscall_impl.rs
+++ b/src/lib/arch/x86_64/syscall_impl.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![allow(dead_code, unused_variables)]
 // The system call API for x86_64.
diff --git a/src/lib/lib.rs b/src/lib/lib.rs
index dcbb018..b554558 100644
--- a/src/lib/lib.rs
+++ b/src/lib/lib.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![no_std]
 #![allow(unused_imports)]
 mod arch;
diff --git a/src/lib/registers.rs b/src/lib/registers.rs
index d43634f..8cc8433 100644
--- a/src/lib/registers.rs
+++ b/src/lib/registers.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 // Every architecture MUST implement this as part of the ABI.
 // Additional registers can be implemented with architecture-specific traits.
 pub unsafe trait RegStoreLoad
diff --git a/src/lib/syscall.rs b/src/lib/syscall.rs
index b900d6a..4941c71 100644
--- a/src/lib/syscall.rs
+++ b/src/lib/syscall.rs
@@ -1,3 +1,6 @@
+// Copyright (c) 2025 shibedrill
+// SPDX-License-Identifier: GPL-3.0-or-later
+
 #![allow(dead_code)]
 // TODO: Implement a nice API for system calls.
@@ -19,7 +22,6 @@ pub enum SyscallError {
 Ok, // No error.
 Unspecified, // Unspecified error occurred.
 SyscallNotExist, // System call does not exist.
- FileNotExist, // The file mentioned does not exist.
 ProcessNotExist, // The process mentioned does not exist.
 PermissionDenied, // The process lacks capabilities.
 Aborted, // The kernel gave up on a blocking request.