Process Model
The process model defines how capOS represents isolated user programs, how they receive authority, how they enter and leave the scheduler, and how a parent can observe a child.
Status: Partially implemented. Processes, isolated address spaces, ELF loading, fixed bootstrap ABI, exit cleanup, process handles, and init-driven child spawning are implemented. Restart policy, kill, generic post-spawn grants, and init-side manifest graph execution remain open.
Current Behavior
A Process owns a user address space, a per-process capability table, a ring
scratch area, a kernel stack, a saved CPU context, a mapped capability ring, and
an optional read-only CapSet page. Process IDs are assigned by an atomic counter.
ELF images are loaded into fresh user address spaces. PT_LOAD segments are
mapped with page permissions derived from ELF flags, the user stack is fixed at
0x40_0000, and PT_TLS data is mapped into a per-process TLS area below the
ring page. The process starts from a synthetic CpuContext that returns to
Ring 3 with iretq.
ProcessSpawner lets a holder spawn packaged boot binaries, grant selected
caps to the child, and receive a non-transferable ProcessHandle result cap.
ProcessHandle.wait either completes immediately for an already-exited child
or registers one waiter.
Design
Process construction separates image loading from capability-table assembly.
The kernel first maps all boot-launched service images, then builds capability
tables for all services so service-sourced caps can resolve against declared
exports. Spawned children use the same image loading and Process creation
helpers, but their grants are supplied by the calling process through
ProcessSpawner.
Each process starts with three machine arguments:
- RDI - fixed ring virtual address (RING_VADDR).
- RSI - process ID.
- RDX - fixed CapSet virtual address, or zero if no CapSet is mapped.
Exit releases authority before the Process storage is dropped. The scheduler
switches to the kernel page table before address-space teardown, cancels
endpoint state for the exiting pid, completes any pending process waiter, and
defers the final process drop until execution is on another kernel stack.
Future process lifecycle work should keep authority transfer explicit: parents should not gain ambient access to child internals, and child grants should come from named caps plus interface checks.
Invariants
- A process cannot access a resource unless its local CapTable holds a cap.
- Bootstrap CapSet metadata is immutable from userspace.
- A stale CapId generation must not name a reused cap-table slot.
- ProcessSpawner raw grants require a copy-transferable cap or an endpoint owner cap; client-endpoint grants attenuate endpoint authority.
- ProcessSpawner kernel-source grants are limited to fresh child-local address-space-bound caps; they cannot be badged or exported from init.
- ProcessHandle caps are non-transferable.
- At most one waiter may be registered on a ProcessHandle.
- Process exit releases cap-table authority before the kernel stack frame is freed.
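The ProcessSpawner grant rules above, worked through as an added Rust model; this is illustrative code, not capOS's own kernel code, and the cap kinds, the rights fields, and the error names are assumptions.

```rust
// Hypothetical model of ProcessSpawner grant validation (not capOS's kernel code).
#[derive(Debug, PartialEq)]
pub enum Cap {
    /// Ordinary cap; `copy_transferable` stands in for the transfer right.
    Memory { copy_transferable: bool },
    /// Full endpoint authority: receive, plus minting of client caps.
    EndpointOwner { id: u32 },
    /// Attenuated endpoint authority: send only, tagged with a badge.
    ClientEndpoint { id: u32, badge: u64 },
    /// Non-transferable result cap returned by spawn.
    ProcessHandle { pid: u64 },
    /// Fresh cap bound to one process's own address space (e.g. its ring page).
    AddrSpaceBound { pid: u64, badge: Option<u64> },
}

#[derive(Debug, PartialEq)]
pub enum Grant {
    /// Hand a cap from the parent's table to the child as-is.
    Raw(Cap),
    /// Derive a badged client endpoint from an owner cap the parent holds.
    Client { owner: Cap, badge: u64 },
    /// Kernel-minted cap that exists only in the child's table.
    KernelSource(Cap),
}

#[derive(Debug, PartialEq)]
pub enum GrantError { NotTransferable, NotEndpointOwner, NotChildLocal, BadgedKernelGrant }

/// Returns the cap the child receives, or why the grant is refused.
pub fn validate_grant(child_pid: u64, grant: &Grant) -> Result<Cap, GrantError> {
    match grant {
        // Raw grants: only copy-transferable caps or endpoint owner caps move.
        Grant::Raw(Cap::Memory { copy_transferable: true }) =>
            Ok(Cap::Memory { copy_transferable: true }),
        Grant::Raw(Cap::EndpointOwner { id }) => Ok(Cap::EndpointOwner { id: *id }),
        Grant::Raw(_) => Err(GrantError::NotTransferable), // includes ProcessHandle
        // Client grants attenuate: owner authority becomes a badged send-only cap.
        Grant::Client { owner: Cap::EndpointOwner { id }, badge } =>
            Ok(Cap::ClientEndpoint { id: *id, badge: *badge }),
        Grant::Client { .. } => Err(GrantError::NotEndpointOwner),
        // Kernel-source grants: fresh, bound to the child's address space, unbadged.
        Grant::KernelSource(Cap::AddrSpaceBound { badge: Some(_), .. }) =>
            Err(GrantError::BadgedKernelGrant),
        Grant::KernelSource(Cap::AddrSpaceBound { pid, badge: None }) if *pid == child_pid =>
            Ok(Cap::AddrSpaceBound { pid: *pid, badge: None }),
        Grant::KernelSource(_) => Err(GrantError::NotChildLocal),
    }
}
```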
Code Map
- kernel/src/process.rs - Process, bootstrap CPU context, ring/CapSet mapping, exit capability cleanup.
- kernel/src/spawn.rs - ELF mapping, stack mapping, TLS mapping, process construction helpers.
- kernel/src/sched.rs - process table, process handles, wait completion, exit path.
- kernel/src/cap/process_spawner.rs - ProcessSpawnerCap, ProcessHandleCap, spawn grant validation, child-local kernel grants, child CapSet construction.
- capos-lib/src/cap_table.rs - CapId generation and cap-table operations.
- capos-config/src/capset.rs - fixed CapSet page ABI.
- schema/capos.capnp - ProcessSpawner, ProcessHandle, and CapGrant.
- init/src/main.rs - current init-side spawn smoke and hostile spawn checks.
Validation
- make run validates kernel-launched service processes, CapSet bootstrap, exit cleanup, and clean halt.
- make run-spawn validates ProcessSpawner, ProcessHandle.wait, child grants, init-spawned IPC demos, and hostile spawn failures.
- cargo test-lib covers CapTable generation, stale-slot, and transfer primitives.
- cargo test-config covers CapSet and manifest metadata used to build process grants.
- cargo build --features qemu verifies the kernel and QEMU-only paths compile.
Open Work
- Make default boot launch only init and execute the validated service graph through init.
- Add lifecycle operations such as kill and post-spawn grants only after their authority semantics are explicit.
- Implement restart policy outside the kernel-side static boot graph.