# Trust Boundaries
This page gives reviewers one place to find the hostile-input boundaries, trusted inputs, and current isolation assumptions that matter for capOS security review.
## Current Boundaries
| Boundary | Trust rule | Current enforcement | Validation and review source |
|---|---|---|---|
| Ring 0 to Ring 3 | The kernel trusts no userspace register, pointer, SQE, CapSet, or result buffer field. | kernel/src/arch/x86_64/syscall.rs, kernel/src/mem/validate.rs, and kernel/src/cap/ring.rs validate syscall arguments, user buffers, opcodes, and capability table lookups before privileged use. | ../panic-surface-inventory.md, REVIEW.md |
| Capability table to kernel object | A process acts only through a live table-local CapId with matching generation and interface. | capos-lib/src/cap_table.rs owns generation-tagged slots; kernel capability dispatch goes through CapObject::call. | cargo test-lib, QEMU ring and IPC smokes recorded in REVIEW_FINDINGS.md |
| Capability ring shared memory | Userspace owns SQ writes, but the kernel owns validation, dispatch, completion, and failure semantics. | SQ/CQ headers and entries live in capos-config/src/ring.rs; kernel dispatch bounds indexes, buffer ranges, opcodes, transfer descriptors, and CQ posting. | cargo test-ring-loom, QEMU ring corruption, reserved opcode, fairness, IPC, and transfer smokes |
| Endpoint IPC and transfer | IPC cannot create or destroy authority except through explicit copy, move, release, or spawn transactions. | kernel/src/cap/endpoint.rs, kernel/src/cap/transfer.rs, and capos-lib/src/cap_table.rs implement queued calls, RECV/RETURN, copy/move transfer, badge propagation, and rollback. | ../authority-accounting-transfer-design.md, open transfer findings in REVIEW_FINDINGS.md |
| Manifest and boot package | Boot manifest bytes and embedded binaries are untrusted inputs until parsed and validated. Only holders of the read-only BootPackage cap can request chunked manifest bytes; ordinary services receive no default boot-package authority. | tools/mkmanifest, capos-config/src/manifest.rs, kernel/src/cap/boot_package.rs, ELF parsing in capos-lib/src/elf.rs, and kernel load paths validate graph references, paths, CapSet layout, interface IDs, manifest-read bounds, ELF bounds, and load ranges. | cargo test-config, cargo test-mkmanifest, cargo test-lib, manifest and ELF fuzz targets, make run-spawn |
| Process spawn inputs | Parent-supplied spawn params, ELF bytes, grants, badges, and result-cap insertion must fail closed. | ProcessSpawner currently validates ELF load, grants, explicit badge attenuation, frame exhaustion, and parent cap-slot exhaustion. Manifest schema-version guardrails reject unknown manifest vintages before graph validation. | Spawn QEMU smoke evidence and open findings in REVIEW_FINDINGS.md |
| Host tools and filesystem | Manifest/config input must not escape intended source directories or invoke unconstrained host commands. | tools/mkmanifest validates references and path containment, rejects unpinned CUE compilers, and Makefile targets route CUE and Cap’n Proto through pinned tool paths. | ../trusted-build-inputs.md, make generated-code-check, make dependency-policy-check |
| Generated code and schema | Schema, generated bindings, and no_std patches are trusted build inputs. | schema/capos.capnp, build scripts, tools/generated/capos_capnp.rs, and tools/check-generated-capnp.sh make generated-code drift review-visible. | ../trusted-build-inputs.md, make generated-code-check |
| Device DMA and MMIO | Current userspace receives no raw DMA buffer, device physical address, virtqueue pointer, or BAR mapping. | The QEMU virtio-net path is allowed only through kernel-owned bounce buffers until typed DMAPool, DeviceMmio, and Interrupt capabilities exist. | ../dma-isolation-design.md, make run-net |
| Panic and emergency paths | Hostile input should produce controlled errors, not panic, allocate unexpectedly, or expose stale state. | Ring dispatch is mostly controlled-error; remaining panic surfaces are classified by reachability and tracked as hardening work. | ../panic-surface-inventory.md, REVIEW.md |
## Security Invariants
- All authority is represented by capability-table hold edges; no syscall or host tool path should bypass the capability graph.
- The interface is the permission: method authority is expressed by the typed Cap’n Proto interface or by a narrower wrapper capability, not by ambient process identity.
- Kernel operations at hostile boundaries validate structure, bounds, ownership, generation, interface ID, and resource availability before mutating privileged state.
- Failed transfer, spawn, manifest, and DMA setup paths must leave ledgers, cap tables, frame ownership, and in-flight call state unchanged or explicitly rolled back.
- Trusted build inputs must be pinned or drift-review-visible before their output becomes part of the boot image or generated source baseline.
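The "Capability table to kernel object" row and the generation and interface-ID invariants above, shown as a small generation-tagged table. This is added example code, not capos-lib/src/cap_table.rs or any capOS code; the CapId, Slot, CapError and CapTable names, the check order, and the interface ids used in tests are assumptions.

```rust
// Hypothetical generation-tagged capability table (not capos-lib/src/cap_table.rs).
// Names CapId, CapError, Slot, CapTable and the interface ids are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CapId { pub index: u32, pub generation: u32 }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum CapError { OutOfRange, Empty, StaleGeneration, WrongInterface, Full }
#[derive(Clone, Copy)]
struct Slot { generation: u32, interface: Option<u64> } // None = free slot
pub struct CapTable { slots: Vec<Slot> }

impl CapTable {
    pub fn new(capacity: usize) -> Self {
        CapTable { slots: vec![Slot { generation: 0, interface: None }; capacity] }
    }

    /// Insert an object of `interface` into the first free slot; the returned
    /// table-local id carries the slot's current generation.
    pub fn insert(&mut self, interface: u64) -> Result<CapId, CapError> {
        let idx = self.slots.iter().position(|s| s.interface.is_none()).ok_or(CapError::Full)?;
        self.slots[idx].interface = Some(interface);
        Ok(CapId { index: idx as u32, generation: self.slots[idx].generation })
    }

    /// Resolve a caller-supplied id without trusting any of its fields: bounds,
    /// liveness, then generation. Every failure is a controlled error, never a panic.
    fn live_slot(&self, id: CapId) -> Result<&Slot, CapError> {
        let slot = self.slots.get(id.index as usize).ok_or(CapError::OutOfRange)?;
        if slot.interface.is_none() { return Err(CapError::Empty); }
        if slot.generation != id.generation { return Err(CapError::StaleGeneration); }
        Ok(slot)
    }

    /// The interface is the permission: a live id for the wrong interface is refused.
    pub fn lookup(&self, id: CapId, expected: u64) -> Result<u64, CapError> {
        let iface = self.live_slot(id)?.interface.ok_or(CapError::Empty)?;
        if iface != expected { return Err(CapError::WrongInterface); }
        Ok(iface)
    }

    /// Release frees the slot and bumps its generation, so every copy of the old
    /// id keeps failing even after the slot is reused for a different object.
    pub fn release(&mut self, id: CapId) -> Result<(), CapError> {
        self.live_slot(id)?;
        let slot = &mut self.slots[id.index as usize];
        slot.interface = None;
        slot.generation = slot.generation.wrapping_add(1);
        Ok(())
    }
}
```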
## Open Work
- Unify fragmented resource ledgers into the authority-accounting model so reviewers can audit quotas without following parallel counters.
- Harden open panic-surface entries that become more exposed as spawn, lifecycle, SMP, or userspace drivers expand hostile input reachability.
- Keep DMA in kernel-owned bounce-buffer mode until the DMAPool, DeviceMmio, and Interrupt transition gates have code and QEMU proof.