RedBear-OS

vasilito/RedBear-OS

Fork 0

Commit Graph

Author	SHA1	Message	Date
vasilito	55d00c3a24	fix: credential robustness — NGROUPS_MAX, process-scope, cache readback Kernel hardening (proc.rs +23 lines): - NGROUPS_MAX=65536 enforcement in Groups write handler - Reject non-u32-aligned writes with EINVAL - Process-scope propagation: setgroups() now fans out to ALL threads sharing the same owner_proc_id Relibc robustness: - setrlimit: EINVAL for unknown resources (was silent Ok) - posix_getgroups: kernel readback when cache is empty, fixes exec() cache-staleness gap Oracle audit fixes: H (kernel cap), E (alignment reject), G (process-scope), C (cache readback), B (rlimit errors)	2026-04-30 10:17:25 +01:00
vasilito	24289bf93f	feat: supplementary groups + credential syscalls — setgroups/getgroups/RLIMIT Kernel (3 files, 32 lines): - Context.groups: Vec<u32> — supplementary group storage - CallerCtx.groups — exposed to schemes for access control - Proc scheme Groups handle — auth-{fd}-groups read/write path - Fork inheritance — new-context copies parent groups to child Relibc (4 files, 82 insertions, 84 deletions): - posix_setgroups()/posix_getgroups() in redox-rt sys.rs - DynamicProcInfo.groups cache in lib.rs - setgroups() real impl via thr_fd.dup(auth-{fd}-groups) - getgroups() kernel-only (no /etc/group fallback) - initgroups() functional via setgroups() - getrlimit/setrlimit userspace stubs with defaults Patches: - local/patches/kernel/P4-supplementary-groups.patch - local/patches/relibc/P4-setgroups-getgroups.patch Docs updated: - COMPREHENSIVE-OS-ASSESSMENT: credential blocker → RESOLVED - KERNEL-IPC-CREDENTIAL-PLAN: marked Phases K1-K2,K4 complete - local/AGENTS.md: credential gap section → RESOLVED Unblocks: polkit, dbus-daemon, logind, sudo/su, redbear-authd	2026-04-30 10:08:54 +01:00
vasilito	e01466a6a6	state: max KDE surface reached — 40 enabled, 41 pkgar Hard platform limit: kirigami requires QML JIT (QQuickWindow/QQmlEngine headers) which is disabled on Redox. kirigami blocks plasma-framework, plasma-workspace, plasma-desktop. Built this session: - Qt6::Sensors v6.11.0 (520KB pkgar, dummy backend) - libinput v1.30.2 + libevdev v1.13.2 (both pkgar in repo) - 9 previously-commented KDE packages now enabled + building - KWin: cmake build attempt with Sensors + libinput deps - 42 KDE source archives all versioned (zero vunknown) Remaining gated by QML JIT: kirigami, plasma-framework, plasma-workspace, plasma-desktop Remaining with source issues: breeze, kde-cli-tools, kf6-prison Remaining empty package: kf6-knewstuff	2026-04-30 09:35:59 +01:00

Author

SHA1

Message

Date

vasilito

55d00c3a24

fix: credential robustness — NGROUPS_MAX, process-scope, cache readback

Kernel hardening (proc.rs +23 lines):
- NGROUPS_MAX=65536 enforcement in Groups write handler
- Reject non-u32-aligned writes with EINVAL
- Process-scope propagation: setgroups() now fans out to
  ALL threads sharing the same owner_proc_id

Relibc robustness:
- setrlimit: EINVAL for unknown resources (was silent Ok)
- posix_getgroups: kernel readback when cache is empty,
  fixes exec() cache-staleness gap

Oracle audit fixes: H (kernel cap), E (alignment reject),
G (process-scope), C (cache readback), B (rlimit errors)

2026-04-30 10:17:25 +01:00

vasilito

24289bf93f

feat: supplementary groups + credential syscalls — setgroups/getgroups/RLIMIT

Kernel (3 files, 32 lines):
- Context.groups: Vec<u32> — supplementary group storage
- CallerCtx.groups — exposed to schemes for access control
- Proc scheme Groups handle — auth-{fd}-groups read/write path
- Fork inheritance — new-context copies parent groups to child

Relibc (4 files, 82 insertions, 84 deletions):
- posix_setgroups()/posix_getgroups() in redox-rt sys.rs
- DynamicProcInfo.groups cache in lib.rs
- setgroups() real impl via thr_fd.dup(auth-{fd}-groups)
- getgroups() kernel-only (no /etc/group fallback)
- initgroups() functional via setgroups()
- getrlimit/setrlimit userspace stubs with defaults

Patches:
- local/patches/kernel/P4-supplementary-groups.patch
- local/patches/relibc/P4-setgroups-getgroups.patch

Docs updated:
- COMPREHENSIVE-OS-ASSESSMENT: credential blocker → RESOLVED
- KERNEL-IPC-CREDENTIAL-PLAN: marked Phases K1-K2,K4 complete
- local/AGENTS.md: credential gap section → RESOLVED

Unblocks: polkit, dbus-daemon, logind, sudo/su, redbear-authd

2026-04-30 10:08:54 +01:00

vasilito

e01466a6a6

state: max KDE surface reached — 40 enabled, 41 pkgar

Hard platform limit: kirigami requires QML JIT (QQuickWindow/QQmlEngine
headers) which is disabled on Redox. kirigami blocks plasma-framework,
plasma-workspace, plasma-desktop.

Built this session:
- Qt6::Sensors v6.11.0 (520KB pkgar, dummy backend)
- libinput v1.30.2 + libevdev v1.13.2 (both pkgar in repo)
- 9 previously-commented KDE packages now enabled + building
- KWin: cmake build attempt with Sensors + libinput deps
- 42 KDE source archives all versioned (zero vunknown)

Remaining gated by QML JIT: kirigami, plasma-framework,
plasma-workspace, plasma-desktop
Remaining with source issues: breeze, kde-cli-tools, kf6-prison
Remaining empty package: kf6-knewstuff

2026-04-30 09:35:59 +01:00

3 Commits