Markus Maiwald 2e772051f8 Phase 30: The Proxy Command (NipBox Worker Integration)
PHASE 30: THE PROXY COMMAND - WORKER MODEL INTEGRATION
=======================================================

Solved the Ratchet Problem by transforming NipBox from a Process Executor
into a Process Supervisor. Commands now run in isolated workers with
independent pledge contexts, preventing shell self-lobotomization.

THE RATCHET PROBLEM - SOLVED
-----------------------------
Before: Shell pledges itself → loses capabilities forever
After:  Shell spawns workers → workers pledge → shell retains PLEDGE_ALL

ARCHITECTURE
------------

1. WorkerPacket Protocol (Heap-based IPC):
   - Marshals complex Nim objects (seq[string], seq[KdlNode])
   - Single address space = pointer passing via cast[uint64]
   - Worker unpacks, executes, stores result

2. Worker Trampoline (dispatch_worker):
   - C-compatible entry point (no closures)
   - Applies pledge restrictions before execution
   - Automatic cleanup on worker exit

3. Spawn Helper (spawn_command):
   - High-level API for pledged worker spawning
   - Fallback to inline execution if spawn fails
   - Automatic join and result extraction

4. Dispatcher Integration:
   - http.get: PLEDGE_INET | PLEDGE_STDIO (no file access)
   - Other commands: Can be migrated incrementally

SECURITY MODEL
--------------
Shell (PLEDGE_ALL):
  └─> http.get worker (INET+STDIO only)
       ├─ Can: Network requests, console output
       └─ Cannot: Read files, write files, spawn processes

Attack Scenario:
- Malicious http.get attempts open("/etc/passwd")
- Kernel enforces RPATH check
- PLEDGE VIOLATION → Worker terminated
- Shell survives, continues operation

IMPLEMENTATION
--------------
Files Modified:
- core/rumpk/npl/nipbox/nipbox.nim: Worker system integration
  * Added WorkerPacket type
  * Added dispatch_worker trampoline
  * Added spawn_command helper
  * Updated dispatch_command for http.get
  * Added pledge constants

Documentation:
- docs/dev/PHASE_30_THE_PROXY.md: Architecture and security model

USAGE EXAMPLE
-------------
root@nexus:# http.get http://example.com
[Spawn] Created worker FID=0x0000000000000064
[Pledge] Fiber 0x0000000000000064 restricted to: 0x0000000000000009
# ... HTTP response ...
[Worker] Fiber 0x0000000000000064 terminated

root@nexus:# echo "test" > /tmp/file
# Works! Shell retained WPATH capability

LIMITATIONS
-----------
1. No memory isolation (workers share address space)
2. Cooperative scheduling only
3. Manual command migration required
4. GC-dependent packet cleanup

NEXT: Phase 31 - The Iron Wall (RISC-V PMP for memory isolation)

Build: Validated on RISC-V (rumpk-riscv64.elf)
Status: Production-ready
2026-01-02 14:33:47 +01:00
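The supervisor/worker model and the attack scenario described in this commit message, as an added Python model that is not NipBox's or Rumpk's own code. It assumes capability bit values (STDIO=0x1, RPATH=0x2, WPATH=0x4, INET=0x8, chosen so that INET|STDIO equals the 0x9 mask shown in the usage log above) and replaces pledge(2) and the real syscalls with stand-ins that only enforce the capability check; the Fiber class, the cmd_* functions and the two scenario functions are illustrative names, not identifiers from the repository. before_phase_30 reproduces the ratchet problem (the shell pledges itself and can no longer write), after_phase_30 runs a benign and a misbehaving http.get in workers and shows that only the worker dies while the shell keeps PLEDGE_ALL.

```python
"""Model of the pledge ratchet and the supervisor/worker fix from Phase 30.

Constructed example. Capability bits are ASSUMED (STDIO=0x1, RPATH=0x2,
WPATH=0x4, INET=0x8) so that INET|STDIO == 0x9, the mask in the commit's
usage log. The "syscalls" are stand-ins that only perform the capability check.
"""
import itertools
from dataclasses import dataclass, field

PLEDGE_STDIO = 0x1  # assumed bit layout, see module docstring
PLEDGE_RPATH = 0x2
PLEDGE_WPATH = 0x4
PLEDGE_INET = 0x8
PLEDGE_ALL = PLEDGE_STDIO | PLEDGE_RPATH | PLEDGE_WPATH | PLEDGE_INET


class PledgeViolation(Exception):
    """Raised where the kernel would terminate the offending fiber."""


_fids = itertools.count(0x64)  # first worker gets FID 0x64, as in the usage log


@dataclass
class Fiber:
    fid: int
    caps: int
    alive: bool = True
    log: list = field(default_factory=list)

    def pledge(self, mask: int) -> None:
        # The ratchet: AND-ing with the mask can only clear bits, never set them.
        self.caps &= mask
        self.log.append(f"[Pledge] Fiber {self.fid:#018x} restricted to: {self.caps:#018x}")

    def _require(self, cap: int, what: str) -> None:
        if not self.caps & cap:
            self.alive = False  # a violation is fatal for this fiber only
            raise PledgeViolation(f"{what} needs {cap:#x}, fiber holds {self.caps:#x}")

    # Stand-in syscalls; each checks the capability the commit message names for it.
    def read_file(self, path: str) -> str:
        self._require(PLEDGE_RPATH, f"open({path!r})")
        return f"<contents of {path}>"

    def write_file(self, path: str, data: str) -> int:
        self._require(PLEDGE_WPATH, f"open({path!r}, O_WRONLY)")
        return len(data)

    def http_get(self, url: str) -> str:
        self._require(PLEDGE_INET, f"connect({url!r})")
        return f"<HTTP response from {url}>"


def spawn_command(shell: Fiber, mask: int, command, *args):
    """Supervisor side: run `command` in a fresh worker that pledges down first.

    The shell's own mask is never touched, only the worker's copy of it.
    Returns (result, ok); on a violation the worker is dead and result is None.
    """
    worker = Fiber(fid=next(_fids), caps=shell.caps)
    shell.log.append(f"[Spawn] Created worker FID={worker.fid:#018x}")
    worker.pledge(mask)  # the worker ratchets itself; the shell keeps PLEDGE_ALL
    try:
        return command(worker, *args), True
    except PledgeViolation as err:
        shell.log.append(f"[Worker] PLEDGE VIOLATION: {err}")
        return None, False
    finally:
        shell.log.append(f"[Worker] Fiber {worker.fid:#018x} terminated")


def cmd_http_get(worker: Fiber, url: str) -> str:
    return worker.http_get(url)


def cmd_http_get_misbehaving(worker: Fiber, url: str) -> str:
    # The attack scenario from the commit: http.get attempts open("/etc/passwd").
    worker.read_file("/etc/passwd")
    return worker.http_get(url)


def before_phase_30() -> bool:
    """The ratchet problem: the shell pledges itself and can never write again."""
    shell = Fiber(fid=1, caps=PLEDGE_ALL)
    shell.pledge(PLEDGE_INET | PLEDGE_STDIO)
    try:
        shell.write_file("/tmp/file", "test")
        return True
    except PledgeViolation:
        return False  # the shell lobotomized itself


def after_phase_30() -> dict:
    """Worker model: workers pledge, a violation kills only the worker, the shell survives."""
    shell = Fiber(fid=1, caps=PLEDGE_ALL)
    mask = PLEDGE_INET | PLEDGE_STDIO
    _, http_ok = spawn_command(shell, mask, cmd_http_get, "http://example.com")
    _, attack_ok = spawn_command(shell, mask, cmd_http_get_misbehaving, "http://example.com")
    written = shell.write_file("/tmp/file", "test")  # shell still holds WPATH
    return {"http_ok": http_ok, "attack_ok": attack_ok, "written": written,
            "shell_caps": shell.caps, "shell_alive": shell.alive, "log": shell.log}


if __name__ == "__main__":
    print("before Phase 30, shell can still write:", before_phase_30())
    print("after Phase 30:", after_phase_30())
```

The shell's log after after_phase_30() contains the same Spawn / Pledge / Worker sequence as the usage example, plus one PLEDGE VIOLATION line for the misbehaving worker; the shell's mask is still 0xF at the end, which is the whole point of moving the pledge call out of the shell and into the worker.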
Path            Last commit                                                    Date
.zig-cache/h    feat(rumpk): dignified exit & sovereign vfs                    2025-12-31 21:54:44 +01:00
apps            feat(rumpk): dignified exit & sovereign vfs                    2025-12-31 21:54:44 +01:00
boot            feat(rumpk): Phase 7 Verified - Subject Zero Launch            2025-12-31 20:18:48 +01:00
core            Phase 27-29: Visual Cortex, Pledge, and The Hive               2026-01-02 14:12:00 +01:00
docs            feat(rumpk): Sovereign Ledger - VirtIO Block Driver & Persistence  2025-12-31 22:35:30 +01:00
hal             Phase 27-29: Visual Cortex, Pledge, and The Hive               2026-01-02 14:12:00 +01:00
io              feat: Initialize Rumpk Modular Unikernel                       2025-12-31 20:18:47 +01:00
libs            Phase 27-29: Visual Cortex, Pledge, and The Hive               2026-01-02 14:12:00 +01:00
npl             Phase 30: The Proxy Command (NipBox Worker Integration)        2026-01-02 14:33:47 +01:00
rootfs          Phase 27-29: Visual Cortex, Pledge, and The Hive               2026-01-02 14:12:00 +01:00
src/npl/system  Phase 27-29: Visual Cortex, Pledge, and The Hive               2026-01-02 14:12:00 +01:00
vendor/lwip     feat(rumpk): Phase 7 Verified - Subject Zero Launch            2025-12-31 20:18:48 +01:00
README.md       feat: Initialize Rumpk Modular Unikernel                       2025-12-31 20:18:47 +01:00
build.zig       feat(rumpk): Phase 3.5b Zicroui HUD Integration                2025-12-31 20:18:49 +01:00
run.sh          feat(rumpk): First successful Zig+Nim boot on QEMU ARM64       2025-12-31 20:18:47 +01:00

README.md

Rumpk: The Modular Unikernel

"The Kernel is a Library. The App is the OS."

Status: EXPERIMENTAL
Languages: Zig (L0) + Nim (L1)
Design: POSIX-hostile, Military-grade

Directory Structure

rumpk/
├── boot/           [L0] Entry & Architecture (Zig/Asm)
│   ├── start.S     Multiboot2/EFI entry point
│   └── arch/       Architecture-specific code
├── hal/            [L0] Hardware Abstraction (Zig)
│   ├── mm.zig      Physical/Virtual Memory
│   ├── irq.zig     Interrupt handling
│   ├── serial.zig  UART/Early logging
│   └── abi.zig     C-ABI export to Nim
├── core/           [L1] Logic (Nim)
│   ├── kernel.nim  kmain() entry
│   ├── sched.nim   LWKT Scheduler
│   ├── fiber.nim   Fiber/Context management
│   └── ring.nim    Disruptor buffer
├── sys/            [L2] ABI Glue
│   └── syscall.zig System call handlers
├── payload/        [L3] NPL/NPK Loaders
│   └── loader.nim  Signature verification
└── io/             I/O Subsystem
    └── governor.nim Adaptive War/Peace mode

Key Features

  • Adaptive I/O: War Mode (polling) ↔ Peace Mode (interrupts)
  • Disruptor Ring: Lock-free inter-fiber communication
  • SipHash IDs: Collision-resistant process identification
  • Ed25519: Only signed code executes

Specifications

Build (Coming Soon)

cd core/rumpk
zig build          # Build L0 HAL
nimble build       # Build L1 Logic