Skip to content

Custom Kernel

The Syn_OS kernel is built from upstream Linux 7.0 (the launch base; a 7.2 bump is planned as the next upgrade) with the CONFIG_RUST=y toolchain enabled, hardened with KSPP defaults, and extended with a capability-gated, signed Rust kernel-module interface, loadable Rust kernel modules, an LSM attestation hook, and eBPF monitors. It is the prokaryotic-cell layer of the biological model — primitive, fast, always-on; the mitochondria for the whole organism.

SettingValue
Upstream versionLinux 7.0 (7.2 planned)
Build target7.0-synos-ai
ToolchainLLVM/Clang + Rust (no GCC)
CONFIG_RUSTy
CONFIG_MODVERSIONSn (disabled — Rust modules don’t use it)
HardeningKSPP defaults + Sanctum overlays
Custom config knobs12 — all under CONFIG_SYNOS_*
Module signingRequired — build stage hard-fails if the kernel signing key is absent; cosign-attested keys

The v111 kernel interface is a capability-gated, signed Rust kernel-module interface that exposes AI state and observability data to userspace. The old custom-syscall approach is retired — those syscall numbers now collide with upstream Linux 7.0 and the old stubs were empty shells with no real handlers.

Key design decisions:

  • Loadable, compiled Rust modules — built on Rust-for-Linux, using the misc device + ioctl pattern with memory-safe UserSlice I/O
  • Root-only — device nodes are 0600 via udev rules; every operation requires CAP_SYS_ADMIN
  • Signed — build stage 02b hard-fails if the kernel signing key is absent; modules are signed before packaging
  • QEMU-boot-validated — a reusable runtime test (synos-module-boot-test.sh) boots the ISO under QEMU and asserts the interface is reachable

The interface exposes: consciousness fusion state, AI stimulus and memory update paths, eBPF monitor tables, observability counters and perf ring buffers, namespace trust classification, per-PID audit, incident ring buffer, and CPU/kernel mitigation-posture query.

Syn_OS ships 33 signed Rust kernel modules — 28 of them real, loadable, and QEMU-boot-validated (65/65 PASS). All live in fruit/core/src/linux-kernel/rust-modules/, register a root-only (0600) /dev/synos_* device node with a CAP_SYS_ADMIN-gated ioctl ABI, and are signed at build stage 02b.

ModuleRole
synos_consciousness11 ioctls: decision LRU cache, stimulus ring, AI memory, eBPF monitor, quantum/recommend, ktime latency. Push-channel source — ALFRED reads synos_stimulus_record structs via blocking read() with no polling.
synos_ns_trustLive nsproxy/cred walk, namespace trust classification
synos_io_uring_auditPer-PID io_uring audit
synos_incident_sinkIncident ring buffer (report/drain)
synos_mitigation_stateCPU/kernel mitigation posture (is_module_sig_enforced + lockdown)
synos_securityCapability check + signed token control (LSM hook)
synos_schedulerRun-queue telemetry, predictive hints from cerebellum
synos_memoryAI memory-pool accounting, fragment-aware allocator hints
ModuleRole
synos_capabilitySipHash-2-4 keyed-MAC capability tokens (issue / verify / revoke; forged-tier → BAD_MAC)
synos_auditNIST 800-53 tamper-evident SipHash-chained control log
synos_policyvmSafe 16-reg bytecode VM + static verifier (max 1M steps, no kernel API surface)
synos_observabilityReal si_meminfo / ktime telemetry (Glasswalker)
synos_attestPer-PID measurement ledger + SipHash chain (Threadwalker)
synos_twinSnapshot lineage registry with generation/hash tracking (Storm Glass)
ModuleRole
synos_hardeningCR4 posture via inline asm (SMEP/SMAP/UMIP/lockdown/modsig readout)
synos_interruptsIRQ accounting, RPS/XPS adjustments
synos_powerThermal/cpufreq stats, Intel RAPL telemetry, CPU governor guard
synos_networkPer-ifindex rx/tx counters via RCU, eBPF network monitor
synos_procfs/proc/synos/info aggregator
synos_modloaderModule notifier event counts, signed-module load gate
synos_syscallABI-map device (legacy 469–491 range → consciousness ioctl ops)
ModuleRole
synos_forensicsVolatile memory snapshot
synos_detectKernel-integrity posture detection — tamper and hidden-object detection (blue-team)
synos_lsmCaller capability + lockdown posture
synos_audit_bridgeEmits real kernel audit records via audit_log_start/audit_log_end
synos_pcapNetfilter packet counter (NF_ACCEPT-only)
ModuleRole
synos_modverifykprobe on __x64_sys_finit_module + blocking notifier; monitor or enforce mode (NOTIFY_BADEPERM). PROVEN: 27/27 synos module loads counted; deny path returns EPERM.

Five eBPF programs are always-loaded under the kernel’s BPF infrastructure:

MonitorWatches
memoryAllocator hot-paths, page faults, OOM events
networkConnection-tracking, anomalous flows, DNS exfil patterns
processexec/clone/exit, command-line capture
securityPrivilege transitions, capability use, namespace ops
perfSoft-IRQ counts, scheduler latency, cache miss patterns

Each monitor contributes events to the Fragment Field IDS pipeline and exposes stats through the observability interface.

Syn_OS ships its own Linux Security Module hook that consults Curtain v4 capability tokens before allowing privileged operations. The integration lives in:

  • synos-security kernel module — the LSM hook itself
  • synos-curtain-tokens user-space crate — token issuance, ed25519 / ML-DSA signature
  • synos-attest — LSM attestation receipt chained into synos-attest-ledger

In-kernel safe-bytecode VM (Riftrunner, v52)

Section titled “In-kernel safe-bytecode VM (Riftrunner, v52)”

fruit/core/kernel/riftrunner/ ships an in-kernel 22-instruction eBPF subset with an in-kernel verifier and interpreter. Use cases:

  • ALFRED-driven detection rules that can be hot-loaded without a kernel rebuild
  • Lightweight policy bytecode for tenant isolation (synos-tenant)
  • Late-binding telemetry pipelines

The verifier rejects programs that attempt unbounded loops, unaligned memory access, or syscall invocation.

fruit/core/kernel/snapshot/ exposes a snapshot interface that powers the Twin Bevy plugin and the digital-twin substrate. The kernel emits snapshots of selected memory regions and observable state into the substrate, where ALFRED’s MPS cortex can play with them without affecting the live system.

Terminal window
/proc/synos/consciousness # current ConsciousnessState
/proc/synos/fragment-field # Fragment Field IDS energy state
/proc/synos/observability/* # registered counters
/proc/synos/attest/ledger # HMAC-SHA256 chained attestation log
dmesg | grep -i synos
synos-doctor --kernel
  • ALFRED → — the daemon that drives the kernel AI interface
  • Curtain → — capability tokens consulted by the LSM hook
  • Forge → — reproducible kernel module signing