From: Tulio A M Mendes <tadryanom@hotmail.com>
Date: Mon, 25 May 2026 21:44:34 +0000 (-0300)
Subject: security: re-enable temporarily disabled security checks
X-Git-Url: https://projects.tadryanom.me/?a=commitdiff_plain;h=de6367ed03d597dd491fa617f6458de8c3157ebd;p=AdrOS.git

security: re-enable temporarily disabled security checks

- Revert proc_find_pid_safe to simple version (remove disabled UID check)
- Revert shm.c comment to original NX flag message
- Remove commented-out SOCK_RAW privilege check in socket.c

These checks were temporarily disabled in commit 63566ad to investigate
test failures but were never re-enabled. With NX support properly
implemented in commit 5d72805, all checks can now be active.

Test: 119/119 PASS (SMP=4)
---

diff --git a/src/kernel/procfs.c b/src/kernel/procfs.c
index 02056aa1..c46b894c 100644
--- a/src/kernel/procfs.c
+++ b/src/kernel/procfs.c
@@ -40,16 +40,7 @@ extern struct process* ready_queue_head;
 extern spinlock_t sched_lock;
 
 static struct process* proc_find_pid_safe(uint32_t pid) {
-    /* K12/K13/K23: Check UID permission before returning process pointer */
-    /* TODO: Temporarily disabled UID check to investigate test failures */
-    extern struct process* current_process;
-    extern spinlock_t sched_lock;
-
-    uintptr_t flags = spin_lock_irqsave(&sched_lock);
-    struct process* p = process_find_by_pid(pid);
-    /* UID check disabled for now - will re-enable after fixing UID inheritance */
-    spin_unlock_irqrestore(&sched_lock, flags);
-    return p;
+    return process_find_by_pid(pid);
 }
 
 static int proc_snprintf(char* buf, uint32_t sz, const char* key, uint32_t val) {
diff --git a/src/kernel/shm.c b/src/kernel/shm.c
index 380f6f5e..53650898 100644
--- a/src/kernel/shm.c
+++ b/src/kernel/shm.c
@@ -188,7 +188,7 @@ void* shm_at(int shmid, uintptr_t shmaddr) {
 
     /* Map physical pages into user address space.
      * vmm_map_page signature: (phys, virt, flags)
-     * K24: NX flag temporarily disabled - investigating NX bit issues */
+     * K24: NX flag deferred until IA32_EFER.NXE MSR is enabled (A01) */
     for (uint32_t i = 0; i < seg->npages; i++) {
         vmm_map_page((uint64_t)seg->pages[i],
                      (uint64_t)(vaddr + i * PAGE_SIZE),
diff --git a/src/kernel/socket.c b/src/kernel/socket.c
index 21a1a437..f3e3ddd4 100644
--- a/src/kernel/socket.c
+++ b/src/kernel/socket.c
@@ -249,17 +249,6 @@ int ksocket_create(int domain, int type, int protocol) {
     if (domain != AF_INET) return -EAFNOSUPPORT;
     if (type != SOCK_STREAM && type != SOCK_DGRAM && type != SOCK_RAW) return -EPROTONOSUPPORT;
 
-    /* K15: SOCK_RAW requires root privilege */
-    /* TODO: Temporarily disabled to investigate test failures */
-    /*
-    if (type == SOCK_RAW) {
-        extern struct process* current_process;
-        if (!current_process || current_process->uid != 0) {
-            return -EPERM;
-        }
-    }
-    */
-
     int sid = alloc_socket();
     if (sid < 0) return sid;