Linux compatibility
Peios runs Linux software with little to no modification. The Linux identity APIs — getuid, getgid, capset, setuid — return values projected from the KACS model. Compatibility is best-effort; Peios does not carve out exceptions in KACS to accommodate Linux. This page covers how the projection works and where the compatibility boundary lies.
The token's identity is projected into the Linux UID/GID fields, computed once from the directory's SID-to-UID mapping and cached on the token. Standard Linux syscalls return these projected values; the kernel never trusts them as authoritative. This page covers the projection mechanism, how impersonation affects what Linux APIs see, and the rule that no Linux API writes back to the token.
Linux's classical DAC (file mode bits) and capability checks run before KACS hooks. To prevent DAC from refusing accesses that KACS would allow, every process carries a mandatory capability substrate that defers DAC checks to LSM. The 41 Linux capabilities are classified as ALLOW, PRIVILEGE, or DENY. This page covers the model.
The setuid family of syscalls is reinterpreted under Peios. Without SeAssignPrimaryTokenPrivilege the call is a no-op; with it, the call triggers a full identity swap via authd. The setuid bit on exec follows the same rule. The uid0 utility offers a cosmetic UID=0 view for legacy programs. This page covers the semantics.
SO_PEERCRED and SCM_CREDENTIALS return the peer's projected UID/GID — useful for compatibility but insufficient for security decisions. Services that need to authenticate a connecting peer for access control use kacs_open_peer_token instead. This page covers the two Linux mechanisms, their projection semantics, and the right replacement.
Some Linux features survive on Peios for compatibility but are superseded and outside Peios's recommended surface. They still work as they do on Linux; Peios does not document them in depth. This page lists them, with the privilege each needs and where to look instead.