[kernel] Add capabilities to handles

This change finally adds capabilities to handles. Included changes: - j6_handle_t is now again 64 bits, with the highest 8 bits being a type code, and the next highest 24 bits being the capability mask, so that programs can check type/caps without calling the kernel. - The definitions grammar now includes a `capabilities [ ]` section on objects, to list what capabilities are relevant. - j6/caps.h is auto-generated from object capability lists - init_libj6 again sets __handle_self and __handle_sys, this is a bit of a hack. - A new syscall, j6_handle_list, will return the list of existing handles owned by the calling process. - syscall_verify.cpp.cog now actually checks that the needed capabilities exist on handles before allowing the call.
2025-12-10 00:14:32 -08:00 · 2022-01-28 01:49:26 -08:00
parent 9b75acf0b5
commit f1246f84e0
38 changed files with 290 additions and 177 deletions
--- a/src/kernel/kernel.module
+++ b/src/kernel/kernel.module
@@ -53,6 +53,7 @@ kernel = module("kernel",
        "syscalls.inc.cog",
        "syscalls/channel.cpp",
        "syscalls/endpoint.cpp",
+        "syscalls/handle.cpp",
        "syscalls/object.cpp",
        "syscalls/process.cpp",
        "syscalls/system.cpp",
--- a/src/kernel/objects/channel.h
+++ b/src/kernel/objects/channel.h
@@ -2,6 +2,7 @@
 /// \file channel.h
 /// Definition of channel objects and related functions

+#include <j6/caps.h>
 #include <j6/signals.h>
 #include <util/bip_buffer.h>
 #include <util/counted.h>
@@ -17,7 +18,7 @@ class channel :
 {
 public:
    /// Capabilities on a newly constructed channel handle
-    constexpr static j6_cap_t creation_caps = 0;
+    constexpr static j6_cap_t creation_caps = j6_cap_channel_all;

    channel();
    virtual ~channel();
--- a/src/kernel/objects/endpoint.h
+++ b/src/kernel/objects/endpoint.h
@@ -2,6 +2,7 @@
 /// \file endpoint.h
 /// Definition of endpoint kobject types

+#include <j6/caps.h>
 #include <j6/signals.h>
 #include <util/spinlock.h>
 #include <util/vector.h>
@@ -16,7 +17,7 @@ class endpoint :
 {
 public:
    /// Capabilities on a newly constructed endpoint handle
-    constexpr static j6_cap_t creation_caps = 0;
+    constexpr static j6_cap_t creation_caps = j6_cap_endpoint_all;

    endpoint();
    virtual ~endpoint();
--- a/src/kernel/objects/handle.h
+++ b/src/kernel/objects/handle.h
@@ -9,34 +9,40 @@ namespace obj {

 struct handle
 {
-    inline handle(j6_handle_t in_id, kobject *in_object, j6_cap_t in_caps) :
-        id {in_id}, object {in_object}, caps {in_caps} {
+    // A j6_handle_t is an id in the low 32 bits, caps in bits 32-55, and type in 56-63
+    static inline j6_handle_t make_id(j6_handle_t id, j6_cap_t caps, kobject *obj) {
+        return (id & 0xffffffffull) |
+            static_cast<j6_handle_t>(caps) << 32 |
+            static_cast<j6_handle_t>(obj ? obj->get_type() : kobject::type::none) << 56;
+    }
+
+    inline handle(j6_handle_t in_id, kobject *in_obj, j6_cap_t caps) :
+        id {make_id(in_id, caps, in_obj)}, object {in_obj} {
        if (object) object->handle_retain();
    }

    inline handle(const handle &other) :
-        id {other.id}, object {other.object}, caps {other.caps} {
+        id {other.id}, object {other.object} {
        if (object) object->handle_retain();
    }

    inline handle(handle &&other) :
-        id {other.id}, object {other.object}, caps {other.caps} {
+        id {other.id}, object {other.object} {
        other.id = 0;
-        other.caps = 0;
        other.object = nullptr;
    }

    inline handle & operator=(const handle &other) {
        if (object) object->handle_release();
-        id = other.id; caps = other.caps; object = other.object;
+        id = other.id; object = other.object;
        if (object) object->handle_retain();
        return *this;
    }

    inline handle & operator=(handle &&other) {
        if (object) object->handle_release();
-        id = other.id; caps = other.caps; object = other.object;
-        other.id = other.caps = 0; other.object = nullptr;
+        id = other.id; object = other.object;
+        other.id = 0; other.object = nullptr;
        return *this;
    }

@@ -44,12 +50,14 @@ struct handle
        if (object) object->handle_release();
    }

+    inline j6_cap_t caps() const { return id >> 32; }
+
    inline bool has_cap(j6_cap_t test) const {
-        return (caps & test) == test;
+        return (caps() & test) == test;
    }

    inline kobject::type type() const {
-        return object->get_type();
+        return static_cast<kobject::type>(id >> 56);
    }

    inline int compare(const handle &o) {
@@ -75,7 +83,6 @@ struct handle
    inline const kobject * as<kobject>() const { return object; }

    j6_handle_t id;
-    j6_cap_t caps;
    kobject *object;
 };

--- a/src/kernel/objects/kobject.h
+++ b/src/kernel/objects/kobject.h
@@ -16,7 +16,7 @@ class kobject
 {
 public:
    /// Types of kernel objects.
-    enum class type : uint16_t
+    enum class type : uint8_t
    {
 #define OBJECT_TYPE( name, val ) name = val,
 #include <j6/tables/object_types.inc>
--- a/src/kernel/objects/process.cpp
+++ b/src/kernel/objects/process.cpp
@@ -22,8 +22,7 @@ process::process() :
    m_next_handle {1},
    m_state {state::running}
 {
-    j6_handle_t self = add_handle(this, process::self_caps);
-    kassert(self == self_handle(), "Process self-handle is not 1");
+    m_self_handle = add_handle(this, process::self_caps);
 }

 // The "kernel process"-only constructor
@@ -129,9 +128,10 @@ process::add_handle(kobject *obj, j6_cap_t caps)
    if (!obj)
        return j6_handle_invalid;

-    j6_handle_t id = m_next_handle++;
-    m_handles.insert(id, {id, obj, caps});
+    handle h {m_next_handle++, obj, caps};
+    j6_handle_t id = h.id;

+    m_handles.insert(id, h);
    return id;
 }

@@ -147,4 +147,16 @@ process::lookup_handle(j6_handle_t id)
    return m_handles.find(id);
 }

+size_t
+process::list_handles(j6_handle_t *handles, size_t len)
+{
+    for (const auto &i : m_handles) {
+        if (len-- == 0)
+            break;
+        *handles++ = i.key;
+    }
+
+    return m_handles.count();
+}
+
 } // namespace obj
--- a/src/kernel/objects/process.h
+++ b/src/kernel/objects/process.h
@@ -2,6 +2,7 @@
 /// \file process.h
 /// Definition of process kobject types

+#include <j6/caps.h>
 #include <util/map.h>
 #include <util/vector.h>

@@ -17,10 +18,10 @@ class process :
 {
 public:
    /// Capabilities on a newly constructed process handle
-    constexpr static j6_cap_t creation_caps = 0;
+    constexpr static j6_cap_t creation_caps = j6_cap_process_all;

    /// Capabilities on a process to itself
-    constexpr static j6_cap_t self_caps = 0;
+    constexpr static j6_cap_t self_caps = j6_cap_process_all;

    /// Top of memory area where thread stacks are allocated
    constexpr static uintptr_t stacks_top = 0x0000800000000000;
@@ -74,13 +75,19 @@ public:
    /// \returns     Pointer to the handle struct, or null if not found
    handle * lookup_handle(j6_handle_t handle);

+    /// Get the list of handle ids this process owns
+    /// \arg handles  Pointer to an array of handles to copy into
+    /// \arg len      Size of the array
+    /// \returns      Total number of handles (may be more than number copied)
+    size_t list_handles(j6_handle_t *handles, size_t len);
+
    /// Inform the process of an exited thread
    /// \args th  The thread which has exited
    /// \returns  True if this thread ending has ended the process
    bool thread_exited(thread *th);

    /// Get the handle for this process to refer to itself
-    inline j6_handle_t self_handle() const { return 1; }
+    inline j6_handle_t self_handle() const { return m_self_handle; }

    /// Get the process object that owns kernel threads and the
    /// kernel address space
@@ -95,6 +102,7 @@ private:
    // This constructor is called by create_kernel_process
    process(page_table *kpml4);

+    j6_handle_t m_self_handle;
    int32_t m_return_code;

    vm_space m_space;
--- a/src/kernel/objects/system.h
+++ b/src/kernel/objects/system.h
@@ -2,6 +2,7 @@
 /// \file system.h
 /// Definition of kobject type representing the system

+#include <j6/caps.h>
 #include "objects/kobject.h"

 namespace obj {
@@ -11,7 +12,7 @@ class system :
 {
 public:
    /// Capabilities on system given to init
-    constexpr static j6_cap_t init_caps = 0;
+    constexpr static j6_cap_t init_caps = j6_cap_system_all;

    static constexpr kobject::type type = kobject::type::system;

--- a/src/kernel/objects/thread.h
+++ b/src/kernel/objects/thread.h
@@ -2,6 +2,7 @@
 /// \file thread.h
 /// Definition of thread kobject types

+#include <j6/caps.h>
 #include <util/enum_bitfields.h>
 #include <util/linked_list.h>
 #include <util/spinlock.h>
@@ -60,10 +61,10 @@ class thread :
 {
 public:
    /// Capabilities on a newly constructed thread handle
-    constexpr static j6_cap_t creation_caps = 0;
+    constexpr static j6_cap_t creation_caps = j6_cap_thread_all;

    /// Capabilities the parent process gets on new thread handles
-    constexpr static j6_cap_t parent_caps = 0;
+    constexpr static j6_cap_t parent_caps = j6_cap_thread_all;

    enum class state : uint8_t {
        ready    = 0x01,
--- a/src/kernel/objects/vm_area.h
+++ b/src/kernel/objects/vm_area.h
@@ -5,6 +5,7 @@
 #include <stddef.h>
 #include <stdint.h>

+#include <j6/caps.h>
 #include <j6/signals.h>
 #include <util/vector.h>
 #include <util/enum_bitfields.h>
@@ -34,7 +35,7 @@ class vm_area :
 {
 public:
    /// Capabilities on a newly constructed vma handle
-    constexpr static j6_cap_t creation_caps = 0;
+    constexpr static j6_cap_t creation_caps = j6_cap_vma_all;

    static constexpr kobject::type type = kobject::type::vma;

--- a/src/kernel/syscall_verify.cpp.cog
+++ b/src/kernel/syscall_verify.cpp.cog
@@ -2,6 +2,7 @@

 #include <stdint.h>
 #include <arch/memory.h>
+#include <j6/caps.h>
 #include <j6/errors.h>
 #include <j6/types.h>
 #include <util/counted.h>
@@ -36,6 +37,10 @@ using util::buffer;
 /*[[[cog code generation
 cbool = {True: "true", False: "false"}

+def get_caps(opts, type):
+    caps = opts.get("cap", list())
+    return [f"j6_cap_{type.name}_{c}" for c in caps]
+
 for id, scope, method in syscalls.methods:
    if scope:
        name = f"{scope.name}_{method.name}"
@@ -58,7 +63,11 @@ for id, scope, method in syscalls.methods:
        argdefs.append("j6_handle_t self")
        cxxargdefs.append(f"obj::{scope.cname} *self")
        args.append("self_obj")
-        handles.append((f"obj::{scope.cname} *", "self", "self_obj"))
+        handles.append((
+            f"obj::{scope.cname} *",
+            "self",
+            "self_obj",
+            get_caps(method.options, scope)))

    for param in method.params:
        needs_obj = param.type.needs_object(param.options)
@@ -73,7 +82,7 @@ for id, scope, method in syscalls.methods:

            if needs_obj:
                oarg = f"{arg}_obj"
-                handles.append((type, arg, oarg))
+                handles.append((type, arg, oarg, get_caps(param.options, param.type.object)))
                args.append(oarg)
            else:
                args.append(arg)
@@ -94,12 +103,18 @@ for id, scope, method in syscalls.methods:
        cog.outl( "        return j6_err_invalid_arg;")
        cog.outl()

-    for type, inarg, outarg in handles:
+    for type, inarg, outarg, caps in handles:
        if type.endswith('*'):
            type = type[:-1].strip()

        cog.outl(f"    obj::handle *{inarg}_handle = get_handle<typename {type}>({inarg});")
        cog.outl(f"    if (!{inarg}_handle) return j6_err_invalid_arg;")
+
+        if caps:
+            allcaps = " | ".join(caps)
+            cog.outl(f"    j6_cap_t {inarg}_caps_req = {allcaps};")
+            cog.outl(f"    if (!{inarg}_handle->has_cap({inarg}_caps_req)) return j6_err_denied;")
+
        cog.outl(f"    {type} *{outarg} = {inarg}_handle->as<typename {type}>();")
        cog.outl(f"    if (!{outarg}) return j6_err_invalid_arg;")
        cog.outl()
--- a/src/kernel/syscalls/handle.cpp
+++ b/src/kernel/syscalls/handle.cpp
@@ -0,0 +1,27 @@
+#include <j6/errors.h>
+#include <j6/types.h>
+
+#include "objects/process.h"
+
+using namespace obj;
+
+namespace syscalls {
+
+j6_status_t
+handle_list(j6_handle_t *handles, size_t *handles_len)
+{
+    if (!handles_len || (*handles_len && !handles))
+        return j6_err_invalid_arg;
+
+    process &p = process::current();
+    size_t requested = *handles_len;
+
+    *handles_len = p.list_handles(handles, requested);
+
+    if (*handles_len < requested)
+        return j6_err_insufficient;
+
+    return j6_status_ok;
+}
+
+} // namespace syscalls
--- a/src/libraries/j6/include/j6/caps.h.cog
+++ b/src/libraries/j6/include/j6/caps.h.cog
@@ -0,0 +1,25 @@
+#pragma once
+// vim: ft=cpp
+
+/// \file caps.h
+/// Capability bitfield constants
+
+/*[[[cog code generation
+from definitions.context import Context
+
+ctx = Context(definitions_path)
+ctx.parse("syscalls.def")
+syscalls = ctx.interfaces["syscalls"]
+
+for obj in syscalls.exposes:
+    i = 0
+    for cap in obj.object.caps:
+        name = f"j6_cap_{obj.object.name}_{cap}"
+        cog.outl(f"#define {name:<30} (1 << {i})")
+        i += 1
+
+    name = f"j6_cap_{obj.object.name}_all"
+    cog.outl(f"#define {name:<30} ((1<<{i})-1)")
+    cog.outl()
+]]]*/
+/// [[[end]]]
--- a/src/libraries/j6/include/j6/errors.h
+++ b/src/libraries/j6/include/j6/errors.h
@@ -18,4 +18,5 @@
 #define j6_err_not_ready            j6_err(0x0004)
 #define j6_err_insufficient         j6_err(0x0005)
 #define j6_err_timed_out            j6_err(0x0006)
+#define j6_err_denied               j6_err(0x0007)

--- a/src/libraries/j6/include/j6/types.h
+++ b/src/libraries/j6/include/j6/types.h
@@ -27,14 +27,16 @@ typedef uint64_t j6_tag_t;
 #define j6_tag_from_irq(x)    ((x) | j6_tag_irq_base)
 #define j6_tag_to_irq(x)      ((x) & ~j6_tag_irq_base)

-/// Handles are references and capabilities to other objects.
-typedef uint32_t j6_handle_t;
+/// Handles are references and capabilities to other objects. A handle is
+/// an id in the lower 32 bits, a bitfield of capabilities in bits 32-55
+/// and a type id in bits 56-63.
+typedef uint64_t j6_handle_t;
+
+/// Bitfield for storage of capabilities on their own
+typedef uint32_t j6_cap_t;

 #define j6_handle_invalid ((j6_handle_t)-1)

-/// Bitfield for storage of capabilities
-typedef uint32_t j6_cap_t;
-
 enum j6_object_type {
 #define OBJECT_TYPE( name, val ) j6_object_type_ ## name = val,
 #include <j6/tables/object_types.inc>
--- a/src/libraries/j6/init.cpp
+++ b/src/libraries/j6/init.cpp
@@ -3,45 +3,47 @@
 #ifndef __j6kernel

 #include <stdint.h>
+#include <j6/errors.h>
 #include <j6/init.h>
+#include <j6/syscalls.h>
 #include <j6/types.h>

-static size_t __initc = 0;
-static struct j6_init_value *__initv = 0;
-
 j6_handle_t __handle_sys = j6_handle_invalid;
 j6_handle_t __handle_self = j6_handle_invalid;

-extern "C" void
-_get_init(size_t *initc, struct j6_init_value **initv)
-{
-    if (!initc)
-        return;
+namespace {
+    constexpr size_t __static_arr_size = 4;
+    j6_handle_t __handle_array[__static_arr_size];

-    *initc = __initc;
-    if (initv)
-        *initv = __initv;
-}
+    static j6_status_t
+    __load_handles()
+    {
+        size_t count = __static_arr_size;
+        j6_handle_t *handles = __handle_array;
+        j6_status_t s = j6_handle_list(handles, &count);
+
+        if (s != j6_err_insufficient && s != j6_status_ok)
+            return s;
+
+        if (count > __static_arr_size)
+            count = __static_arr_size;
+
+        for (size_t i = 0; i < count; ++i) {
+            uint8_t type = (handles[i] >> 56);
+            if (type == j6_object_type_system && __handle_sys == j6_handle_invalid)
+                __handle_sys = handles[i];
+            else if (type == j6_object_type_process && __handle_self == j6_handle_invalid)
+                __handle_self = handles[i];
+        }
+
+        return s;
+    }
+} // namespace

 extern "C" void
 _init_libj6(uint64_t *rsp)
 {
-    uint64_t argc = *rsp++;
-    rsp += argc;
-
-    __initc = *rsp++;
-    __initv = (struct j6_init_value *)rsp;
-
-    for (unsigned i = 0; i < __initc; ++i) {
-        if (__initv[i].type == j6_init_handle_other &&
-            __initv[i].handle.type == j6_object_type_system) {
-            __handle_sys = __initv[i].handle.handle;
-        }
-        else if (__initv[i].type == j6_init_handle_self &&
-            __initv[i].handle.type == j6_object_type_process) {
-            __handle_self = __initv[i].handle.handle;
-        }
-    }
+    __load_handles();
 }

 #endif // __j6kernel
--- a/src/libraries/j6/j6.module
+++ b/src/libraries/j6/j6.module
@@ -5,6 +5,7 @@ j6 = module("j6",
    includes = [ "include" ],
    sources = [
        "init.cpp",
+        "include/j6/caps.h.cog",
        "include/j6/syscalls.h.cog",
        "include/j6/sysconf.h.cog",
        "syscalls.s.cog",
@@ -18,6 +19,7 @@ sysconf = join(source_root, "definitions/sysconf.yaml")
 definitions = glob('definitions/**/*.def', recursive=True)

 j6.add_depends([
+        "include/j6/caps.h.cog",
        "include/j6/syscalls.h.cog",
        "syscalls.s.cog",
    ], definitions)
--- a/src/libraries/libc/j6libc/sbrk.c
+++ b/src/libraries/libc/j6libc/sbrk.c
@@ -3,7 +3,7 @@
 #include <j6/syscalls.h>
 //void *sbrk(intptr_t) __attribute__ ((weak));

-static j6_handle_t __core_handle = 0;
+static j6_handle_t __core_handle = j6_handle_invalid;
 static intptr_t __core_size = 0;

 static const uintptr_t __core_base = 0x1c0000000;
--- a/src/user/drv.uart/main.cpp
+++ b/src/user/drv.uart/main.cpp
@@ -18,8 +18,8 @@ extern "C" {
    int main(int, const char **);
 }

-constexpr j6_handle_t handle_self = 1;
-constexpr j6_handle_t handle_sys = 2;
+extern j6_handle_t __handle_self;
+extern j6_handle_t __handle_sys;

 struct entry
 {
@@ -76,13 +76,13 @@ log_pump_proc()
    void *message_buffer = nullptr;
    char stringbuf[300];

-    j6_status_t result = j6_system_request_iopl(handle_sys, 3);
+    j6_status_t result = j6_system_request_iopl(__handle_sys, 3);
    if (result != j6_status_ok)
        return;

    while (true) {
        size_t size = buffer_size;
-        j6_status_t s = j6_system_get_log(handle_sys, message_buffer, &size);
+        j6_status_t s = j6_system_get_log(__handle_sys, message_buffer, &size);

        if (s == j6_err_insufficient) {
            free(message_buffer);
@@ -96,7 +96,7 @@ log_pump_proc()

        if (size == 0) {
            j6_signal_t sigs = 0;
-            j6_kobject_wait(handle_sys, j6_signal_system_has_log, &sigs);
+            j6_kobject_wait(__handle_sys, j6_signal_system_has_log, &sigs);
            continue;
        }

@@ -121,7 +121,7 @@ main(int argc, const char **argv)
    j6_handle_t endp = j6_handle_invalid;
    j6_status_t result = j6_status_ok;

-    result = j6_system_request_iopl(handle_sys, 3);
+    result = j6_system_request_iopl(__handle_sys, 3);
    if (result != j6_status_ok)
        return result;

@@ -129,11 +129,11 @@ main(int argc, const char **argv)
    if (result != j6_status_ok)
        return result;

-    result = j6_system_bind_irq(handle_sys, endp, 3);
+    result = j6_system_bind_irq(__handle_sys, endp, 3);
    if (result != j6_status_ok)
        return result;

-    result = j6_system_bind_irq(handle_sys, endp, 4);
+    result = j6_system_bind_irq(__handle_sys, endp, 4);
    if (result != j6_status_ok)
        return result;

@@ -153,7 +153,7 @@ main(int argc, const char **argv)
    sp[0] = sp[1] = 0;

    j6_handle_t child = j6_handle_invalid;
-    result = j6_thread_create(&child, handle_self, stack_top - 0x10, reinterpret_cast<uintptr_t>(&log_pump_proc));
+    result = j6_thread_create(&child, __handle_self, stack_top - 0x10, reinterpret_cast<uintptr_t>(&log_pump_proc));
    if (result != j6_status_ok)
        return result;

--- a/src/user/drv.uefi_fb/main.cpp
+++ b/src/user/drv.uefi_fb/main.cpp
@@ -37,7 +37,6 @@ main(int argc, const char **argv)

    size_t initc = 0;
    j6_init_value *initv = nullptr;
-    _get_init(&initc, &initv);

    j6_init_framebuffer *fb = nullptr;
    for (unsigned i = 0; i < initc; ++i) {
--- a/src/user/srv.init/loader.cpp
+++ b/src/user/srv.init/loader.cpp
@@ -12,8 +12,8 @@
 using bootproto::module_flags;
 using bootproto::module_program;

-extern j6_handle_t handle_self;
-extern j6_handle_t handle_system;
+extern j6_handle_t __handle_self;
+extern j6_handle_t __handle_sys;

 constexpr uintptr_t load_addr_base = 0xf8000000;
 constexpr size_t stack_size = 0x10000;
@@ -28,13 +28,13 @@ load_program(const module_program &prog, char *err_msg)
    }

    j6_handle_t elf_vma = j6_handle_invalid;
-    j6_status_t res = j6_system_map_phys(handle_system, &elf_vma, prog.base_address, prog.size, 0);
+    j6_status_t res = j6_system_map_phys(__handle_sys, &elf_vma, prog.base_address, prog.size, 0);
    if (res != j6_status_ok) {
        sprintf(err_msg, "  ** error loading program '%s': creating physical vma: %lx", prog.filename, res);
        return false;
    }

-    res = j6_vma_map(elf_vma, handle_self, prog.base_address);
+    res = j6_vma_map(elf_vma, __handle_self, prog.base_address);
    if (res != j6_status_ok) {
        sprintf(err_msg, "  ** error loading program '%s': mapping vma: %lx", prog.filename, res);
        return false;
@@ -55,7 +55,7 @@ load_program(const module_program &prog, char *err_msg)
        return false;
    }

-    res = j6_process_give_handle(proc, handle_system, nullptr);
+    res = j6_process_give_handle(proc, __handle_sys, nullptr);
    if (res != j6_status_ok) {
        sprintf(err_msg, "  ** error loading program '%s': giving system handle: %lx", prog.filename, res);
        return false;
@@ -90,7 +90,7 @@ load_program(const module_program &prog, char *err_msg)
            return false;
        }

-        res = j6_vma_unmap(sub_vma, handle_self);
+        res = j6_vma_unmap(sub_vma, __handle_self);
        if (res != j6_status_ok) {
            sprintf(err_msg, "  ** error loading program '%s': unmapping sub vma: %lx", prog.filename, res);
            return false;
@@ -115,7 +115,7 @@ load_program(const module_program &prog, char *err_msg)
        return false;
    }

-    res = j6_vma_unmap(stack_vma, handle_self);
+    res = j6_vma_unmap(stack_vma, __handle_self);
    if (res != j6_status_ok) {
        sprintf(err_msg, "  ** error loading program '%s': unmapping stack vma: %lx", prog.filename, res);
        return false;
@@ -128,7 +128,7 @@ load_program(const module_program &prog, char *err_msg)
        return false;
    }

-    res = j6_vma_unmap(elf_vma, handle_self);
+    res = j6_vma_unmap(elf_vma, __handle_self);
    if (res != j6_status_ok) {
        sprintf(err_msg, "  ** error loading program '%s': unmapping elf vma: %lx", prog.filename, res);
        return false;
--- a/src/user/srv.init/main.cpp
+++ b/src/user/srv.init/main.cpp
@@ -1,6 +1,9 @@
 #include <stdio.h>
+#include <stdlib.h>

+#include <j6/errors.h>
 #include <j6/syscalls.h>
+#include <j6/types.h>
 #include <bootproto/init.h>

 #include "loader.h"
@@ -16,15 +19,15 @@ extern "C" {

 uintptr_t _arg_modules_phys;   // This gets filled in in _start

-j6_handle_t handle_self   = 1; // Self program handle is always 1
-j6_handle_t handle_system = 2; // boot protocol is that init gets the system as handle 2
+extern j6_handle_t __handle_self;
+extern j6_handle_t __handle_sys;

 int
 main(int argc, const char **argv)
 {
    j6_log("srv.init starting");

-    modules mods = modules::load_modules(_arg_modules_phys, handle_system, handle_self);
+    modules mods = modules::load_modules(_arg_modules_phys, __handle_sys, __handle_self);

    for (auto &mod : mods.of_type(module_type::program)) {
        auto &prog = static_cast<const module_program&>(mod);