Security
Solnix is a security-focused programming language designed for writing verifier-safe eBPF programs that execute inside the Linux kernel. Security is a primary design goal of the language, compiler, and tooling.
Security model
Solnix programs execute in the Linux kernel via eBPF and are subject to strict safety guarantees enforced by the kernel verifier. The Solnix compiler is designed to emit verifier-compliant bytecode and prevent unsafe constructs at compile time whenever possible.
- Verifier-safe control flow and memory access
- Restricted pointer arithmetic
- Explicit bounds and map access validation
- No unbounded loops or unsafe recursion
Experimental status
Solnix is currently in experimental preview. The language, compiler, and execution model are under active development and may contain bugs or incomplete safety checks.
Do not deploy Solnix in production or security-critical environments at this stage.
Reporting security issues
If you discover a security vulnerability in the Solnix compiler, language semantics, or generated eBPF programs, please report it responsibly.
- Open a private GitHub security advisory if possible
- If private reporting is not available, open a GitHub issue with minimal details and request a private follow-up
Please avoid publicly disclosing vulnerabilities until they have been reviewed and addressed.
Security scope
The Solnix security scope includes:
- The Solnix compiler and code generation
- Language semantics that may affect verifier safety
- Incorrect or unsafe eBPF output
- Documentation errors that could lead to unsafe usage
Issues in the Linux kernel, eBPF verifier, or external tooling are outside the Solnix project scope.
Best practices
- Test all policies on non-production systems
- Review generated eBPF bytecode when possible
- Follow kernel and eBPF security guidelines
- Keep Solnix and your kernel up to date