nucleus-container 0.3.2

Extremely lightweight Docker alternative for agents and production services — isolated execution using cgroups, namespaces, seccomp, Landlock, and gVisor
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196

/// Model-based tests for security module
///
/// These tests verify that the Rust implementation matches the TLA+ specification
/// defined in Nucleus_Security_SecurityEnforcement.tla
///
/// Properties verified:
/// - irreversible_lockdown: Once security layers are applied, can only move forward to locked
/// - no_privilege_escalation: Cannot return to privileged state after dropping capabilities
/// - Terminal state stability: Locked state is terminal
use nucleus::security::SecurityState;
use nucleus::StateTransition;

#[test]
fn test_security_state_machine_valid_path() {
    // Verify the happy path: privileged -> capabilities_dropped -> seccomp_applied -> landlock_applied -> locked
    let states = [
        SecurityState::Privileged,
        SecurityState::CapabilitiesDropped,
        SecurityState::SeccompApplied,
        SecurityState::LandlockApplied,
        SecurityState::Locked,
    ];

    for i in 0..states.len() - 1 {
        assert!(
            states[i].can_transition_to(&states[i + 1]),
            "Invalid transition from {:?} to {:?}",
            states[i],
            states[i + 1]
        );
    }
}

#[test]
fn test_security_property_irreversible_lockdown() {
    // Property from TLA+: [][(state = seccomp_applied) => ((state' = seccomp_applied) \/ (state' = locked))]
    // Once seccomp is applied, can only stay or move to locked

    let state = SecurityState::SeccompApplied;

    // Valid transitions
    assert!(state.can_transition_to(&SecurityState::SeccompApplied));
    assert!(state.can_transition_to(&SecurityState::LandlockApplied));

    // Invalid transitions (cannot skip to locked, cannot go backwards)
    assert!(!state.can_transition_to(&SecurityState::Locked));
    assert!(!state.can_transition_to(&SecurityState::Privileged));
    assert!(!state.can_transition_to(&SecurityState::CapabilitiesDropped));

    // Landlock also has irreversible lockdown property
    let ll_state = SecurityState::LandlockApplied;
    assert!(ll_state.can_transition_to(&SecurityState::LandlockApplied));
    assert!(ll_state.can_transition_to(&SecurityState::Locked));
    assert!(!ll_state.can_transition_to(&SecurityState::Privileged));
    assert!(!ll_state.can_transition_to(&SecurityState::CapabilitiesDropped));
    assert!(!ll_state.can_transition_to(&SecurityState::SeccompApplied));
}

#[test]
fn test_security_property_no_privilege_escalation() {
    // Property from TLA+: [][(state = capabilities_dropped) => (~(state' = privileged))]
    // Once capabilities are dropped, cannot return to privileged

    let state = SecurityState::CapabilitiesDropped;

    // Cannot go back to privileged
    assert!(!state.can_transition_to(&SecurityState::Privileged));

    // Valid forward transitions
    assert!(state.can_transition_to(&SecurityState::SeccompApplied));
}

#[test]
fn test_security_property_terminal_stable() {
    // Property from TLA+: [](state \in TerminalStates => [](state \in TerminalStates))
    // Terminal state is stable (cannot leave)

    let state = SecurityState::Locked;

    assert!(state.is_terminal());

    // Cannot transition to any other state
    assert!(!state.can_transition_to(&SecurityState::Privileged));
    assert!(!state.can_transition_to(&SecurityState::CapabilitiesDropped));
    assert!(!state.can_transition_to(&SecurityState::SeccompApplied));
    assert!(!state.can_transition_to(&SecurityState::LandlockApplied));

    // Can stay in same state (stuttering)
    assert!(state.can_transition_to(&SecurityState::Locked));
}

#[test]
fn test_security_property_liveness() {
    // Property from TLA+: <>(state \in {locked})
    // Eventually reaches locked state

    // We verify that there exists a path to Locked from any state
    let states = [
        SecurityState::Privileged,
        SecurityState::CapabilitiesDropped,
        SecurityState::SeccompApplied,
        SecurityState::LandlockApplied,
    ];

    for initial in states {
        // For each non-terminal state, verify there's a path to terminal
        assert!(
            !initial.is_terminal(),
            "{:?} should not be terminal",
            initial
        );

        // Verify we can reach a terminal state
        // (This is a simplified check - full path finding would be more complex)
        let mut current = initial;
        let mut can_progress = true;

        // Try to find path to terminal (max 10 steps)
        for _ in 0..10 {
            if current.is_terminal() {
                can_progress = true;
                break;
            }

            // Try next state in sequence
            current = match current {
                SecurityState::Privileged => SecurityState::CapabilitiesDropped,
                SecurityState::CapabilitiesDropped => SecurityState::SeccompApplied,
                SecurityState::SeccompApplied => SecurityState::LandlockApplied,
                SecurityState::LandlockApplied => SecurityState::Locked,
                SecurityState::Locked => break,
            };
        }

        assert!(
            can_progress,
            "Should be able to reach terminal from {:?}",
            initial
        );
    }
}

#[test]
fn test_security_all_transitions() {
    // Exhaustively test all possible transitions

    let all_states = [
        SecurityState::Privileged,
        SecurityState::CapabilitiesDropped,
        SecurityState::SeccompApplied,
        SecurityState::LandlockApplied,
        SecurityState::Locked,
    ];

    let valid_transitions = [
        (
            SecurityState::Privileged,
            SecurityState::CapabilitiesDropped,
        ),
        (
            SecurityState::CapabilitiesDropped,
            SecurityState::SeccompApplied,
        ),
        (
            SecurityState::SeccompApplied,
            SecurityState::LandlockApplied,
        ),
        (SecurityState::LandlockApplied, SecurityState::Locked),
        // Stuttering
        (SecurityState::Privileged, SecurityState::Privileged),
        (
            SecurityState::CapabilitiesDropped,
            SecurityState::CapabilitiesDropped,
        ),
        (SecurityState::SeccompApplied, SecurityState::SeccompApplied),
        (
            SecurityState::LandlockApplied,
            SecurityState::LandlockApplied,
        ),
        (SecurityState::Locked, SecurityState::Locked),
    ];

    // Test all transitions
    for from in &all_states {
        for to in &all_states {
            let should_be_valid = valid_transitions.contains(&(*from, *to));
            let is_valid = from.can_transition_to(to);

            assert_eq!(
                is_valid, should_be_valid,
                "Transition {:?} -> {:?}: expected {}, got {}",
                from, to, should_be_valid, is_valid
            );
        }
    }
}