spec § 03 · how — the load-bearing line

The capability bundle is the primary access-control object.

Linux today layers DAC, capabilities, SELinux and AppArmor. For agent workloads that is the wrong primitive set. Coconut OS makes the capability bundle primary and reduces DAC to a legacy compat layer for unmodified binaries.

§ 03.1 — capability presentation

Denied at the syscall, before VFS.

  1. userspace · agent issues syscall
     open("/home/maya/notes", O_RDONLY)
  2. libcoconut · present capability
     agent_cap_present(aid, cap.fs.read)
  3. security/coconut · LSM hook gates the call
     lookup cap_set bound at spawn
  4. kernel/audit · audit append · chain-sealed
     ev=cap_use · chain=blake3:…
  5. kernel · VFS executes — or returns -ECAPABILITY
     no cap = no reach · deny before the operation

grant → syscall returns · audit row sealed
deny  → -ECAPABILITY · parent agent notified

capability presentation is in the syscall hot path — never bypassable from userspace

An agent that was not granted cap.fs.read("/home/maya/.ssh") literally cannot read that path — the syscall returns -ECAPABILITY before reaching the VFS layer. The mechanism is closer to seL4 and Capsicum than to Linux's hybrid capability-over-DAC overlay.

§ 03.2 — the audit chain

Tamper-evident, BLAKE3-chained, rooted in TPM-NV.

TPM-NV root → initial chain head
  1. [1.881] agent_spawn  aid=a:00001
  2. [1.883] cap_grant    aid=a:00001
  3. [2.046] cap_deny     aid=a:00017
  4. [2.047] audit_alert  aid=

appends  · kernel-side · per-CPU FIFO
signs    · coconutd at rotation · ed25519
verifies · any reader · forward-replay
format · structure · rotation cadence all canonical · key ceremony details land with the security drop

Every agent-relevant event — spawn, capability grant, capability use, capability denial, resource consumption above threshold, exit — appends to a tamper-evident hash chain. On supported hardware the chain is rooted in a TPM-NV-sealed key; on non-TPM hardware it is rooted in a documented software root with a stated attack model.

off-by-N between LSM-deny counters and audit-event counters is a P0 release-blocker · NFR-024
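Added example, not Coconut's code: a forward-replay verifier over a constructed audit segment of the shape sketched in § 03.2, plus the NFR-024 deny-counter check. Assumptions: hashlib.blake2b stands in for BLAKE3 (not in the Python stdlib); the row format, the root seed standing for TPM-NV, and the "sealed head" standing for the ed25519-signed rotation head are all constructed here, not the canonical ones.

```python
# Added example: forward-replay verification of a hash-chained audit segment.
# Assumptions (not Coconut's canonical format): hashlib.blake2b stands in for
# BLAKE3, which the Python stdlib lacks; the row format and root seed are
# constructed here; coconutd's ed25519 signature at rotation is represented
# only by the sealed head value it would sign.
import hashlib

ROOT = b"tpm-nv:constructed-root-seed"  # stands in for the TPM-NV-sealed chain head

def digest(data: bytes) -> str:
    return hashlib.blake2b(data, digest_size=32).hexdigest()

def append(chain: list, ev: str, **fields) -> str:
    """Append one event row; head_n = H(head_{n-1} || row_n). Returns the new head."""
    prev = chain[-1]["head"] if chain else digest(ROOT)
    row = f"ev={ev} " + " ".join(f"{k}={v}" for k, v in sorted(fields.items()))
    head = digest(prev.encode() + row.encode())
    chain.append({"row": row, "head": head})
    return head

def verify(chain: list, sealed_head: str) -> int:
    """Forward replay from the root. Returns -1 if intact, else the index of the
    first row whose head does not recompute; len(chain) if every row recomputes
    but the final head differs from the one sealed at rotation (a rewrite that
    recomputed every later head would otherwise pass)."""
    prev = digest(ROOT)
    for i, r in enumerate(chain):
        prev = digest(prev.encode() + r["row"].encode())
        if prev != r["head"]:
            return i
    return -1 if prev == sealed_head else len(chain)

def deny_counters_agree(chain: list, lsm_deny_count: int) -> bool:
    """NFR-024: cap_deny rows in the chain must equal the LSM deny counter exactly."""
    return sum(r["row"].startswith("ev=cap_deny ") for r in chain) == lsm_deny_count

def demo() -> tuple:
    chain = []
    append(chain, "agent_spawn", aid="a:00001")
    append(chain, "cap_grant", aid="a:00001", cap="cap.fs.read")
    sealed = append(chain, "cap_deny", aid="a:00017", cap="cap.fs.read")
    intact = verify(chain, sealed)                           # -1
    forged = [dict(r) for r in chain]                        # edit a past row in a copy
    forged[2]["row"] = forged[2]["row"].replace("cap_deny", "cap_grant")
    return intact, verify(forged, sealed), deny_counters_agree(chain, 1)

if __name__ == "__main__":
    print(demo())
```

The sealed-head comparison is what makes the replay meaningful: without it, an adversary who can rewrite the segment file can also recompute every later head, and only the head pinned by the rotation signature exposes the edit.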

§ 03.3 — adversary model

Five in-scope classes at v1.0.

A1
Hostile agent

LLM-driven agent that has been fed a hostile document or has a buggy manifest.

cannot › Cannot read/write outside cap.fs.*, connect outside cap.net.*, exceed quota, or delegate caps the parent doesn't have.

A2
Compromised supply chain

Adversary who acquires a signing key and pushes a malicious package.

cannot › Cannot ship code running with caps NOT declared in the package metadata; cannot evade signature verification at install + update.

A3
Local non-agent process

Legacy Linux app via XWayland or DAC compat layer attempting to read agent state.

cannot › Cannot read another agent's audit segment without cap.audit.read; cannot modify past audit events; cannot spawn agents outside agent_spawn.

A4
Network attacker

Adversary on the wire between user and box, or between cluster nodes.

cannot › Cannot decrypt TLS-protected :8443, forge GPG-signed packages, or replay attestation across reboots (TPM-rooted).

A5
Insider with admin caps

Operator with cap.admin.* who turns hostile.

cannot › Cannot tamper with past audit events; cannot sign packages as Coconut Labs / operator-root; cannot remove their own audit footprint.

held back

Out-of-scope classes (physical attack, kernel zero-days, TPM firmware compromise, quantum break of BLAKE3/Ed25519) are listed with mitigation pointers in the full threat model. CVE SLA + key-revocation procedure + Trail of Bits engagement details land with the security drop.