ArmoredGate/volt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Volt CLI: source-available under AGPSL v5.0

Browse Source 
Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
This commit is contained in:
Karl Clinger
2026-03-21 00:30:23 -05:00
commit 0ebe75b2ca
155 changed files with 63317 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

100
configs/images/desktop-productivity.yaml Normal file
View File

@@ -0,0 +1,100 @@
# Volt Image: Desktop Productivity
# Target density: 2,000+ per host
# Full VDI replacement with ODE
name: volt/desktop-productivity
version: "1.0"
description: "Full productivity desktop with ODE remote display"
# Base configuration
kernel: kernel-desktop
userland: glibc-standard
# Resource defaults
defaults:
memory: 2G
cpus: 2
network: default
# Included packages (shared)
packages:
# Core
- glibc
- systemd
- dbus
# Desktop environment (minimal GNOME or KDE)
- wayland
- sway # or gnome-shell-minimal
- xwayland
# Productivity
- libreoffice
- firefox
- thunderbird
# Utilities
- file-manager
- terminal
- text-editor
# ODE
- ode-server
# Init system
init:
type: systemd
target: graphical.target
# Shell
shell: /bin/bash
# Display configuration
display:
compositor: sway
resolution: 1920x1080
dpi: 96
# ODE configuration
ode:
enabled: true
default_profile: office
profiles:
- terminal
- office
- creative
# Security policy
security:
landlock_profile: desktop
seccomp_profile: desktop
capabilities:
drop:
- SYS_ADMIN
- NET_RAW
add:
- NET_BIND_SERVICE
# Filesystem layout
filesystem:
readonly:
- /usr
- /lib
writable:
- /home
- /tmp
- /var
# User home is attached storage
attached:
- source: "${USER_HOME}"
target: /home/user
type: bind
# Metadata
metadata:
category: desktop
density: 2000
boot_time: "<600ms"
ode_capable: true
vdi_replacement: true

123
configs/images/dev.yaml Normal file
View File

@@ -0,0 +1,123 @@
# Volt Image: Development Environment
# Target density: 10,000+ per host
# Full development environment with git-attached storage
name: volt/dev
version: "1.0"
description: "Development environment VM"
# Base configuration
kernel: kernel-dev
userland: glibc-standard
# Resource defaults
defaults:
memory: 1G
cpus: 2
network: bridge
# Included packages
packages:
# Core
- glibc
- bash
- coreutils
- util-linux
# Development tools
- git
- git-lfs
- make
- cmake
- gcc
- g++
- gdb
- strace
- ltrace
# Languages
- python3
- python3-pip
- nodejs
- npm
# Optional (installable)
# - go
# - rust
# - java
# Editors
- vim
- nano
# Networking
- curl
- wget
- openssh-client
- openssh-server
# Utilities
- tmux
- htop
- tree
- jq
# Init system
init:
type: busybox
services:
- sshd
# Shell
shell: /bin/bash
# Security policy (more permissive for dev)
security:
landlock_profile: dev
seccomp_profile: dev
capabilities:
drop:
- SYS_ADMIN
add:
- NET_BIND_SERVICE
- SYS_PTRACE # For debugging
# Filesystem layout
filesystem:
readonly:
- /usr
- /lib
writable:
- /home
- /tmp
- /var
- /workspace
# Git-attached workspace
attached:
- source: "${PROJECT_GIT}"
target: /workspace
type: git
# Environment
environment:
TERM: xterm-256color
LANG: en_US.UTF-8
PATH: /usr/local/bin:/usr/bin:/bin
EDITOR: vim
# SSH configuration
ssh:
enabled: true
port: 22
allow_password: false
authorized_keys_path: /home/dev/.ssh/authorized_keys
# Metadata
metadata:
category: development
density: 10000
boot_time: "<400ms"
onboarding_time: "<5 minutes"
ode_capable: false
git_attached: true

66
configs/images/edge.yaml Normal file
View File

@@ -0,0 +1,66 @@
# Volt Image: Edge
# Target density: 100,000+ per host
# Optimized for IoT gateways, edge compute
name: volt/edge
version: "1.0"
description: "Minimal edge computing VM"
# Base configuration
kernel: kernel-minimal
userland: busybox-tiny
# Resource defaults (extremely minimal)
defaults:
memory: 32M
cpus: 1
network: default
# Included packages (absolute minimum)
packages:
- busybox-static
- ca-certificates
# Init system
init:
type: direct
command: /app/edge-agent
# No shell by default (security)
shell: none
# Security policy (maximum lockdown)
security:
landlock_profile: edge
seccomp_profile: edge-minimal
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
# No privilege escalation
no_new_privileges: true
# Read-only root
read_only_root: true
# Filesystem layout
filesystem:
readonly:
- /
writable:
- /tmp
- /var/run
# Network
network:
type: host # Direct host networking for edge
# Metadata
metadata:
category: edge
density: 100000
boot_time: "<100ms"
total_size: "20MB"
ode_capable: false

82
configs/images/k8s-node.yaml Normal file
View File

@@ -0,0 +1,82 @@
# Volt Image: Kubernetes Node
# Target density: 30,000+ per host
# Purpose-built K8s worker node
name: volt/k8s-node
version: "1.0"
description: "Kubernetes worker node VM"
# Base configuration
kernel: kernel-server
userland: musl-minimal
# Resource defaults
defaults:
memory: 256M
cpus: 1
network: bridge
# Included packages
packages:
- busybox
- kubelet
- containerd # Uses Voltainer runtime!
- runc
- cni-plugins
- iptables
- conntrack-tools
# Init system
init:
type: busybox
services:
- containerd
- kubelet
# Shell
shell: /bin/ash
# Security policy
security:
landlock_profile: k8s-node
seccomp_profile: server
capabilities:
drop:
- ALL
add:
- NET_ADMIN
- NET_BIND_SERVICE
- SYS_ADMIN # Required for container runtime
- MKNOD
# Filesystem layout
filesystem:
readonly:
- /usr
- /lib
writable:
- /var/lib/kubelet
- /var/lib/containerd
- /var/log
- /tmp
- /etc/kubernetes
# Kubelet configuration
kubelet:
config_path: /etc/kubernetes/kubelet.conf
kubeconfig_path: /etc/kubernetes/kubelet.kubeconfig
container_runtime: containerd
container_runtime_endpoint: unix:///run/containerd/containerd.sock
# Labels
labels:
voltvisor.io/managed: "true"
voltvisor.io/type: "k8s-node"
# Metadata
metadata:
category: kubernetes
density: 30000
boot_time: "<200ms"
ode_capable: false
voltainer_native: true # Uses Voltainer as container runtime

72
configs/images/server.yaml Normal file
View File

@@ -0,0 +1,72 @@
# Volt Image: Server
# Target density: 50,000+ per host
# Unique size: ~5MB per VM
name: volt/server
version: "1.0"
description: "Minimal server VM for headless workloads"
# Base configuration
kernel: kernel-server
userland: musl-minimal
# Resource defaults
defaults:
memory: 256M
cpus: 1
network: default
# Included packages (shared)
packages:
- busybox
- openssl
- curl
- ca-certificates
- tzdata
# Init system
init:
type: busybox
command: /sbin/init
# Shell
shell: /bin/ash
# Security policy
security:
landlock_profile: server
seccomp_profile: server
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
- SETUID
- SETGID
# Filesystem layout
filesystem:
readonly:
- /usr
- /lib
- /bin
- /sbin
writable:
- /tmp
- /var
- /app
# Health check
healthcheck:
type: tcp
port: 8080
interval: 30s
timeout: 5s
retries: 3
# Metadata
metadata:
category: server
density: 50000
boot_time: "<200ms"
ode_capable: false

116
configs/kernels/kernel-desktop.config Normal file
View File

@@ -0,0 +1,116 @@
# Volt Kernel: Desktop Profile
# Optimized for: Interactive use, display, input, ODE
# Size target: ~60MB
# Boot target: <400ms
CONFIG_LOCALVERSION="-volt-desktop"
CONFIG_DEFAULT_HOSTNAME="volt"
#
# Preemption Model: Full (responsive UI)
#
CONFIG_PREEMPT=y
# CONFIG_PREEMPT_NONE is not set
# CONFIG_PREEMPT_VOLUNTARY is not set
#
# Timer Frequency: High (responsive)
#
CONFIG_HZ_1000=y
CONFIG_NO_HZ_IDLE=y
#
# Include all server configs
#
CONFIG_SMP=y
CONFIG_NR_CPUS=64
CONFIG_NUMA=y
#
# Graphics (for ODE capture)
#
CONFIG_DRM=y
CONFIG_DRM_FBDEV_EMULATION=y
CONFIG_DRM_VIRTIO_GPU=y
CONFIG_DRM_SIMPLEDRM=y
CONFIG_FB=y
CONFIG_FB_SIMPLE=y
CONFIG_FRAMEBUFFER_CONSOLE=y
CONFIG_VGA_CONSOLE=y
#
# Input Devices
#
CONFIG_INPUT=y
CONFIG_INPUT_KEYBOARD=y
CONFIG_INPUT_MOUSE=y
CONFIG_INPUT_EVDEV=y
CONFIG_KEYBOARD_ATKBD=y
CONFIG_MOUSE_PS2=y
CONFIG_INPUT_UINPUT=y
#
# Audio (for ODE)
#
CONFIG_SOUND=y
CONFIG_SND=y
CONFIG_SND_TIMER=y
CONFIG_SND_PCM=y
CONFIG_SND_VIRTIO=y
CONFIG_SND_HDA_INTEL=y
#
# USB (for input forwarding)
#
CONFIG_USB_SUPPORT=y
CONFIG_USB=y
CONFIG_USB_HID=y
CONFIG_USB_HIDDEV=y
#
# Security (same as server)
#
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STACKPROTECTOR_STRONG=y
#
# Cgroups, Namespaces (same as server)
#
CONFIG_CGROUPS=y
CONFIG_MEMCG=y
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
#
# Networking
#
CONFIG_NET=y
CONFIG_INET=y
CONFIG_IPV6=y
CONFIG_NETFILTER=y
CONFIG_BRIDGE=y
CONFIG_TUN=y
#
# File Systems
#
CONFIG_EXT4_FS=y
CONFIG_OVERLAY_FS=y
CONFIG_FUSE_FS=y
CONFIG_PROC_FS=y
CONFIG_TMPFS=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
#
# Compression
#
CONFIG_KERNEL_GZIP=y

103
configs/kernels/kernel-minimal.config Normal file
View File

@@ -0,0 +1,103 @@
# Volt Kernel: Minimal Profile
# Optimized for: Appliances, edge, maximum density
# Size target: ~15MB
# Boot target: <100ms
CONFIG_LOCALVERSION="-volt-minimal"
CONFIG_DEFAULT_HOSTNAME="volt"
#
# Embedded Optimizations
#
CONFIG_EMBEDDED=y
CONFIG_EXPERT=y
#
# Preemption: None
#
CONFIG_PREEMPT_NONE=y
CONFIG_HZ_100=y
CONFIG_NO_HZ_FULL=y
#
# Size Optimizations
#
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
CONFIG_SLOB=y
# CONFIG_MODULES is not set
# CONFIG_PRINTK is not set
# CONFIG_BUG is not set
# CONFIG_DEBUG_INFO is not set
# CONFIG_KALLSYMS is not set
# CONFIG_FUTEX is not set
# CONFIG_EPOLL is not set
# CONFIG_SIGNALFD is not set
# CONFIG_TIMERFD is not set
# CONFIG_EVENTFD is not set
# CONFIG_SHMEM is not set
# CONFIG_AIO is not set
#
# Processor (minimal)
#
CONFIG_SMP=n
CONFIG_NR_CPUS=1
#
# Networking (minimal)
#
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IPV6=y
# CONFIG_NETFILTER is not set
# CONFIG_BRIDGE is not set
#
# Security (critical)
#
CONFIG_SECURITY=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_STACKPROTECTOR_STRONG=y
#
# Cgroups (minimal)
#
CONFIG_CGROUPS=y
CONFIG_MEMCG=y
#
# Namespaces (for isolation)
#
CONFIG_NAMESPACES=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
#
# File Systems (minimal)
#
CONFIG_EXT4_FS=y
CONFIG_PROC_FS=y
CONFIG_SYSFS=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
#
# DISABLED (not needed)
#
# CONFIG_DRM is not set
# CONFIG_SOUND is not set
# CONFIG_USB is not set
# CONFIG_INPUT is not set
# CONFIG_VT is not set
# CONFIG_HID is not set
#
# Compression (maximum)
#
CONFIG_KERNEL_XZ=y

136
configs/kernels/kernel-server.config Normal file
View File

@@ -0,0 +1,136 @@
# Volt Kernel: Server Profile
# Optimized for: Headless workloads, maximum density
# Size target: ~30MB
# Boot target: <200ms
#
# General Setup
#
CONFIG_LOCALVERSION="-volt-server"
CONFIG_DEFAULT_HOSTNAME="volt"
CONFIG_SYSVIPC=y
CONFIG_POSIX_MQUEUE=y
CONFIG_USELIB=n
CONFIG_AUDIT=y
#
# Preemption Model: None (server workload)
#
CONFIG_PREEMPT_NONE=y
# CONFIG_PREEMPT_VOLUNTARY is not set
# CONFIG_PREEMPT is not set
#
# Timer Frequency: Low (reduce overhead)
#
CONFIG_HZ_100=y
CONFIG_NO_HZ_IDLE=y
CONFIG_NO_HZ_FULL=y
#
# Processor Features
#
CONFIG_SMP=y
CONFIG_NR_CPUS=256
CONFIG_SCHED_SMT=y
CONFIG_NUMA=y
#
# Memory Management
#
CONFIG_TRANSPARENT_HUGEPAGE=y
CONFIG_TRANSPARENT_HUGEPAGE_ALWAYS=y
CONFIG_ZSWAP=y
CONFIG_ZSMALLOC=y
CONFIG_MEMORY_HOTPLUG=y
#
# Networking (Minimal Server)
#
CONFIG_NET=y
CONFIG_PACKET=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IPV6=y
CONFIG_NETFILTER=y
CONFIG_NF_CONNTRACK=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_BRIDGE=y
CONFIG_VLAN_8021Q=y
CONFIG_VETH=y
CONFIG_TUN=y
#
# Security
#
CONFIG_SECURITY=y
CONFIG_SECURITY_NETWORK=y
CONFIG_SECURITY_LANDLOCK=y
CONFIG_SECCOMP=y
CONFIG_SECCOMP_FILTER=y
CONFIG_SECURITY_YAMA=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_STACKPROTECTOR_STRONG=y
CONFIG_RANDOMIZE_BASE=y
CONFIG_RANDOMIZE_MEMORY=y
#
# Cgroups v2
#
CONFIG_CGROUPS=y
CONFIG_CGROUP_SCHED=y
CONFIG_CGROUP_PIDS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_MEMCG=y
CONFIG_BLK_CGROUP=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
#
# Namespaces
#
CONFIG_NAMESPACES=y
CONFIG_UTS_NS=y
CONFIG_IPC_NS=y
CONFIG_USER_NS=y
CONFIG_PID_NS=y
CONFIG_NET_NS=y
#
# File Systems (Minimal)
#
CONFIG_EXT4_FS=y
CONFIG_XFS_FS=y
CONFIG_BTRFS_FS=y
CONFIG_OVERLAY_FS=y
CONFIG_FUSE_FS=y
CONFIG_PROC_FS=y
CONFIG_SYSFS=y
CONFIG_TMPFS=y
CONFIG_DEVTMPFS=y
CONFIG_DEVTMPFS_MOUNT=y
#
# DISABLED: Not needed for servers
#
# CONFIG_DRM is not set
# CONFIG_SOUND is not set
# CONFIG_USB is not set
# CONFIG_BLUETOOTH is not set
# CONFIG_WIRELESS is not set
# CONFIG_INPUT_JOYSTICK is not set
# CONFIG_INPUT_TABLET is not set
# CONFIG_INPUT_TOUCHSCREEN is not set
#
# Compression/Size Optimization
#
CONFIG_KERNEL_GZIP=y
CONFIG_CC_OPTIMIZE_FOR_SIZE=y
# CONFIG_DEBUG_INFO is not set
# CONFIG_KALLSYMS_ALL is not set

355
configs/landlock/database.landlock Executable file
View File

@@ -0,0 +1,355 @@
# Landlock Policy Template: Database Server (PostgreSQL, MySQL, MongoDB)
# This policy allows database operations with controlled filesystem access
# Version: 1.0
# Policy metadata
policy:
name: database
version: "1.0"
description: "Landlock policy for database servers (PostgreSQL, MySQL, MongoDB, etc.)"
category: database
author: "ArmoredLinux"
# Filesystem access rules
filesystem:
# Read-only access
read_only:
# Configuration files
- path: /etc/postgresql
recursive: true
description: "PostgreSQL configuration"
- path: /etc/mysql
recursive: true
description: "MySQL configuration"
- path: /etc/mongod.conf
recursive: false
description: "MongoDB configuration"
# System libraries
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# SSL/TLS certificates
- path: /etc/ssl/certs
recursive: true
description: "SSL certificates"
# Timezone data (important for timestamp operations)
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# Password files (for authentication)
- path: /etc/passwd
recursive: false
description: "User database"
- path: /etc/group
recursive: false
description: "Group database"
# Read-write access (ephemeral)
read_write_ephemeral:
# Temporary files
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# PostgreSQL runtime
- path: /var/run/postgresql
recursive: true
storage_type: tmpfs
description: "PostgreSQL socket directory"
# MySQL runtime
- path: /var/run/mysqld
recursive: true
storage_type: tmpfs
description: "MySQL socket directory"
# Read-write access (persistent)
read_write_persistent:
# PostgreSQL data directory
- path: /var/lib/postgresql
recursive: true
storage_type: persistent
description: "PostgreSQL data directory"
# MySQL data directory
- path: /var/lib/mysql
recursive: true
storage_type: persistent
description: "MySQL data directory"
# MongoDB data directory
- path: /var/lib/mongodb
recursive: true
storage_type: persistent
description: "MongoDB data directory"
# Logs
- path: /var/log/postgresql
recursive: true
storage_type: persistent
description: "PostgreSQL logs"
- path: /var/log/mysql
recursive: true
storage_type: persistent
description: "MySQL logs"
- path: /var/log/mongodb
recursive: true
storage_type: persistent
description: "MongoDB logs"
# Backup directory (if using pg_dump, mysqldump, etc.)
- path: /var/backups/database
recursive: true
storage_type: persistent
description: "Database backups"
# Execute access
execute:
# Database server binaries
- path: /usr/lib/postgresql/*/bin/postgres
description: "PostgreSQL server"
- path: /usr/sbin/mysqld
description: "MySQL server"
- path: /usr/bin/mongod
description: "MongoDB server"
# Utility binaries (for maintenance scripts)
- path: /usr/bin/pg_dump
description: "PostgreSQL backup utility"
- path: /usr/bin/mysqldump
description: "MySQL backup utility"
# Network access
network:
# Allow binding to database ports
bind_ports:
- port: 5432
protocol: tcp
description: "PostgreSQL"
- port: 3306
protocol: tcp
description: "MySQL/MariaDB"
- port: 27017
protocol: tcp
description: "MongoDB"
- port: 6379
protocol: tcp
description: "Redis"
# Allow outbound connections
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
# NTP (for time synchronization - critical for databases)
- port: 123
protocol: udp
description: "NTP time sync"
# Database replication (PostgreSQL)
- port: 5432
protocol: tcp
description: "PostgreSQL replication"
# Database replication (MySQL)
- port: 3306
protocol: tcp
description: "MySQL replication"
# Capabilities
# Databases need minimal capabilities
capabilities:
# IPC_LOCK allows locking memory (prevents swapping of sensitive data)
- CAP_IPC_LOCK
# SETUID/SETGID for dropping privileges after initialization
- CAP_SETUID
- CAP_SETGID
# CHOWN for managing file ownership
- CAP_CHOWN
# FOWNER for bypassing permission checks on owned files
- CAP_FOWNER
# DAC_READ_SEARCH for reading files during recovery
# - CAP_DAC_READ_SEARCH # Uncomment only if needed
# System calls allowed
syscalls:
allow:
# File operations
- open
- openat
- read
- write
- close
- stat
- fstat
- lstat
- lseek
- mmap
- munmap
- msync
- madvise
- fsync
- fdatasync
- ftruncate
- fallocate
- flock
- unlink
- rename
# Directory operations
- mkdir
- rmdir
- getdents
- getdents64
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- sendmsg
- recvmsg
- setsockopt
- getsockopt
- shutdown
# Process operations
- fork
- clone
- execve
- wait4
- exit
- exit_group
- kill
- getpid
- getppid
# Memory management
- brk
- mmap
- munmap
- mprotect
- mlock
- munlock
- mlockall
- munlockall
# Time
- gettimeofday
- clock_gettime
- clock_nanosleep
- nanosleep
# Synchronization
- futex
- semget
- semop
- semctl
- shmget
- shmat
- shmdt
- shmctl
# Signals
- rt_sigaction
- rt_sigprocmask
- rt_sigreturn
# Enforcement mode
enforcement:
mode: strict
log_violations: true
require_landlock: true
# Security notes
notes: |
Database containers require significant filesystem access for:
1. Data files (MUST be persistent storage)
2. Transaction logs (MUST be persistent storage)
3. Temporary files for sorts and joins
4. Socket files for IPC
CRITICAL SECURITY CONSIDERATIONS:
1. Data Directory Isolation:
- /var/lib/postgresql, /var/lib/mysql, etc. should be on dedicated volumes
- These directories MUST NOT be shared between containers
- Use encryption at rest for sensitive data
2. Network Isolation:
- Bind only to necessary interfaces (not 0.0.0.0 in production)
- Use firewall rules to restrict access to specific clients
- Consider TLS/SSL for all connections
3. Memory Locking:
- CAP_IPC_LOCK allows locking memory to prevent swapping
- Important for preventing sensitive data from being written to swap
- Ensure adequate memory limits in container manifest
4. Backup Security:
- Backup directory should be read-only from application perspective
- Use separate container/process for backup operations
- Encrypt backups and verify integrity
5. Replication:
- For replicated databases, allow outbound connections to replica nodes
- Use separate network namespace for replication traffic
- Verify TLS certificates on replication connections
PERFORMANCE NOTES:
- Use persistent storage (not overlay) for data directories
- Consider using dedicated block devices for I/O intensive workloads
- Monitor for Landlock overhead (should be minimal for database workloads)
Always test policies thoroughly with realistic workloads before production use.

295
configs/landlock/minimal.landlock Executable file
View File

@@ -0,0 +1,295 @@
# Landlock Policy Template: Minimal (Stateless Services)
# This policy provides the absolute minimum filesystem access
# Ideal for stateless microservices, API endpoints, and compute workloads
# Version: 1.0
# Policy metadata
policy:
name: minimal
version: "1.0"
description: "Minimal Landlock policy for stateless services and microservices"
category: minimal
author: "ArmoredLinux"
# Filesystem access rules
# This is an extremely restrictive policy - only ephemeral storage and read-only system files
filesystem:
# Read-only access (minimal system files only)
read_only:
# Timezone data (if application needs time zone conversion)
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# SSL/TLS certificates (for HTTPS clients)
- path: /etc/ssl/certs
recursive: true
description: "SSL CA certificates"
# System libraries (dynamically linked binaries only)
# Comment out if using static binaries
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# Application binary (read-only)
- path: /app
recursive: true
description: "Application code (read-only)"
# Read-write access (ephemeral only - no persistent storage)
read_write_ephemeral:
# Temporary files (tmpfs - memory-backed)
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state (tmpfs)
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# NO persistent storage allowed
read_write_persistent: []
# Execute access (application binary only)
execute:
# Application binary
- path: /app/service
description: "Application binary"
# Dynamic linker (if using dynamically linked binaries)
# Comment out for static binaries
- path: /lib64/ld-linux-x86-64.so.2
description: "Dynamic linker"
- path: /lib/ld-linux.so.2
description: "Dynamic linker (32-bit)"
# NO shell access (critical for security)
# If shell is needed, this is not a minimal container
# Network access
network:
# Allow binding to application port only
bind_ports:
- port: 8080
protocol: tcp
description: "Application HTTP port"
# Allow outbound connections (minimal)
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
- port: 53
protocol: tcp
description: "DNS queries (TCP)"
# HTTPS (for API calls to external services)
- port: 443
protocol: tcp
description: "HTTPS outbound"
# NTP (optional - for time synchronization)
- port: 123
protocol: udp
description: "NTP time sync"
# Backend services (configure as needed)
# - host: backend.example.com
# port: 8000
# protocol: tcp
# description: "Backend API"
# Capabilities
# Minimal containers need almost NO capabilities
capabilities:
# NET_BIND_SERVICE if binding to port < 1024
# Otherwise, NO capabilities needed
# - CAP_NET_BIND_SERVICE
# For truly minimal containers, use an empty list
[]
# System calls allowed (minimal set)
# This is a very restrictive syscall allowlist
syscalls:
allow:
# File operations (read-only)
- open
- openat
- read
- close
- stat
- fstat
- lseek
- mmap
- munmap
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- sendmsg
- recvmsg
- setsockopt
- getsockopt
- shutdown
# Process operations (minimal)
- clone
- exit
- exit_group
- getpid
- wait4
# Memory management
- brk
- mmap
- munmap
- mprotect
# Time
- gettimeofday
- clock_gettime
- nanosleep
# Signals
- rt_sigaction
- rt_sigprocmask
- rt_sigreturn
# Thread operations (if multi-threaded)
- futex
- set_robust_list
- get_robust_list
# I/O multiplexing
- epoll_create
- epoll_create1
- epoll_ctl
- epoll_wait
- epoll_pwait
- poll
- ppoll
- select
- pselect6
# Write (only to allowed paths - enforced by Landlock)
- write
- writev
# Enforcement mode
enforcement:
mode: strict
log_violations: true
require_landlock: true
# Security notes
notes: |
MINIMAL POLICY PHILOSOPHY:
This policy is designed for containers that:
1. Run a SINGLE stateless service
2. Have NO persistent storage requirements
3. Do NOT need shell access
4. Do NOT need file system writes (except /tmp)
5. Communicate only over network
IDEAL USE CASES:
- Stateless HTTP API servers
- Message queue consumers
- Stream processing workers
- Serverless function handlers
- Load balancer frontends
- Reverse proxies
- Caching layers (using external Redis/Memcached)
SECURITY BENEFITS:
1. Attack Surface Reduction:
- No shell = no RCE via shell injection
- No writable persistent storage = no persistence for malware
- Minimal syscalls = reduced kernel attack surface
- No capabilities = no privilege escalation vectors
2. Container Escape Prevention:
- Landlock prevents filesystem access outside allowed paths
- No exec of arbitrary binaries
- No ptrace, no kernel module loading
- No access to sensitive kernel interfaces
3. Data Exfiltration Prevention:
- No writable persistent storage prevents data staging
- Network policies control egress destinations
- Minimal filesystem access limits data visibility
BUILDING MINIMAL CONTAINERS:
For best results with this policy, build containers using:
- Static binaries (no dynamic linking)
- Multi-stage Docker builds (distroless final stage)
- No package managers in final image
- No shells or debugging tools
- No write access to application code directories
Example Dockerfile for minimal container:
```dockerfile
FROM golang:1.21 AS builder
WORKDIR /build
COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o service
FROM scratch
COPY --from=builder /build/service /app/service
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENTRYPOINT ["/app/service"]
```
CONFIGURATION NOTES:
- Adjust /app path to match your application directory
- Add specific backend service hosts to egress rules
- Remove system libraries if using static binaries
- Test thoroughly in permissive mode before enforcing
MONITORING:
Monitor for:
- Landlock violations (indicates policy too restrictive or compromise attempt)
- Unexpected network connections
- High memory usage (could indicate memory leak or abuse)
- Process crashes (could indicate syscall denials)
This is the GOLD STANDARD for Voltainer security. All production services
should strive to use this minimal policy or a close variant.

255
configs/landlock/webserver.landlock Executable file
View File

@@ -0,0 +1,255 @@
# Landlock Policy Template: Web Server (nginx, Apache, Caddy)
# This policy allows typical web server operations with minimal filesystem access
# Version: 1.0
# Policy metadata
policy:
name: webserver
version: "1.0"
description: "Landlock policy for web servers (nginx, Apache, Caddy, etc.)"
category: webserver
author: "ArmoredLinux"
# Filesystem access rules
# Landlock uses an allowlist approach - only explicitly listed paths are accessible
filesystem:
# Read-only access to application files
read_only:
# Web content directory
- path: /var/www
recursive: true
description: "Web content root"
# Configuration files (container-specific)
- path: /etc/nginx
recursive: true
description: "Nginx configuration"
- path: /etc/apache2
recursive: true
description: "Apache configuration"
- path: /etc/caddy
recursive: true
description: "Caddy configuration"
# SSL/TLS certificates
- path: /etc/ssl/certs
recursive: true
description: "SSL certificates"
- path: /etc/letsencrypt
recursive: true
description: "Let's Encrypt certificates"
# System libraries and dependencies
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# Timezone data
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# Read-write access (ephemeral)
read_write_ephemeral:
# Temporary files
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# Read-write access (persistent)
read_write_persistent:
# Logs
- path: /var/log/nginx
recursive: true
storage_type: persistent
description: "Nginx logs"
- path: /var/log/apache2
recursive: true
storage_type: persistent
description: "Apache logs"
- path: /var/log/caddy
recursive: true
storage_type: persistent
description: "Caddy logs"
# Cache directories
- path: /var/cache/nginx
recursive: true
storage_type: persistent
description: "Nginx cache"
- path: /var/cache/apache2
recursive: true
storage_type: persistent
description: "Apache cache"
# Upload directories (if needed)
- path: /var/www/uploads
recursive: true
storage_type: persistent
description: "Upload directory"
# Execute access
execute:
# Web server binaries
- path: /usr/sbin/nginx
description: "Nginx binary"
- path: /usr/sbin/apache2
description: "Apache binary"
- path: /usr/bin/caddy
description: "Caddy binary"
# Shell and utilities (only if needed for CGI/PHP-FPM)
# Comment out if not needed for better security
# - path: /bin/sh
# description: "Shell for CGI scripts"
# Network access
# These are enforced by systemd-nspawn and firewall rules, not Landlock
network:
# Allow binding to these ports
bind_ports:
- port: 80
protocol: tcp
description: "HTTP"
- port: 443
protocol: tcp
description: "HTTPS"
- port: 8080
protocol: tcp
description: "Alternative HTTP"
# Allow outbound connections to these destinations
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
# NTP (for time synchronization)
- port: 123
protocol: udp
description: "NTP time sync"
# Backend API servers (configure as needed)
# - host: backend.example.com
# port: 8000
# protocol: tcp
# description: "Backend API"
# Capabilities (Linux capabilities to grant)
# Web servers typically need very few capabilities
capabilities:
# NET_BIND_SERVICE allows binding to ports < 1024
- CAP_NET_BIND_SERVICE
# CHOWN allows changing file ownership (for uploaded files)
# - CAP_CHOWN # Uncomment if needed
# SETUID/SETGID for dropping privileges
# - CAP_SETUID
# - CAP_SETGID
# System calls allowed (this is a Landlock extension)
# For full control, use seccomp profiles instead
syscalls:
# File operations
allow:
- open
- openat
- read
- write
- close
- stat
- fstat
- lseek
- mmap
- munmap
- sendfile
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- setsockopt
- getsockopt
# Process operations
- fork
- clone
- execve
- wait4
- exit
- exit_group
# Time
- gettimeofday
- clock_gettime
# Enforcement mode
enforcement:
# Mode: strict, permissive, or learning
# - strict: Violations are blocked and logged
# - permissive: Violations are logged but allowed
# - learning: Violations are logged for policy development
mode: strict
# Log violations to syslog
log_violations: true
# Fail closed if Landlock is not available
require_landlock: true
# Security notes
notes: |
This policy is designed for typical web servers serving static content
or proxying to backend services. Adjust paths based on your specific
web server and application requirements.
For PHP applications, you may need to add:
- /usr/bin/php or /usr/bin/php-fpm
- /var/lib/php/sessions (for PHP sessions)
For applications with uploads, ensure /var/www/uploads is writable
and consider additional restrictions on executable permissions.
Always test policies in permissive mode first before enforcing in production.

385
configs/seccomp/default-plus-networking.json Executable file
View File

@@ -0,0 +1,385 @@
{
"comment": "Default seccomp profile with networking support - suitable for most containers",
"defaultAction": "SCMP_ACT_ERRNO",
"defaultErrnoRet": 1,
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
"subArchitectures": [
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
]
},
{
"architecture": "SCMP_ARCH_AARCH64",
"subArchitectures": [
"SCMP_ARCH_ARM"
]
}
],
"syscalls": [
{
"names": [
"accept",
"accept4",
"access",
"adjtimex",
"alarm",
"bind",
"brk",
"capget",
"capset",
"chdir",
"chmod",
"chown",
"chown32",
"clock_adjtime",
"clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
"clock_gettime64",
"clock_nanosleep",
"clock_nanosleep_time64",
"close",
"close_range",
"connect",
"copy_file_range",
"creat",
"dup",
"dup2",
"dup3",
"epoll_create",
"epoll_create1",
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
"epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
"eventfd2",
"execve",
"execveat",
"exit",
"exit_group",
"faccessat",
"faccessat2",
"fadvise64",
"fadvise64_64",
"fallocate",
"fanotify_mark",
"fchdir",
"fchmod",
"fchmodat",
"fchown",
"fchown32",
"fchownat",
"fcntl",
"fcntl64",
"fdatasync",
"fgetxattr",
"flistxattr",
"flock",
"fork",
"fremovexattr",
"fsetxattr",
"fstat",
"fstat64",
"fstatat64",
"fstatfs",
"fstatfs64",
"fsync",
"ftruncate",
"ftruncate64",
"futex",
"futex_time64",
"futex_waitv",
"getcpu",
"getcwd",
"getdents",
"getdents64",
"getegid",
"getegid32",
"geteuid",
"geteuid32",
"getgid",
"getgid32",
"getgroups",
"getgroups32",
"getitimer",
"getpeername",
"getpgid",
"getpgrp",
"getpid",
"getppid",
"getpriority",
"getrandom",
"getresgid",
"getresgid32",
"getresuid",
"getresuid32",
"getrlimit",
"get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
"get_thread_area",
"gettid",
"gettimeofday",
"getuid",
"getuid32",
"getxattr",
"inotify_add_watch",
"inotify_init",
"inotify_init1",
"inotify_rm_watch",
"io_cancel",
"ioctl",
"io_destroy",
"io_getevents",
"io_pgetevents",
"io_pgetevents_time64",
"ioprio_get",
"ioprio_set",
"io_setup",
"io_submit",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"ipc",
"kill",
"lchown",
"lchown32",
"lgetxattr",
"link",
"linkat",
"listen",
"listxattr",
"llistxattr",
"lremovexattr",
"lseek",
"lsetxattr",
"lstat",
"lstat64",
"madvise",
"membarrier",
"memfd_create",
"mincore",
"mkdir",
"mkdirat",
"mknod",
"mknodat",
"mlock",
"mlock2",
"mlockall",
"mmap",
"mmap2",
"mprotect",
"mq_getsetattr",
"mq_notify",
"mq_open",
"mq_timedreceive",
"mq_timedreceive_time64",
"mq_timedsend",
"mq_timedsend_time64",
"mq_unlink",
"mremap",
"msgctl",
"msgget",
"msgrcv",
"msgsnd",
"msync",
"munlock",
"munlockall",
"munmap",
"nanosleep",
"newfstatat",
"open",
"openat",
"openat2",
"pause",
"pipe",
"pipe2",
"poll",
"ppoll",
"ppoll_time64",
"prctl",
"pread64",
"preadv",
"preadv2",
"prlimit64",
"pselect6",
"pselect6_time64",
"pwrite64",
"pwritev",
"pwritev2",
"read",
"readahead",
"readlink",
"readlinkat",
"readv",
"recv",
"recvfrom",
"recvmmsg",
"recvmmsg_time64",
"recvmsg",
"remap_file_pages",
"removexattr",
"rename",
"renameat",
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
"rt_sigqueueinfo",
"rt_sigreturn",
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_sigtimedwait_time64",
"rt_tgsigqueueinfo",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
"sched_get_priority_max",
"sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_rr_get_interval_time64",
"sched_setaffinity",
"sched_setattr",
"sched_setparam",
"sched_setscheduler",
"sched_yield",
"seccomp",
"select",
"semctl",
"semget",
"semop",
"semtimedop",
"semtimedop_time64",
"send",
"sendfile",
"sendfile64",
"sendmmsg",
"sendmsg",
"sendto",
"setfsgid",
"setfsgid32",
"setfsuid",
"setfsuid32",
"setgid",
"setgid32",
"setgroups",
"setgroups32",
"setitimer",
"setpgid",
"setpriority",
"setregid",
"setregid32",
"setresgid",
"setresgid32",
"setresuid",
"setresuid32",
"setreuid",
"setreuid32",
"setrlimit",
"set_robust_list",
"setsid",
"setsockopt",
"set_thread_area",
"set_tid_address",
"setuid",
"setuid32",
"setxattr",
"shmat",
"shmctl",
"shmdt",
"shmget",
"shutdown",
"sigaltstack",
"signalfd",
"signalfd4",
"sigprocmask",
"sigreturn",
"socket",
"socketcall",
"socketpair",
"splice",
"stat",
"stat64",
"statfs",
"statfs64",
"statx",
"symlink",
"symlinkat",
"sync",
"sync_file_range",
"syncfs",
"sysinfo",
"tee",
"tgkill",
"time",
"timer_create",
"timer_delete",
"timer_getoverrun",
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timer_settime64",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
"timerfd_settime",
"timerfd_settime64",
"times",
"tkill",
"truncate",
"truncate64",
"ugetrlimit",
"umask",
"uname",
"unlink",
"unlinkat",
"utime",
"utimensat",
"utimensat_time64",
"utimes",
"vfork",
"vmsplice",
"wait4",
"waitid",
"waitpid",
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW"
},
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 2114060288,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "Allow clone for thread creation only (no CLONE_NEWUSER)"
},
{
"names": [
"clone3"
],
"action": "SCMP_ACT_ERRNO",
"errnoRet": 38,
"comment": "Block clone3 (not widely needed)"
}
]
}

169
configs/seccomp/server.json Normal file
View File

@@ -0,0 +1,169 @@
{
"defaultAction": "SCMP_ACT_ERRNO",
"defaultErrnoRet": 1,
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
"subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]
}
],
"syscalls": [
{
"names": [
"accept", "accept4",
"access", "faccessat", "faccessat2",
"bind",
"brk",
"capget", "capset",
"chdir", "fchdir",
"chmod", "fchmod", "fchmodat",
"chown", "fchown", "fchownat", "lchown",
"clock_getres", "clock_gettime", "clock_nanosleep",
"clone", "clone3",
"close", "close_range",
"connect",
"copy_file_range",
"dup", "dup2", "dup3",
"epoll_create", "epoll_create1", "epoll_ctl", "epoll_pwait", "epoll_wait",
"eventfd", "eventfd2",
"execve", "execveat",
"exit", "exit_group",
"fadvise64",
"fallocate",
"fcntl",
"fdatasync",
"flock",
"fork",
"fstat", "fstatat64", "fstatfs", "fstatfs64",
"fsync",
"ftruncate",
"futex",
"getcpu",
"getcwd",
"getdents", "getdents64",
"getegid", "geteuid", "getgid", "getgroups",
"getitimer",
"getpeername",
"getpgid", "getpgrp", "getpid", "getppid",
"getpriority",
"getrandom",
"getresgid", "getresuid",
"getrlimit",
"getrusage",
"getsid",
"getsockname", "getsockopt",
"gettid",
"gettimeofday",
"getuid",
"inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch",
"io_cancel", "io_destroy", "io_getevents", "io_setup", "io_submit",
"ioctl",
"kill",
"lgetxattr", "listxattr", "llistxattr",
"listen",
"lseek",
"lstat",
"madvise",
"memfd_create",
"mincore",
"mkdir", "mkdirat",
"mknod", "mknodat",
"mlock", "mlock2", "mlockall",
"mmap",
"mount",
"mprotect",
"mremap",
"msgctl", "msgget", "msgrcv", "msgsnd",
"msync",
"munlock", "munlockall",
"munmap",
"nanosleep",
"newfstatat",
"open", "openat", "openat2",
"pause",
"pipe", "pipe2",
"poll", "ppoll",
"prctl",
"pread64", "preadv", "preadv2",
"prlimit64",
"pselect6",
"pwrite64", "pwritev", "pwritev2",
"read", "readahead", "readlink", "readlinkat", "readv",
"recv", "recvfrom", "recvmmsg", "recvmsg",
"rename", "renameat", "renameat2",
"restart_syscall",
"rmdir",
"rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo",
"rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_tgsigqueueinfo",
"sched_getaffinity", "sched_getattr", "sched_getparam", "sched_getscheduler",
"sched_get_priority_max", "sched_get_priority_min",
"sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler",
"sched_yield",
"seccomp",
"select",
"semctl", "semget", "semop", "semtimedop",
"send", "sendfile", "sendmmsg", "sendmsg", "sendto",
"set_robust_list",
"set_tid_address",
"setfsgid", "setfsuid",
"setgid", "setgroups",
"setitimer",
"setpgid", "setpriority",
"setregid", "setresgid", "setresuid", "setreuid",
"setsid",
"setsockopt",
"setuid",
"shmat", "shmctl", "shmdt", "shmget",
"shutdown",
"sigaltstack",
"signalfd", "signalfd4",
"socket", "socketpair",
"splice",
"stat", "statfs", "statx",
"symlink", "symlinkat",
"sync", "syncfs", "sync_file_range",
"sysinfo",
"tee",
"tgkill", "tkill",
"truncate",
"umask",
"umount2",
"uname",
"unlink", "unlinkat",
"utime", "utimensat", "utimes",
"vfork",
"vmsplice",
"wait4", "waitid", "waitpid",
"write", "writev"
],
"action": "SCMP_ACT_ALLOW"
},
{
"names": ["personality"],
"action": "SCMP_ACT_ALLOW",
"args": [
{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"},
{"index": 0, "value": 8, "op": "SCMP_CMP_EQ"},
{"index": 0, "value": 131072, "op": "SCMP_CMP_EQ"},
{"index": 0, "value": 131080, "op": "SCMP_CMP_EQ"},
{"index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ"}
]
},
{
"names": ["arch_prctl"],
"action": "SCMP_ACT_ALLOW",
"args": [
{"index": 0, "value": 4098, "op": "SCMP_CMP_EQ"}
]
},
{
"names": ["socket"],
"action": "SCMP_ACT_ALLOW",
"args": [
{"index": 0, "value": 1, "op": "SCMP_CMP_EQ"},
{"index": 0, "value": 2, "op": "SCMP_CMP_EQ"},
{"index": 0, "value": 10, "op": "SCMP_CMP_EQ"}
]
}
]
}

386
configs/seccomp/strict.json Executable file
View File

@@ -0,0 +1,386 @@
{
"comment": "Strict seccomp profile for minimal containers - blocks dangerous syscalls and restricts to essential operations only",
"defaultAction": "SCMP_ACT_ERRNO",
"defaultErrnoRet": 1,
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
"subArchitectures": [
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
]
},
{
"architecture": "SCMP_ARCH_AARCH64",
"subArchitectures": [
"SCMP_ARCH_ARM"
]
}
],
"syscalls": [
{
"names": [
"accept",
"accept4",
"access",
"alarm",
"bind",
"brk",
"capget",
"chdir",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
"clock_gettime64",
"clock_nanosleep",
"clock_nanosleep_time64",
"close",
"close_range",
"connect",
"dup",
"dup2",
"dup3",
"epoll_create",
"epoll_create1",
"epoll_ctl",
"epoll_pwait",
"epoll_pwait2",
"epoll_wait",
"eventfd",
"eventfd2",
"execve",
"execveat",
"exit",
"exit_group",
"faccessat",
"faccessat2",
"fadvise64",
"fadvise64_64",
"fcntl",
"fcntl64",
"fdatasync",
"fstat",
"fstat64",
"fstatat64",
"fstatfs",
"fstatfs64",
"fsync",
"futex",
"futex_time64",
"futex_waitv",
"getcpu",
"getcwd",
"getdents",
"getdents64",
"getegid",
"getegid32",
"geteuid",
"geteuid32",
"getgid",
"getgid32",
"getgroups",
"getgroups32",
"getpeername",
"getpgid",
"getpgrp",
"getpid",
"getppid",
"getpriority",
"getrandom",
"getresgid",
"getresgid32",
"getresuid",
"getresuid32",
"getrlimit",
"get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
"get_thread_area",
"gettid",
"gettimeofday",
"getuid",
"getuid32",
"ioctl",
"kill",
"listen",
"lseek",
"lstat",
"lstat64",
"madvise",
"membarrier",
"mincore",
"mmap",
"mmap2",
"mprotect",
"mremap",
"msync",
"munmap",
"nanosleep",
"newfstatat",
"open",
"openat",
"openat2",
"pause",
"pipe",
"pipe2",
"poll",
"ppoll",
"ppoll_time64",
"prctl",
"pread64",
"preadv",
"preadv2",
"prlimit64",
"pselect6",
"pselect6_time64",
"pwrite64",
"pwritev",
"pwritev2",
"read",
"readlink",
"readlinkat",
"readv",
"recv",
"recvfrom",
"recvmmsg",
"recvmmsg_time64",
"recvmsg",
"restart_syscall",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
"rt_sigqueueinfo",
"rt_sigreturn",
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_sigtimedwait_time64",
"rt_tgsigqueueinfo",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
"sched_get_priority_max",
"sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_rr_get_interval_time64",
"sched_setaffinity",
"sched_setattr",
"sched_setparam",
"sched_setscheduler",
"sched_yield",
"seccomp",
"select",
"send",
"sendfile",
"sendfile64",
"sendmmsg",
"sendmsg",
"sendto",
"setfsgid",
"setfsgid32",
"setfsuid",
"setfsuid32",
"setgid",
"setgid32",
"setgroups",
"setgroups32",
"setpgid",
"setpriority",
"setregid",
"setregid32",
"setresgid",
"setresgid32",
"setresuid",
"setresuid32",
"setreuid",
"setreuid32",
"setrlimit",
"set_robust_list",
"setsid",
"setsockopt",
"set_thread_area",
"set_tid_address",
"setuid",
"setuid32",
"shutdown",
"sigaltstack",
"signalfd",
"signalfd4",
"sigprocmask",
"sigreturn",
"socket",
"socketcall",
"socketpair",
"stat",
"stat64",
"statfs",
"statfs64",
"statx",
"sysinfo",
"tgkill",
"time",
"timer_create",
"timer_delete",
"timer_getoverrun",
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timer_settime64",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
"timerfd_settime",
"timerfd_settime64",
"times",
"tkill",
"ugetrlimit",
"umask",
"uname",
"wait4",
"waitid",
"waitpid",
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW",
"comment": "Essential syscalls for stateless services"
},
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 2114060288,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "Allow clone for thread creation only (no CLONE_NEWUSER)"
}
],
"blockedSyscalls": {
"comment": "Explicitly blocked dangerous syscalls",
"syscalls": [
{
"names": [
"acct",
"add_key",
"bpf",
"clock_adjtime",
"clock_adjtime64",
"clock_settime",
"clock_settime64",
"clone3",
"create_module",
"delete_module",
"finit_module",
"get_kernel_syms",
"get_mempolicy",
"init_module",
"ioperm",
"iopl",
"kcmp",
"kexec_file_load",
"kexec_load",
"keyctl",
"lookup_dcookie",
"mbind",
"migrate_pages",
"modify_ldt",
"mount",
"move_pages",
"name_to_handle_at",
"nfsservctl",
"open_by_handle_at",
"perf_event_open",
"personality",
"pivot_root",
"process_vm_readv",
"process_vm_writev",
"ptrace",
"query_module",
"quotactl",
"quotactl_fd",
"reboot",
"request_key",
"set_mempolicy",
"setdomainname",
"sethostname",
"settimeofday",
"setns",
"stime",
"swapoff",
"swapon",
"sysfs",
"syslog",
"_sysctl",
"umount",
"umount2",
"unshare",
"uselib",
"userfaultfd",
"ustat",
"vm86",
"vm86old"
],
"action": "SCMP_ACT_ERRNO",
"errnoRet": 1,
"comment": "Block dangerous administrative and privileged syscalls"
}
]
},
"notes": {
"description": "Strict seccomp profile for minimal, stateless containers",
"use_cases": [
"Stateless API servers",
"Message queue consumers",
"Stream processing workers",
"Serverless functions",
"Minimal microservices"
],
"blocked_operations": [
"Kernel module loading",
"System time modification",
"Host mounting/unmounting",
"Process tracing (ptrace)",
"Namespace manipulation",
"BPF operations",
"Key management",
"Performance monitoring",
"Memory policy",
"Reboot/shutdown"
],
"allowed_operations": [
"File I/O (limited by Landlock)",
"Network operations",
"Thread management",
"Time reading",
"Signal handling",
"Memory management",
"Process management (limited)"
],
"security_notes": [
"This profile blocks all administrative syscalls",
"No kernel modification allowed",
"No debugging/tracing capabilities",
"No namespace creation (except thread cloning)",
"No module loading or unloading",
"No time manipulation",
"No host filesystem mounting",
"Combine with Landlock for filesystem restrictions",
"Use with minimal capabilities (ideally none)"
],
"testing": [
"Test thoroughly with your application before production",
"Monitor for SCMP_ACT_ERRNO returns (syscall denials)",
"Check logs for unexpected syscall usage",
"Use strace during testing to identify required syscalls",
"Example: strace -c -f -S name your-app 2>&1 | tail -n +3 | head -n -2 | awk '{print $NF}' | sort -u"
]
}
}

226
configs/sysctl/90-armored-hardening.conf Executable file
View File

@@ -0,0 +1,226 @@
# Armored Linux - Kernel Hardening Configuration
# Applied via sysctl at boot and during provisioning
# These settings provide defense-in-depth for container isolation
# ===================================
# Kernel Hardening
# ===================================
# Restrict access to kernel logs (prevent information leakage)
kernel.dmesg_restrict = 1
# Restrict access to kernel pointers in /proc
kernel.kptr_restrict = 2
# Disable kernel profiling by unprivileged users
kernel.perf_event_paranoid = 3
# Restrict loading of TTY line disciplines
dev.tty.ldisc_autoload = 0
# Enable kernel address space layout randomization
kernel.randomize_va_space = 2
# Restrict ptrace to parent-child relationships only
kernel.yama.ptrace_scope = 1
# Disable core dumps for setuid programs
fs.suid_dumpable = 0
# Enable ExecShield (if available)
kernel.exec-shield = 1
# Restrict BPF (Berkeley Packet Filter) to privileged users only
kernel.unprivileged_bpf_disabled = 1
# Harden BPF JIT compiler against attacks
net.core.bpf_jit_harden = 2
# Restrict kernel module loading (if using signed modules)
# kernel.modules_disabled = 1 # Uncomment to prevent module loading after boot
# Restrict userfaultfd to privileged processes (prevents some exploits)
vm.unprivileged_userfaultfd = 0
# ===================================
# Memory Management
# ===================================
# Restrict mmap to reasonable ranges
vm.mmap_min_addr = 65536
# Overcommit memory handling (be more conservative)
vm.overcommit_memory = 1
vm.overcommit_ratio = 50
# Panic on out-of-memory instead of killing random processes
vm.panic_on_oom = 0
# ===================================
# Network Security
# ===================================
# Disable IPv4 forwarding (unless this is a router)
net.ipv4.ip_forward = 0
# Disable IPv6 forwarding (unless this is a router)
net.ipv6.conf.all.forwarding = 0
# Enable TCP SYN cookies (DDoS protection)
net.ipv4.tcp_syncookies = 1
# Disable ICMP redirect acceptance
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Enable reverse path filtering (prevent IP spoofing)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# Ignore ICMP echo requests (ping)
net.ipv4.icmp_echo_ignore_all = 0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable TCP timestamps for better performance
net.ipv4.tcp_timestamps = 1
# ===================================
# Container Isolation (Voltainer Security)
# ===================================
# These settings enhance security for systemd-nspawn containers
# Voltainer uses systemd-nspawn as the container runtime, which benefits from
# strict namespace isolation and seccomp filtering
# Restrict access to /proc/<pid>/net for containers
kernel.perf_event_paranoid = 3
# Limit number of user namespaces (0 = unlimited, use with caution)
# user.max_user_namespaces = 10000
# Restrict unprivileged user namespaces (some distros require this for containers)
# Note: systemd-nspawn typically runs as root, so this affects other containerization
# kernel.unprivileged_userns_clone = 1
# Namespace restrictions for container isolation
# These help prevent container escape and privilege escalation
# kernel.yama.ptrace_scope already set above (value 1)
# Enable strict seccomp filtering support
# Voltainer applies seccomp filters defined in container manifests
# No additional sysctl needed - enabled by kernel config
# ===================================
# File System Security
# ===================================
# Protected hardlinks (prevent hardlink exploits)
fs.protected_hardlinks = 1
# Protected symlinks (prevent symlink exploits)
fs.protected_symlinks = 1
# Protected fifos
fs.protected_fifos = 2
# Protected regular files
fs.protected_regular = 2
# ===================================
# IPC Restrictions
# ===================================
# Maximum number of message queues
kernel.msgmnb = 65536
kernel.msgmax = 65536
# Maximum shared memory segment size
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
# ===================================
# Security Modules
# ===================================
# AppArmor/SELinux enforcement (if using)
# These are typically managed by the security module itself
# ===================================
# System Limits
# ===================================
# Maximum number of open files
fs.file-max = 2097152
# Maximum number of inotify watches (for monitoring)
fs.inotify.max_user_watches = 524288
fs.inotify.max_user_instances = 512
# Maximum number of PIDs
kernel.pid_max = 4194304
# ===================================
# Logging and Auditing
# ===================================
# Keep kernel logs for debugging (but restrict access)
kernel.printk = 3 3 3 3
# ===================================
# Performance Tuning (Container-Aware)
# ===================================
# Connection tracking for containers
net.netfilter.nf_conntrack_max = 262144
# TCP keepalive settings
net.ipv4.tcp_keepalive_time = 600
net.ipv4.tcp_keepalive_intvl = 60
net.ipv4.tcp_keepalive_probes = 3
# TCP buffer sizes (optimized for container networking)
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# Maximum connection backlog
net.core.somaxconn = 32768
net.core.netdev_max_backlog = 5000
# ===================================
# Panic Behavior
# ===================================
# Reboot after kernel panic (10 seconds)
kernel.panic = 10
kernel.panic_on_oops = 1
# ===================================
# Notes
# ===================================
# This configuration provides a secure baseline for Armored Linux nodes.
# Some settings may need adjustment based on:
# - Container workload requirements
# - Network topology
# - Hardware capabilities
# - Specific security compliance requirements
#
# DevNodes may override some settings via detect-node-type.sh for debugging.

73
configs/systemd/volt-vm@.service Normal file
View File

@@ -0,0 +1,73 @@
# Volt VM SystemD Unit Template
# Usage: systemctl start volt-vm@myvm.service
[Unit]
Description=Volt VM %i
Documentation=https://voltvisor.io
After=network.target volt-runtime.service
Requires=volt-runtime.service
Wants=volt-network.service
[Service]
Type=notify
NotifyAccess=all
# VM Runtime
ExecStartPre=/usr/bin/volt-runtime prepare %i
ExecStart=/usr/bin/volt-runtime run %i
ExecStop=/usr/bin/volt-runtime stop %i
ExecStopPost=/usr/bin/volt-runtime cleanup %i
# Restart policy
Restart=on-failure
RestartSec=5s
TimeoutStartSec=30s
TimeoutStopSec=30s
# Resource limits via cgroups v2
# These are defaults, overridden per-VM in drop-in files
MemoryMax=512M
MemoryHigh=400M
CPUQuota=100%
TasksMax=4096
IOWeight=100
# Security hardening
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectHostname=yes
ProtectClock=yes
RestrictNamespaces=no
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
MemoryDenyWriteExecute=no
RemoveIPC=yes
# Capabilities
CapabilityBoundingSet=CAP_NET_ADMIN CAP_NET_BIND_SERVICE CAP_SYS_ADMIN CAP_SETUID CAP_SETGID CAP_MKNOD
AmbientCapabilities=
# Namespaces (used for VM isolation)
PrivateUsers=yes
PrivateNetwork=no
PrivateMounts=yes
# Filesystem restrictions
ReadWritePaths=/var/lib/volt/vms/%i
ReadOnlyPaths=/var/lib/volt/kernels /var/lib/volt/images
InaccessiblePaths=/home /root
# Logging
StandardOutput=journal
StandardError=journal
SyslogIdentifier=volt-vm-%i
[Install]
WantedBy=multi-user.target