ArmoredGate/volt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Volt CLI: source-available under AGPSL v5.0

Browse Source 
Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
This commit is contained in:
Karl Clinger
2026-03-21 00:30:23 -05:00
commit 0ebe75b2ca
155 changed files with 63317 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

355
configs/landlock/database.landlock Executable file
View File

@@ -0,0 +1,355 @@
# Landlock Policy Template: Database Server (PostgreSQL, MySQL, MongoDB)
# This policy allows database operations with controlled filesystem access
# Version: 1.0
# Policy metadata
policy:
name: database
version: "1.0"
description: "Landlock policy for database servers (PostgreSQL, MySQL, MongoDB, etc.)"
category: database
author: "ArmoredLinux"
# Filesystem access rules
filesystem:
# Read-only access
read_only:
# Configuration files
- path: /etc/postgresql
recursive: true
description: "PostgreSQL configuration"
- path: /etc/mysql
recursive: true
description: "MySQL configuration"
- path: /etc/mongod.conf
recursive: false
description: "MongoDB configuration"
# System libraries
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# SSL/TLS certificates
- path: /etc/ssl/certs
recursive: true
description: "SSL certificates"
# Timezone data (important for timestamp operations)
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# Password files (for authentication)
- path: /etc/passwd
recursive: false
description: "User database"
- path: /etc/group
recursive: false
description: "Group database"
# Read-write access (ephemeral)
read_write_ephemeral:
# Temporary files
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# PostgreSQL runtime
- path: /var/run/postgresql
recursive: true
storage_type: tmpfs
description: "PostgreSQL socket directory"
# MySQL runtime
- path: /var/run/mysqld
recursive: true
storage_type: tmpfs
description: "MySQL socket directory"
# Read-write access (persistent)
read_write_persistent:
# PostgreSQL data directory
- path: /var/lib/postgresql
recursive: true
storage_type: persistent
description: "PostgreSQL data directory"
# MySQL data directory
- path: /var/lib/mysql
recursive: true
storage_type: persistent
description: "MySQL data directory"
# MongoDB data directory
- path: /var/lib/mongodb
recursive: true
storage_type: persistent
description: "MongoDB data directory"
# Logs
- path: /var/log/postgresql
recursive: true
storage_type: persistent
description: "PostgreSQL logs"
- path: /var/log/mysql
recursive: true
storage_type: persistent
description: "MySQL logs"
- path: /var/log/mongodb
recursive: true
storage_type: persistent
description: "MongoDB logs"
# Backup directory (if using pg_dump, mysqldump, etc.)
- path: /var/backups/database
recursive: true
storage_type: persistent
description: "Database backups"
# Execute access
execute:
# Database server binaries
- path: /usr/lib/postgresql/*/bin/postgres
description: "PostgreSQL server"
- path: /usr/sbin/mysqld
description: "MySQL server"
- path: /usr/bin/mongod
description: "MongoDB server"
# Utility binaries (for maintenance scripts)
- path: /usr/bin/pg_dump
description: "PostgreSQL backup utility"
- path: /usr/bin/mysqldump
description: "MySQL backup utility"
# Network access
network:
# Allow binding to database ports
bind_ports:
- port: 5432
protocol: tcp
description: "PostgreSQL"
- port: 3306
protocol: tcp
description: "MySQL/MariaDB"
- port: 27017
protocol: tcp
description: "MongoDB"
- port: 6379
protocol: tcp
description: "Redis"
# Allow outbound connections
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
# NTP (for time synchronization - critical for databases)
- port: 123
protocol: udp
description: "NTP time sync"
# Database replication (PostgreSQL)
- port: 5432
protocol: tcp
description: "PostgreSQL replication"
# Database replication (MySQL)
- port: 3306
protocol: tcp
description: "MySQL replication"
# Capabilities
# Databases need minimal capabilities
capabilities:
# IPC_LOCK allows locking memory (prevents swapping of sensitive data)
- CAP_IPC_LOCK
# SETUID/SETGID for dropping privileges after initialization
- CAP_SETUID
- CAP_SETGID
# CHOWN for managing file ownership
- CAP_CHOWN
# FOWNER for bypassing permission checks on owned files
- CAP_FOWNER
# DAC_READ_SEARCH for reading files during recovery
# - CAP_DAC_READ_SEARCH # Uncomment only if needed
# System calls allowed
syscalls:
allow:
# File operations
- open
- openat
- read
- write
- close
- stat
- fstat
- lstat
- lseek
- mmap
- munmap
- msync
- madvise
- fsync
- fdatasync
- ftruncate
- fallocate
- flock
- unlink
- rename
# Directory operations
- mkdir
- rmdir
- getdents
- getdents64
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- sendmsg
- recvmsg
- setsockopt
- getsockopt
- shutdown
# Process operations
- fork
- clone
- execve
- wait4
- exit
- exit_group
- kill
- getpid
- getppid
# Memory management
- brk
- mmap
- munmap
- mprotect
- mlock
- munlock
- mlockall
- munlockall
# Time
- gettimeofday
- clock_gettime
- clock_nanosleep
- nanosleep
# Synchronization
- futex
- semget
- semop
- semctl
- shmget
- shmat
- shmdt
- shmctl
# Signals
- rt_sigaction
- rt_sigprocmask
- rt_sigreturn
# Enforcement mode
enforcement:
mode: strict
log_violations: true
require_landlock: true
# Security notes
notes: |
Database containers require significant filesystem access for:
1. Data files (MUST be persistent storage)
2. Transaction logs (MUST be persistent storage)
3. Temporary files for sorts and joins
4. Socket files for IPC
CRITICAL SECURITY CONSIDERATIONS:
1. Data Directory Isolation:
- /var/lib/postgresql, /var/lib/mysql, etc. should be on dedicated volumes
- These directories MUST NOT be shared between containers
- Use encryption at rest for sensitive data
2. Network Isolation:
- Bind only to necessary interfaces (not 0.0.0.0 in production)
- Use firewall rules to restrict access to specific clients
- Consider TLS/SSL for all connections
3. Memory Locking:
- CAP_IPC_LOCK allows locking memory to prevent swapping
- Important for preventing sensitive data from being written to swap
- Ensure adequate memory limits in container manifest
4. Backup Security:
- Backup directory should be read-only from application perspective
- Use separate container/process for backup operations
- Encrypt backups and verify integrity
5. Replication:
- For replicated databases, allow outbound connections to replica nodes
- Use separate network namespace for replication traffic
- Verify TLS certificates on replication connections
PERFORMANCE NOTES:
- Use persistent storage (not overlay) for data directories
- Consider using dedicated block devices for I/O intensive workloads
- Monitor for Landlock overhead (should be minimal for database workloads)
Always test policies thoroughly with realistic workloads before production use.

295
configs/landlock/minimal.landlock Executable file
View File

@@ -0,0 +1,295 @@
# Landlock Policy Template: Minimal (Stateless Services)
# This policy provides the absolute minimum filesystem access
# Ideal for stateless microservices, API endpoints, and compute workloads
# Version: 1.0
# Policy metadata
policy:
name: minimal
version: "1.0"
description: "Minimal Landlock policy for stateless services and microservices"
category: minimal
author: "ArmoredLinux"
# Filesystem access rules
# This is an extremely restrictive policy - only ephemeral storage and read-only system files
filesystem:
# Read-only access (minimal system files only)
read_only:
# Timezone data (if application needs time zone conversion)
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# SSL/TLS certificates (for HTTPS clients)
- path: /etc/ssl/certs
recursive: true
description: "SSL CA certificates"
# System libraries (dynamically linked binaries only)
# Comment out if using static binaries
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# Application binary (read-only)
- path: /app
recursive: true
description: "Application code (read-only)"
# Read-write access (ephemeral only - no persistent storage)
read_write_ephemeral:
# Temporary files (tmpfs - memory-backed)
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state (tmpfs)
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# NO persistent storage allowed
read_write_persistent: []
# Execute access (application binary only)
execute:
# Application binary
- path: /app/service
description: "Application binary"
# Dynamic linker (if using dynamically linked binaries)
# Comment out for static binaries
- path: /lib64/ld-linux-x86-64.so.2
description: "Dynamic linker"
- path: /lib/ld-linux.so.2
description: "Dynamic linker (32-bit)"
# NO shell access (critical for security)
# If shell is needed, this is not a minimal container
# Network access
network:
# Allow binding to application port only
bind_ports:
- port: 8080
protocol: tcp
description: "Application HTTP port"
# Allow outbound connections (minimal)
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
- port: 53
protocol: tcp
description: "DNS queries (TCP)"
# HTTPS (for API calls to external services)
- port: 443
protocol: tcp
description: "HTTPS outbound"
# NTP (optional - for time synchronization)
- port: 123
protocol: udp
description: "NTP time sync"
# Backend services (configure as needed)
# - host: backend.example.com
# port: 8000
# protocol: tcp
# description: "Backend API"
# Capabilities
# Minimal containers need almost NO capabilities
capabilities:
# NET_BIND_SERVICE if binding to port < 1024
# Otherwise, NO capabilities needed
# - CAP_NET_BIND_SERVICE
# For truly minimal containers, use an empty list
[]
# System calls allowed (minimal set)
# This is a very restrictive syscall allowlist
syscalls:
allow:
# File operations (read-only)
- open
- openat
- read
- close
- stat
- fstat
- lseek
- mmap
- munmap
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- sendmsg
- recvmsg
- setsockopt
- getsockopt
- shutdown
# Process operations (minimal)
- clone
- exit
- exit_group
- getpid
- wait4
# Memory management
- brk
- mmap
- munmap
- mprotect
# Time
- gettimeofday
- clock_gettime
- nanosleep
# Signals
- rt_sigaction
- rt_sigprocmask
- rt_sigreturn
# Thread operations (if multi-threaded)
- futex
- set_robust_list
- get_robust_list
# I/O multiplexing
- epoll_create
- epoll_create1
- epoll_ctl
- epoll_wait
- epoll_pwait
- poll
- ppoll
- select
- pselect6
# Write (only to allowed paths - enforced by Landlock)
- write
- writev
# Enforcement mode
enforcement:
mode: strict
log_violations: true
require_landlock: true
# Security notes
notes: |
MINIMAL POLICY PHILOSOPHY:
This policy is designed for containers that:
1. Run a SINGLE stateless service
2. Have NO persistent storage requirements
3. Do NOT need shell access
4. Do NOT need file system writes (except /tmp)
5. Communicate only over network
IDEAL USE CASES:
- Stateless HTTP API servers
- Message queue consumers
- Stream processing workers
- Serverless function handlers
- Load balancer frontends
- Reverse proxies
- Caching layers (using external Redis/Memcached)
SECURITY BENEFITS:
1. Attack Surface Reduction:
- No shell = no RCE via shell injection
- No writable persistent storage = no persistence for malware
- Minimal syscalls = reduced kernel attack surface
- No capabilities = no privilege escalation vectors
2. Container Escape Prevention:
- Landlock prevents filesystem access outside allowed paths
- No exec of arbitrary binaries
- No ptrace, no kernel module loading
- No access to sensitive kernel interfaces
3. Data Exfiltration Prevention:
- No writable persistent storage prevents data staging
- Network policies control egress destinations
- Minimal filesystem access limits data visibility
BUILDING MINIMAL CONTAINERS:
For best results with this policy, build containers using:
- Static binaries (no dynamic linking)
- Multi-stage Docker builds (distroless final stage)
- No package managers in final image
- No shells or debugging tools
- No write access to application code directories
Example Dockerfile for minimal container:
```dockerfile
FROM golang:1.21 AS builder
WORKDIR /build
COPY . .
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o service
FROM scratch
COPY --from=builder /build/service /app/service
COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
ENTRYPOINT ["/app/service"]
```
CONFIGURATION NOTES:
- Adjust /app path to match your application directory
- Add specific backend service hosts to egress rules
- Remove system libraries if using static binaries
- Test thoroughly in permissive mode before enforcing
MONITORING:
Monitor for:
- Landlock violations (indicates policy too restrictive or compromise attempt)
- Unexpected network connections
- High memory usage (could indicate memory leak or abuse)
- Process crashes (could indicate syscall denials)
This is the GOLD STANDARD for Voltainer security. All production services
should strive to use this minimal policy or a close variant.

255
configs/landlock/webserver.landlock Executable file
View File

@@ -0,0 +1,255 @@
# Landlock Policy Template: Web Server (nginx, Apache, Caddy)
# This policy allows typical web server operations with minimal filesystem access
# Version: 1.0
# Policy metadata
policy:
name: webserver
version: "1.0"
description: "Landlock policy for web servers (nginx, Apache, Caddy, etc.)"
category: webserver
author: "ArmoredLinux"
# Filesystem access rules
# Landlock uses an allowlist approach - only explicitly listed paths are accessible
filesystem:
# Read-only access to application files
read_only:
# Web content directory
- path: /var/www
recursive: true
description: "Web content root"
# Configuration files (container-specific)
- path: /etc/nginx
recursive: true
description: "Nginx configuration"
- path: /etc/apache2
recursive: true
description: "Apache configuration"
- path: /etc/caddy
recursive: true
description: "Caddy configuration"
# SSL/TLS certificates
- path: /etc/ssl/certs
recursive: true
description: "SSL certificates"
- path: /etc/letsencrypt
recursive: true
description: "Let's Encrypt certificates"
# System libraries and dependencies
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# Timezone data
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# Read-write access (ephemeral)
read_write_ephemeral:
# Temporary files
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# Read-write access (persistent)
read_write_persistent:
# Logs
- path: /var/log/nginx
recursive: true
storage_type: persistent
description: "Nginx logs"
- path: /var/log/apache2
recursive: true
storage_type: persistent
description: "Apache logs"
- path: /var/log/caddy
recursive: true
storage_type: persistent
description: "Caddy logs"
# Cache directories
- path: /var/cache/nginx
recursive: true
storage_type: persistent
description: "Nginx cache"
- path: /var/cache/apache2
recursive: true
storage_type: persistent
description: "Apache cache"
# Upload directories (if needed)
- path: /var/www/uploads
recursive: true
storage_type: persistent
description: "Upload directory"
# Execute access
execute:
# Web server binaries
- path: /usr/sbin/nginx
description: "Nginx binary"
- path: /usr/sbin/apache2
description: "Apache binary"
- path: /usr/bin/caddy
description: "Caddy binary"
# Shell and utilities (only if needed for CGI/PHP-FPM)
# Comment out if not needed for better security
# - path: /bin/sh
# description: "Shell for CGI scripts"
# Network access
# These are enforced by systemd-nspawn and firewall rules, not Landlock
network:
# Allow binding to these ports
bind_ports:
- port: 80
protocol: tcp
description: "HTTP"
- port: 443
protocol: tcp
description: "HTTPS"
- port: 8080
protocol: tcp
description: "Alternative HTTP"
# Allow outbound connections to these destinations
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
# NTP (for time synchronization)
- port: 123
protocol: udp
description: "NTP time sync"
# Backend API servers (configure as needed)
# - host: backend.example.com
# port: 8000
# protocol: tcp
# description: "Backend API"
# Capabilities (Linux capabilities to grant)
# Web servers typically need very few capabilities
capabilities:
# NET_BIND_SERVICE allows binding to ports < 1024
- CAP_NET_BIND_SERVICE
# CHOWN allows changing file ownership (for uploaded files)
# - CAP_CHOWN # Uncomment if needed
# SETUID/SETGID for dropping privileges
# - CAP_SETUID
# - CAP_SETGID
# System calls allowed (this is a Landlock extension)
# For full control, use seccomp profiles instead
syscalls:
# File operations
allow:
- open
- openat
- read
- write
- close
- stat
- fstat
- lseek
- mmap
- munmap
- sendfile
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- setsockopt
- getsockopt
# Process operations
- fork
- clone
- execve
- wait4
- exit
- exit_group
# Time
- gettimeofday
- clock_gettime
# Enforcement mode
enforcement:
# Mode: strict, permissive, or learning
# - strict: Violations are blocked and logged
# - permissive: Violations are logged but allowed
# - learning: Violations are logged for policy development
mode: strict
# Log violations to syslog
log_violations: true
# Fail closed if Landlock is not available
require_landlock: true
# Security notes
notes: |
This policy is designed for typical web servers serving static content
or proxying to backend services. Adjust paths based on your specific
web server and application requirements.
For PHP applications, you may need to add:
- /usr/bin/php or /usr/bin/php-fpm
- /var/lib/php/sessions (for PHP sessions)
For applications with uploads, ensure /var/www/uploads is writable
and consider additional restrictions on executable permissions.
Always test policies in permissive mode first before enforcing in production.