Volt CLI: source-available under AGPSL v5.0

Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
This commit is contained in:
Karl Clinger
2026-03-21 00:30:23 -05:00
commit 0ebe75b2ca
155 changed files with 63317 additions and 0 deletions


@@ -0,0 +1,385 @@
{
"comment": "Default seccomp profile with networking support - suitable for most containers",
"defaultAction": "SCMP_ACT_ERRNO",
"defaultErrnoRet": 1,
"archMap": [
{
"architecture": "SCMP_ARCH_X86_64",
"subArchitectures": [
"SCMP_ARCH_X86",
"SCMP_ARCH_X32"
]
},
{
"architecture": "SCMP_ARCH_AARCH64",
"subArchitectures": [
"SCMP_ARCH_ARM"
]
}
],
"syscalls": [
{
"names": [
"accept",
"accept4",
"access",
"adjtimex",
"alarm",
"bind",
"brk",
"capget",
"capset",
"chdir",
"chmod",
"chown",
"chown32",
"clock_adjtime",
"clock_adjtime64",
"clock_getres",
"clock_getres_time64",
"clock_gettime",
"clock_gettime64",
"clock_nanosleep",
"clock_nanosleep_time64",
"close",
"close_range",
"connect",
"copy_file_range",
"creat",
"dup",
"dup2",
"dup3",
"epoll_create",
"epoll_create1",
"epoll_ctl",
"epoll_ctl_old",
"epoll_pwait",
"epoll_pwait2",
"epoll_wait",
"epoll_wait_old",
"eventfd",
"eventfd2",
"execve",
"execveat",
"exit",
"exit_group",
"faccessat",
"faccessat2",
"fadvise64",
"fadvise64_64",
"fallocate",
"fanotify_mark",
"fchdir",
"fchmod",
"fchmodat",
"fchown",
"fchown32",
"fchownat",
"fcntl",
"fcntl64",
"fdatasync",
"fgetxattr",
"flistxattr",
"flock",
"fork",
"fremovexattr",
"fsetxattr",
"fstat",
"fstat64",
"fstatat64",
"fstatfs",
"fstatfs64",
"fsync",
"ftruncate",
"ftruncate64",
"futex",
"futex_time64",
"futex_waitv",
"getcpu",
"getcwd",
"getdents",
"getdents64",
"getegid",
"getegid32",
"geteuid",
"geteuid32",
"getgid",
"getgid32",
"getgroups",
"getgroups32",
"getitimer",
"getpeername",
"getpgid",
"getpgrp",
"getpid",
"getppid",
"getpriority",
"getrandom",
"getresgid",
"getresgid32",
"getresuid",
"getresuid32",
"getrlimit",
"get_robust_list",
"getrusage",
"getsid",
"getsockname",
"getsockopt",
"get_thread_area",
"gettid",
"gettimeofday",
"getuid",
"getuid32",
"getxattr",
"inotify_add_watch",
"inotify_init",
"inotify_init1",
"inotify_rm_watch",
"io_cancel",
"ioctl",
"io_destroy",
"io_getevents",
"io_pgetevents",
"io_pgetevents_time64",
"ioprio_get",
"ioprio_set",
"io_setup",
"io_submit",
"io_uring_enter",
"io_uring_register",
"io_uring_setup",
"ipc",
"kill",
"lchown",
"lchown32",
"lgetxattr",
"link",
"linkat",
"listen",
"listxattr",
"llistxattr",
"lremovexattr",
"lseek",
"lsetxattr",
"lstat",
"lstat64",
"madvise",
"membarrier",
"memfd_create",
"mincore",
"mkdir",
"mkdirat",
"mknod",
"mknodat",
"mlock",
"mlock2",
"mlockall",
"mmap",
"mmap2",
"mprotect",
"mq_getsetattr",
"mq_notify",
"mq_open",
"mq_timedreceive",
"mq_timedreceive_time64",
"mq_timedsend",
"mq_timedsend_time64",
"mq_unlink",
"mremap",
"msgctl",
"msgget",
"msgrcv",
"msgsnd",
"msync",
"munlock",
"munlockall",
"munmap",
"nanosleep",
"newfstatat",
"open",
"openat",
"openat2",
"pause",
"pipe",
"pipe2",
"poll",
"ppoll",
"ppoll_time64",
"prctl",
"pread64",
"preadv",
"preadv2",
"prlimit64",
"pselect6",
"pselect6_time64",
"pwrite64",
"pwritev",
"pwritev2",
"read",
"readahead",
"readlink",
"readlinkat",
"readv",
"recv",
"recvfrom",
"recvmmsg",
"recvmmsg_time64",
"recvmsg",
"remap_file_pages",
"removexattr",
"rename",
"renameat",
"renameat2",
"restart_syscall",
"rmdir",
"rseq",
"rt_sigaction",
"rt_sigpending",
"rt_sigprocmask",
"rt_sigqueueinfo",
"rt_sigreturn",
"rt_sigsuspend",
"rt_sigtimedwait",
"rt_sigtimedwait_time64",
"rt_tgsigqueueinfo",
"sched_getaffinity",
"sched_getattr",
"sched_getparam",
"sched_get_priority_max",
"sched_get_priority_min",
"sched_getscheduler",
"sched_rr_get_interval",
"sched_rr_get_interval_time64",
"sched_setaffinity",
"sched_setattr",
"sched_setparam",
"sched_setscheduler",
"sched_yield",
"seccomp",
"select",
"semctl",
"semget",
"semop",
"semtimedop",
"semtimedop_time64",
"send",
"sendfile",
"sendfile64",
"sendmmsg",
"sendmsg",
"sendto",
"setfsgid",
"setfsgid32",
"setfsuid",
"setfsuid32",
"setgid",
"setgid32",
"setgroups",
"setgroups32",
"setitimer",
"setpgid",
"setpriority",
"setregid",
"setregid32",
"setresgid",
"setresgid32",
"setresuid",
"setresuid32",
"setreuid",
"setreuid32",
"setrlimit",
"set_robust_list",
"setsid",
"setsockopt",
"set_thread_area",
"set_tid_address",
"setuid",
"setuid32",
"setxattr",
"shmat",
"shmctl",
"shmdt",
"shmget",
"shutdown",
"sigaltstack",
"signalfd",
"signalfd4",
"sigprocmask",
"sigreturn",
"socket",
"socketcall",
"socketpair",
"splice",
"stat",
"stat64",
"statfs",
"statfs64",
"statx",
"symlink",
"symlinkat",
"sync",
"sync_file_range",
"syncfs",
"sysinfo",
"tee",
"tgkill",
"time",
"timer_create",
"timer_delete",
"timer_getoverrun",
"timer_gettime",
"timer_gettime64",
"timer_settime",
"timer_settime64",
"timerfd_create",
"timerfd_gettime",
"timerfd_gettime64",
"timerfd_settime",
"timerfd_settime64",
"times",
"tkill",
"truncate",
"truncate64",
"ugetrlimit",
"umask",
"uname",
"unlink",
"unlinkat",
"utime",
"utimensat",
"utimensat_time64",
"utimes",
"vfork",
"vmsplice",
"wait4",
"waitid",
"waitpid",
"write",
"writev"
],
"action": "SCMP_ACT_ALLOW"
},
{
"names": [
"clone"
],
"action": "SCMP_ACT_ALLOW",
"args": [
{
"index": 0,
"value": 2114060288,
"op": "SCMP_CMP_MASKED_EQ"
}
],
"comment": "Allow clone for thread creation only (no CLONE_NEWUSER)"
},
{
"names": [
"clone3"
],
"action": "SCMP_ACT_ERRNO",
"errnoRet": 38,
"comment": "Block clone3 (not widely needed)"
}
]
}
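Review bot: The `clone` rule at L390–L396 gives `SCMP_CMP_MASKED_EQ` a mask in `value` but no `valueTwo`, so it only means "no namespace flags" if the loader defaults the compare value to 0; write it as `{"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}` so the intent does not depend on a parser default. The comment at L397 also misdescribes the rule: mask 0x7E020000 covers all seven CLONE_NEW* flags (NS, CGROUP, UTS, IPC, USER, PID, NET), and any clone without them passes, including fork-style clones (reachable anyway through `fork`/`vfork` at L107 and L375), so `"Allow clone unless any CLONE_NEW* namespace flag is set (mask 0x7E020000)"` would be accurate. `io_uring_enter`, `io_uring_register` and `io_uring_setup` (L171–L173) sit in this general-purpose allow list even though Docker removed them from its default profile in 23.0 and Google disabled io_uring across its fleet after a run of kernel privilege-escalation bugs; they belong in an opt-in profile rather than the default. Finally, `arch_prctl` is missing while its i386 counterpart `set_thread_area` is allowed at L317; on x86_64 glibc and musl call `arch_prctl(ARCH_SET_FS)` during TLS setup at process start, so programs would presumably die with EPERM under this profile unless the filter is installed after the loader runs — server.json in the same commit already carries the restricted form `{"index": 0, "value": 4098, "op": "SCMP_CMP_EQ"}` to copy.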

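--- /dev/null
+++ b/configs/seccomp/server.json
@@ -0,0 +1,169 @@
+{
+"defaultAction": "SCMP_ACT_ERRNO",
+"defaultErrnoRet": 1,
+"archMap": [
+{
+"architecture": "SCMP_ARCH_X86_64",
+"subArchitectures": ["SCMP_ARCH_X86", "SCMP_ARCH_X32"]
+}
+],
+"syscalls": [
+{
+"names": [
+"accept", "accept4",
+"access", "faccessat", "faccessat2",
+"bind",
+"brk",
+"capget", "capset",
+"chdir", "fchdir",
+"chmod", "fchmod", "fchmodat",
+"chown", "fchown", "fchownat", "lchown",
+"clock_getres", "clock_gettime", "clock_nanosleep",
+"clone", "clone3",
+"close", "close_range",
+"connect",
+"copy_file_range",
+"dup", "dup2", "dup3",
+"epoll_create", "epoll_create1", "epoll_ctl", "epoll_pwait", "epoll_wait",
+"eventfd", "eventfd2",
+"execve", "execveat",
+"exit", "exit_group",
+"fadvise64",
+"fallocate",
+"fcntl",
+"fdatasync",
+"flock",
+"fork",
+"fstat", "fstatat64", "fstatfs", "fstatfs64",
+"fsync",
+"ftruncate",
+"futex",
+"getcpu",
+"getcwd",
+"getdents", "getdents64",
+"getegid", "geteuid", "getgid", "getgroups",
+"getitimer",
+"getpeername",
+"getpgid", "getpgrp", "getpid", "getppid",
+"getpriority",
+"getrandom",
+"getresgid", "getresuid",
+"getrlimit",
+"getrusage",
+"getsid",
+"getsockname", "getsockopt",
+"gettid",
+"gettimeofday",
+"getuid",
+"inotify_add_watch", "inotify_init", "inotify_init1", "inotify_rm_watch",
+"io_cancel", "io_destroy", "io_getevents", "io_setup", "io_submit",
+"ioctl",
+"kill",
+"lgetxattr", "listxattr", "llistxattr",
+"listen",
+"lseek",
+"lstat",
+"madvise",
+"memfd_create",
+"mincore",
+"mkdir", "mkdirat",
+"mknod", "mknodat",
+"mlock", "mlock2", "mlockall",
+"mmap",
+"mount",
+"mprotect",
+"mremap",
+"msgctl", "msgget", "msgrcv", "msgsnd",
+"msync",
+"munlock", "munlockall",
+"munmap",
+"nanosleep",
+"newfstatat",
+"open", "openat", "openat2",
+"pause",
+"pipe", "pipe2",
+"poll", "ppoll",
+"prctl",
+"pread64", "preadv", "preadv2",
+"prlimit64",
+"pselect6",
+"pwrite64", "pwritev", "pwritev2",
+"read", "readahead", "readlink", "readlinkat", "readv",
+"recv", "recvfrom", "recvmmsg", "recvmsg",
+"rename", "renameat", "renameat2",
+"restart_syscall",
+"rmdir",
+"rt_sigaction", "rt_sigpending", "rt_sigprocmask", "rt_sigqueueinfo",
+"rt_sigreturn", "rt_sigsuspend", "rt_sigtimedwait", "rt_tgsigqueueinfo",
+"sched_getaffinity", "sched_getattr", "sched_getparam", "sched_getscheduler",
+"sched_get_priority_max", "sched_get_priority_min",
+"sched_setaffinity", "sched_setattr", "sched_setparam", "sched_setscheduler",
+"sched_yield",
+"seccomp",
+"select",
+"semctl", "semget", "semop", "semtimedop",
+"send", "sendfile", "sendmmsg", "sendmsg", "sendto",
+"set_robust_list",
+"set_tid_address",
+"setfsgid", "setfsuid",
+"setgid", "setgroups",
+"setitimer",
+"setpgid", "setpriority",
+"setregid", "setresgid", "setresuid", "setreuid",
+"setsid",
+"setsockopt",
+"setuid",
+"shmat", "shmctl", "shmdt", "shmget",
+"shutdown",
+"sigaltstack",
+"signalfd", "signalfd4",
+"socket", "socketpair",
+"splice",
+"stat", "statfs", "statx",
+"symlink", "symlinkat",
+"sync", "syncfs", "sync_file_range",
+"sysinfo",
+"tee",
+"tgkill", "tkill",
+"truncate",
+"umask",
+"umount2",
+"uname",
+"unlink", "unlinkat",
+"utime", "utimensat", "utimes",
+"vfork",
+"vmsplice",
+"wait4", "waitid", "waitpid",
+"write", "writev"
+],
+"action": "SCMP_ACT_ALLOW"
+},
+{
+"names": ["personality"],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"},
+{"index": 0, "value": 8, "op": "SCMP_CMP_EQ"},
+{"index": 0, "value": 131072, "op": "SCMP_CMP_EQ"},
+{"index": 0, "value": 131080, "op": "SCMP_CMP_EQ"},
+{"index": 0, "value": 4294967295, "op": "SCMP_CMP_EQ"}
+]
+},
+{
+"names": ["arch_prctl"],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{"index": 0, "value": 4098, "op": "SCMP_CMP_EQ"}
+]
+},
+{
+"names": ["socket"],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{"index": 0, "value": 1, "op": "SCMP_CMP_EQ"},
+{"index": 0, "value": 2, "op": "SCMP_CMP_EQ"},
+{"index": 0, "value": 10, "op": "SCMP_CMP_EQ"}
+]
+}
+]
+}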
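Review bot: L436 allows `clone` and `clone3` with no argument filter, so a container process can still create user, mount, PID and net namespaces even though `unshare` and `setns` are left out of the list; the other two profiles in this commit mask the CLONE_NEW* flags (0x7E020000) and return ENOSYS for `clone3`, and this profile should do the same. Together with `mount` and `umount2` being allowed at L487 and L544, an unprivileged process could enter a fresh user+mount namespace where it holds CAP_SYS_ADMIN and reach mount-time filesystem code, which is exactly the surface the namespace restriction exists to remove. Separately, `socket` is allowed unconditionally at L534 and again with AF_UNIX/AF_INET/AF_INET6 argument filters at L574–L580; the unconditional rule makes the family filter inert (AF_NETLINK, AF_PACKET and the rest stay reachable), so drop `"socket"` from L534 if the restriction is intended. Proposed replacement for the two clone entries, removed from L436 and added as rule objects in `syscalls`:
```json
{
  "names": ["clone"],
  "action": "SCMP_ACT_ALLOW",
  "args": [
    {"index": 0, "value": 2114060288, "valueTwo": 0, "op": "SCMP_CMP_MASKED_EQ"}
  ]
},
{
  "names": ["clone3"],
  "action": "SCMP_ACT_ERRNO",
  "errnoRet": 38
}
```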

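--- /dev/null
+++ b/configs/seccomp/strict.json
@@ -0,0 +1,386 @@
+{
+"comment": "Strict seccomp profile for minimal containers - blocks dangerous syscalls and restricts to essential operations only",
+"defaultAction": "SCMP_ACT_ERRNO",
+"defaultErrnoRet": 1,
+"archMap": [
+{
+"architecture": "SCMP_ARCH_X86_64",
+"subArchitectures": [
+"SCMP_ARCH_X86",
+"SCMP_ARCH_X32"
+]
+},
+{
+"architecture": "SCMP_ARCH_AARCH64",
+"subArchitectures": [
+"SCMP_ARCH_ARM"
+]
+}
+],
+"syscalls": [
+{
+"names": [
+"accept",
+"accept4",
+"access",
+"alarm",
+"bind",
+"brk",
+"capget",
+"chdir",
+"clock_getres",
+"clock_getres_time64",
+"clock_gettime",
+"clock_gettime64",
+"clock_nanosleep",
+"clock_nanosleep_time64",
+"close",
+"close_range",
+"connect",
+"dup",
+"dup2",
+"dup3",
+"epoll_create",
+"epoll_create1",
+"epoll_ctl",
+"epoll_pwait",
+"epoll_pwait2",
+"epoll_wait",
+"eventfd",
+"eventfd2",
+"execve",
+"execveat",
+"exit",
+"exit_group",
+"faccessat",
+"faccessat2",
+"fadvise64",
+"fadvise64_64",
+"fcntl",
+"fcntl64",
+"fdatasync",
+"fstat",
+"fstat64",
+"fstatat64",
+"fstatfs",
+"fstatfs64",
+"fsync",
+"futex",
+"futex_time64",
+"futex_waitv",
+"getcpu",
+"getcwd",
+"getdents",
+"getdents64",
+"getegid",
+"getegid32",
+"geteuid",
+"geteuid32",
+"getgid",
+"getgid32",
+"getgroups",
+"getgroups32",
+"getpeername",
+"getpgid",
+"getpgrp",
+"getpid",
+"getppid",
+"getpriority",
+"getrandom",
+"getresgid",
+"getresgid32",
+"getresuid",
+"getresuid32",
+"getrlimit",
+"get_robust_list",
+"getrusage",
+"getsid",
+"getsockname",
+"getsockopt",
+"get_thread_area",
+"gettid",
+"gettimeofday",
+"getuid",
+"getuid32",
+"ioctl",
+"kill",
+"listen",
+"lseek",
+"lstat",
+"lstat64",
+"madvise",
+"membarrier",
+"mincore",
+"mmap",
+"mmap2",
+"mprotect",
+"mremap",
+"msync",
+"munmap",
+"nanosleep",
+"newfstatat",
+"open",
+"openat",
+"openat2",
+"pause",
+"pipe",
+"pipe2",
+"poll",
+"ppoll",
+"ppoll_time64",
+"prctl",
+"pread64",
+"preadv",
+"preadv2",
+"prlimit64",
+"pselect6",
+"pselect6_time64",
+"pwrite64",
+"pwritev",
+"pwritev2",
+"read",
+"readlink",
+"readlinkat",
+"readv",
+"recv",
+"recvfrom",
+"recvmmsg",
+"recvmmsg_time64",
+"recvmsg",
+"restart_syscall",
+"rseq",
+"rt_sigaction",
+"rt_sigpending",
+"rt_sigprocmask",
+"rt_sigqueueinfo",
+"rt_sigreturn",
+"rt_sigsuspend",
+"rt_sigtimedwait",
+"rt_sigtimedwait_time64",
+"rt_tgsigqueueinfo",
+"sched_getaffinity",
+"sched_getattr",
+"sched_getparam",
+"sched_get_priority_max",
+"sched_get_priority_min",
+"sched_getscheduler",
+"sched_rr_get_interval",
+"sched_rr_get_interval_time64",
+"sched_setaffinity",
+"sched_setattr",
+"sched_setparam",
+"sched_setscheduler",
+"sched_yield",
+"seccomp",
+"select",
+"send",
+"sendfile",
+"sendfile64",
+"sendmmsg",
+"sendmsg",
+"sendto",
+"setfsgid",
+"setfsgid32",
+"setfsuid",
+"setfsuid32",
+"setgid",
+"setgid32",
+"setgroups",
+"setgroups32",
+"setpgid",
+"setpriority",
+"setregid",
+"setregid32",
+"setresgid",
+"setresgid32",
+"setresuid",
+"setresuid32",
+"setreuid",
+"setreuid32",
+"setrlimit",
+"set_robust_list",
+"setsid",
+"setsockopt",
+"set_thread_area",
+"set_tid_address",
+"setuid",
+"setuid32",
+"shutdown",
+"sigaltstack",
+"signalfd",
+"signalfd4",
+"sigprocmask",
+"sigreturn",
+"socket",
+"socketcall",
+"socketpair",
+"stat",
+"stat64",
+"statfs",
+"statfs64",
+"statx",
+"sysinfo",
+"tgkill",
+"time",
+"timer_create",
+"timer_delete",
+"timer_getoverrun",
+"timer_gettime",
+"timer_gettime64",
+"timer_settime",
+"timer_settime64",
+"timerfd_create",
+"timerfd_gettime",
+"timerfd_gettime64",
+"timerfd_settime",
+"timerfd_settime64",
+"times",
+"tkill",
+"ugetrlimit",
+"umask",
+"uname",
+"wait4",
+"waitid",
+"waitpid",
+"write",
+"writev"
+],
+"action": "SCMP_ACT_ALLOW",
+"comment": "Essential syscalls for stateless services"
+},
+{
+"names": [
+"clone"
+],
+"action": "SCMP_ACT_ALLOW",
+"args": [
+{
+"index": 0,
+"value": 2114060288,
+"op": "SCMP_CMP_MASKED_EQ"
+}
+],
+"comment": "Allow clone for thread creation only (no CLONE_NEWUSER)"
+}
+],
+"blockedSyscalls": {
+"comment": "Explicitly blocked dangerous syscalls",
+"syscalls": [
+{
+"names": [
+"acct",
+"add_key",
+"bpf",
+"clock_adjtime",
+"clock_adjtime64",
+"clock_settime",
+"clock_settime64",
+"clone3",
+"create_module",
+"delete_module",
+"finit_module",
+"get_kernel_syms",
+"get_mempolicy",
+"init_module",
+"ioperm",
+"iopl",
+"kcmp",
+"kexec_file_load",
+"kexec_load",
+"keyctl",
+"lookup_dcookie",
+"mbind",
+"migrate_pages",
+"modify_ldt",
+"mount",
+"move_pages",
+"name_to_handle_at",
+"nfsservctl",
+"open_by_handle_at",
+"perf_event_open",
+"personality",
+"pivot_root",
+"process_vm_readv",
+"process_vm_writev",
+"ptrace",
+"query_module",
+"quotactl",
+"quotactl_fd",
+"reboot",
+"request_key",
+"set_mempolicy",
+"setdomainname",
+"sethostname",
+"settimeofday",
+"setns",
+"stime",
+"swapoff",
+"swapon",
+"sysfs",
+"syslog",
+"_sysctl",
+"umount",
+"umount2",
+"unshare",
+"uselib",
+"userfaultfd",
+"ustat",
+"vm86",
+"vm86old"
+],
+"action": "SCMP_ACT_ERRNO",
+"errnoRet": 1,
+"comment": "Block dangerous administrative and privileged syscalls"
+}
+]
+},
+"notes": {
+"description": "Strict seccomp profile for minimal, stateless containers",
+"use_cases": [
+"Stateless API servers",
+"Message queue consumers",
+"Stream processing workers",
+"Serverless functions",
+"Minimal microservices"
+],
+"blocked_operations": [
+"Kernel module loading",
+"System time modification",
+"Host mounting/unmounting",
+"Process tracing (ptrace)",
+"Namespace manipulation",
+"BPF operations",
+"Key management",
+"Performance monitoring",
+"Memory policy",
+"Reboot/shutdown"
+],
+"allowed_operations": [
+"File I/O (limited by Landlock)",
+"Network operations",
+"Thread management",
+"Time reading",
+"Signal handling",
+"Memory management",
+"Process management (limited)"
+],
+"security_notes": [
+"This profile blocks all administrative syscalls",
+"No kernel modification allowed",
+"No debugging/tracing capabilities",
+"No namespace creation (except thread cloning)",
+"No module loading or unloading",
+"No time manipulation",
+"No host filesystem mounting",
+"Combine with Landlock for filesystem restrictions",
+"Use with minimal capabilities (ideally none)"
+],
+"testing": [
+"Test thoroughly with your application before production",
+"Monitor for SCMP_ACT_ERRNO returns (syscall denials)",
+"Check logs for unexpected syscall usage",
+"Use strace during testing to identify required syscalls",
+"Example: strace -c -f -S name your-app 2>&1 | tail -n +3 | head -n -2 | awk '{print $NF}' | sort -u"
+]
+}
+}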
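Review bot: The `blockedSyscalls` object at L855–L925 sits outside the `syscalls` array, so it is not a rule in the OCI-style profile format the rest of the file uses (`defaultAction`/`archMap`/`syscalls`); unless Volt's loader (not shown here) specifically reads that key, the deny list is documentation only and nothing will catch one of these names being added to the allow list later, so move it inside `syscalls` as a second rule object with `"action": "SCMP_ACT_ERRNO"` (none of its names collide with the allow list, so this is a safe change). The allow list at L611–L836 omits `arch_prctl` while allowing the i386 equivalent `set_thread_area` at L793; on x86_64 glibc and musl call `arch_prctl(ARCH_SET_FS)` during TLS setup at process start, so this profile would presumably kill every program at startup with EPERM unless the filter is installed after the loader runs — server.json's restricted rule `{"index": 0, "value": 4098, "op": "SCMP_CMP_EQ"}` is the form to copy. The `clone` rule at L845–L851 gives `SCMP_CMP_MASKED_EQ` a mask but no `valueTwo`, relying on the parser to default it to 0; make it explicit with `"valueTwo": 0` and reword the L852 comment, since 0x7E020000 rejects all seven CLONE_NEW* flags rather than limiting clone to threads. Lastly, the file is committed as an executable (`Executable file`, L586); a JSON policy should be mode 0644.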