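# Landlock Policy Template: Database Server (PostgreSQL, MySQL, MongoDB)
# This policy allows database operations with controlled filesystem access
# Version: 1.0
#
# Layout: `filesystem` holds path rules grouped by access level, `network`
# holds port rules, `capabilities` and `syscalls.allow` are allowlists, and
# `enforcement` selects how violations are handled. `notes` is free text.

# Policy metadata
policy:
  name: database
  version: "1.0"
  description: "Landlock policy for database servers (PostgreSQL, MySQL, MongoDB, etc.)"
  category: database
  author: "ArmoredLinux"

# Filesystem access rules
filesystem:
  # Read-only access
  read_only:
    # Configuration files
    - path: /etc/postgresql
      recursive: true
      description: "PostgreSQL configuration"
    - path: /etc/mysql
      recursive: true
      description: "MySQL configuration"
    - path: /etc/mongod.conf
      recursive: false
      description: "MongoDB configuration"
    # System libraries
    - path: /usr/lib
      recursive: true
      description: "System libraries"
    - path: /lib
      recursive: true
      description: "System libraries"
    # SSL/TLS certificates (public CA bundle only; server private keys are
    # not granted here and must be added per deployment if TLS is enabled)
    - path: /etc/ssl/certs
      recursive: true
      description: "SSL certificates"
    # Timezone data (important for timestamp operations)
    - path: /usr/share/zoneinfo
      recursive: true
      description: "Timezone information"
    # DNS resolution
    - path: /etc/hosts
      recursive: false
      description: "Hosts file"
    - path: /etc/resolv.conf
      recursive: false
      description: "DNS resolver configuration"
    # Password files (for authentication)
    - path: /etc/passwd
      recursive: false
      description: "User database"
    - path: /etc/group
      recursive: false
      description: "Group database"

  # Read-write access (ephemeral)
  read_write_ephemeral:
    # Temporary files
    - path: /tmp
      recursive: true
      storage_type: tmpfs
      description: "Temporary files (tmpfs)"
    # Runtime state
    # NOTE(review): /var/run is a symlink to /run on most distributions, and
    # the socket directories below are already covered by this recursive
    # grant. Landlock rules on nested paths only widen, never narrow, access,
    # so the explicit entries are documentation, not a restriction. To limit
    # the server to its own socket directory, drop the /var/run and /run
    # entries and keep only the per-server ones.
    - path: /var/run
      recursive: true
      storage_type: tmpfs
      description: "Runtime state files"
    - path: /run
      recursive: true
      storage_type: tmpfs
      description: "Runtime state files"
    # PostgreSQL runtime
    - path: /var/run/postgresql
      recursive: true
      storage_type: tmpfs
      description: "PostgreSQL socket directory"
    # MySQL runtime
    - path: /var/run/mysqld
      recursive: true
      storage_type: tmpfs
      description: "MySQL socket directory"

  # Read-write access (persistent)
  read_write_persistent:
    # PostgreSQL data directory
    - path: /var/lib/postgresql
      recursive: true
      storage_type: persistent
      description: "PostgreSQL data directory"
    # MySQL data directory
    - path: /var/lib/mysql
      recursive: true
      storage_type: persistent
      description: "MySQL data directory"
    # MongoDB data directory
    - path: /var/lib/mongodb
      recursive: true
      storage_type: persistent
      description: "MongoDB data directory"
    # Logs
    - path: /var/log/postgresql
      recursive: true
      storage_type: persistent
      description: "PostgreSQL logs"
    - path: /var/log/mysql
      recursive: true
      storage_type: persistent
      description: "MySQL logs"
    - path: /var/log/mongodb
      recursive: true
      storage_type: persistent
      description: "MongoDB logs"
    # Backup directory (if using pg_dump, mysqldump, etc.)
    # NOTE(review): the "Backup Security" note at the end of this file says
    # the backup directory should be read-only from the application's point
    # of view and that backups run in a separate process. Granting read-write
    # here contradicts that: a compromised server process could alter or
    # delete backups. Move this entry to read_only (or remove it) when backups
    # are produced by a separate process.
    - path: /var/backups/database
      recursive: true
      storage_type: persistent
      description: "Database backups"

  # Execute access
  execute:
    # Database server binaries
    # NOTE(review): Landlock rules are attached to concrete paths when the
    # ruleset is built; whether the loader expands the "*" wildcard below is
    # a property of the policy loader, not of Landlock. Quoted so the "*" is
    # never mistaken for a YAML alias. Verify the loader's glob support.
    - path: "/usr/lib/postgresql/*/bin/postgres"
      description: "PostgreSQL server"
    - path: /usr/sbin/mysqld
      description: "MySQL server"
    - path: /usr/bin/mongod
      description: "MongoDB server"
    # Utility binaries (for maintenance scripts)
    - path: /usr/bin/pg_dump
      description: "PostgreSQL backup utility"
    - path: /usr/bin/mysqldump
      description: "MySQL backup utility"

# Network access
network:
  # Allow binding to database ports
  # NOTE(review): only bind what is actually deployed. Redis (6379) is not
  # among the servers named in policy.description; remove entries for
  # servers that are not running in the container.
  bind_ports:
    - port: 5432
      protocol: tcp
      description: "PostgreSQL"
    - port: 3306
      protocol: tcp
      description: "MySQL/MariaDB"
    - port: 27017
      protocol: tcp
      description: "MongoDB"
    - port: 6379
      protocol: tcp
      description: "Redis"

  # Allow outbound connections
  # NOTE(review): egress rules here carry only port and protocol, so they do
  # not restrict the destination host. Peer restriction (replica addresses,
  # resolver, NTP servers) has to come from the container's network policy
  # or firewall, as the "Network Isolation" note below recommends.
  egress:
    # DNS lookups
    - port: 53
      protocol: udp
      description: "DNS queries"
    # NTP (for time synchronization - critical for databases)
    - port: 123
      protocol: udp
      description: "NTP time sync"
    # Database replication (PostgreSQL)
    - port: 5432
      protocol: tcp
      description: "PostgreSQL replication"
    # Database replication (MySQL)
    - port: 3306
      protocol: tcp
      description: "MySQL replication"

# Capabilities
# Databases need minimal capabilities
capabilities:
  # IPC_LOCK allows locking memory (prevents swapping of sensitive data)
  - CAP_IPC_LOCK
  # SETUID/SETGID for dropping privileges after initialization
  - CAP_SETUID
  - CAP_SETGID
  # CHOWN for managing file ownership
  # NOTE(review): CAP_CHOWN and CAP_FOWNER are broad; if the data directory
  # is pre-created with the correct owner and the server starts as an
  # unprivileged user, neither is usually needed after initialization --
  # TODO confirm against the server's startup sequence and drop if unused.
  - CAP_CHOWN
  # FOWNER for bypassing permission checks on owned files
  - CAP_FOWNER
  # DAC_READ_SEARCH for reading files during recovery
  # - CAP_DAC_READ_SEARCH  # Uncomment only if needed

# System calls allowed
# NOTE(review): this list is an allowlist used under enforcement.mode strict.
# It does not include positional I/O (pread64/pwrite64), event polling
# (poll/select/epoll_*) or fcntl, which the servers named above commonly
# use -- TODO confirm with a syscall trace of each server under realistic
# load before enforcing, and rely on log_violations during rollout.
syscalls:
  allow:
    # File operations
    - open
    - openat
    - read
    - write
    - close
    - stat
    - fstat
    - lstat
    - lseek
    - msync
    - madvise
    - fsync
    - fdatasync
    - ftruncate
    - fallocate
    - flock
    - unlink
    - rename
    # Directory operations
    - mkdir
    - rmdir
    - getdents
    - getdents64
    # Network operations
    - socket
    - bind
    - listen
    - accept
    - accept4
    - connect
    - sendto
    - recvfrom
    - sendmsg
    - recvmsg
    - setsockopt
    - getsockopt
    - shutdown
    # Process operations
    - fork
    - clone
    - execve
    - wait4
    - exit
    - exit_group
    - kill
    - getpid
    - getppid
    # Memory management (mmap/munmap listed once here; they were previously
    # duplicated under "File operations")
    - brk
    - mmap
    - munmap
    - mprotect
    - mlock
    - munlock
    - mlockall
    - munlockall
    # Time
    - gettimeofday
    - clock_gettime
    - clock_nanosleep
    - nanosleep
    # Synchronization
    - futex
    - semget
    - semop
    - semctl
    - shmget
    - shmat
    - shmdt
    - shmctl
    # Signals
    - rt_sigaction
    - rt_sigprocmask
    - rt_sigreturn

# Enforcement mode
# mode: strict denies anything not listed above; log_violations records
# denials; require_landlock presumably refuses to start when the kernel
# lacks Landlock support (fail closed) -- verify against the loader.
enforcement:
  mode: strict
  log_violations: true
  require_landlock: true

# Security notes
notes: |
  Database containers require significant filesystem access for:
  1. Data files (MUST be persistent storage)
  2. Transaction logs (MUST be persistent storage)
  3. Temporary files for sorts and joins
  4. Socket files for IPC

  CRITICAL SECURITY CONSIDERATIONS:

  1. Data Directory Isolation:
     - /var/lib/postgresql, /var/lib/mysql, etc. should be on dedicated volumes
     - These directories MUST NOT be shared between containers
     - Use encryption at rest for sensitive data

  2. Network Isolation:
     - Bind only to necessary interfaces (not 0.0.0.0 in production)
     - Use firewall rules to restrict access to specific clients
     - Consider TLS/SSL for all connections

  3. Memory Locking:
     - CAP_IPC_LOCK allows locking memory to prevent swapping
     - Important for preventing sensitive data from being written to swap
     - Ensure adequate memory limits in container manifest

  4. Backup Security:
     - Backup directory should be read-only from application perspective
     - Use separate container/process for backup operations
     - Encrypt backups and verify integrity

  5. Replication:
     - For replicated databases, allow outbound connections to replica nodes
     - Use separate network namespace for replication traffic
     - Verify TLS certificates on replication connections

  PERFORMANCE NOTES:
  - Use persistent storage (not overlay) for data directories
  - Consider using dedicated block devices for I/O intensive workloads
  - Monitor for Landlock overhead (should be minimal for database workloads)

  Always test policies thoroughly with realistic workloads before production use.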