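---
# Landlock Policy Template: Web Server (nginx, Apache, Caddy)
# This policy allows typical web server operations with minimal filesystem access
# Version: 1.0
#
# Reading guide:
#   - `filesystem` is the Landlock allowlist: anything not listed is denied.
#   - `network`, `capabilities` and `syscalls` are NOT enforced by Landlock
#     itself (see the per-section comments); they are enforced by the
#     surrounding tooling, so review each against that tooling's semantics.

# Policy metadata
policy:
  name: webserver
  version: "1.0"
  description: "Landlock policy for web servers (nginx, Apache, Caddy, etc.)"
  category: webserver
  author: "ArmoredLinux"

# Filesystem access rules
# Landlock uses an allowlist approach - only explicitly listed paths are accessible
filesystem:
  # Read-only access to application files
  read_only:
    # Web content directory
    - path: /var/www
      recursive: true
      description: "Web content root"

    # Configuration files (container-specific)
    - path: /etc/nginx
      recursive: true
      description: "Nginx configuration"
    - path: /etc/apache2
      recursive: true
      description: "Apache configuration"
    - path: /etc/caddy
      recursive: true
      description: "Caddy configuration"

    # SSL/TLS certificates
    - path: /etc/ssl/certs
      recursive: true
      description: "SSL certificates"
    # NOTE(review): /etc/ssl/private is intentionally not listed. Servers whose
    # key lives there will fail to start under `mode: strict`; if that is your
    # layout, add the single key file (not the whole directory) rather than
    # widening /etc/ssl.
    # - path: /etc/ssl/private/<your-key-file>
    #   recursive: false
    #   description: "TLS private key"
    # NOTE(review): recursive read on /etc/letsencrypt exposes every file under
    # it (ACME account keys and archived private keys for all domains), not only
    # the certificate the server presents. Consider narrowing this to the
    # domain directories the server actually reads - TODO confirm the layout
    # used by your ACME client.
    - path: /etc/letsencrypt
      recursive: true
      description: "Let's Encrypt certificates"

    # System libraries and dependencies
    - path: /usr/lib
      recursive: true
      description: "System libraries"
    - path: /lib
      recursive: true
      description: "System libraries"
    # NOTE(review): distributions that keep libraries under /usr/lib64 (and
    # resolve /lib64 there) are not covered by the two entries above; under
    # `mode: strict` the dynamic loader would then be unreadable. Add the
    # lib64 paths if your base image needs them - TODO confirm per distribution.
    # - path: /lib64
    #   recursive: true
    #   description: "System libraries (64-bit layout)"
    # - path: /usr/lib64
    #   recursive: true
    #   description: "System libraries (64-bit layout)"

    # Timezone data
    - path: /usr/share/zoneinfo
      recursive: true
      description: "Timezone information"

    # DNS resolution
    - path: /etc/hosts
      recursive: false
      description: "Hosts file"
    - path: /etc/resolv.conf
      recursive: false
      description: "DNS resolver configuration"

  # Read-write access (ephemeral)
  read_write_ephemeral:
    # Temporary files
    - path: /tmp
      recursive: true
      storage_type: tmpfs
      description: "Temporary files (tmpfs)"

    # Runtime state
    # /var/run is commonly a symlink to /run; both are listed so the rule holds
    # whichever spelling the server's configuration uses.
    - path: /var/run
      recursive: true
      storage_type: tmpfs
      description: "Runtime state files"
    - path: /run
      recursive: true
      storage_type: tmpfs
      description: "Runtime state files"

  # Read-write access (persistent)
  read_write_persistent:
    # Logs
    - path: /var/log/nginx
      recursive: true
      storage_type: persistent
      description: "Nginx logs"
    - path: /var/log/apache2
      recursive: true
      storage_type: persistent
      description: "Apache logs"
    - path: /var/log/caddy
      recursive: true
      storage_type: persistent
      description: "Caddy logs"

    # Cache directories
    - path: /var/cache/nginx
      recursive: true
      storage_type: persistent
      description: "Nginx cache"
    - path: /var/cache/apache2
      recursive: true
      storage_type: persistent
      description: "Apache cache"

    # Upload directories (if needed)
    # This subtree is writable while its parent /var/www stays read-only.
    # It is deliberately absent from the `execute` list below: keep it that way
    # so uploaded content can never be executed by the server.
    - path: /var/www/uploads
      recursive: true
      storage_type: persistent
      description: "Upload directory"

  # Execute access
  execute:
    # Web server binaries
    - path: /usr/sbin/nginx
      description: "Nginx binary"
    - path: /usr/sbin/apache2
      description: "Apache binary"
    - path: /usr/bin/caddy
      description: "Caddy binary"

    # Shell and utilities (only if needed for CGI/PHP-FPM)
    # Comment out if not needed for better security
    # - path: /bin/sh
    #   description: "Shell for CGI scripts"

# Network access
# These are enforced by systemd-nspawn and firewall rules, not Landlock
network:
  # Allow binding to these ports
  bind_ports:
    - port: 80
      protocol: tcp
      description: "HTTP"
    - port: 443
      protocol: tcp
      description: "HTTPS"
    - port: 8080
      protocol: tcp
      description: "Alternative HTTP"

  # Allow outbound connections to these destinations
  egress:
    # DNS lookups
    - port: 53
      protocol: udp
      description: "DNS queries"

    # NTP (for time synchronization)
    # NOTE(review): time sync is usually done by the host, not the container;
    # drop this entry if no NTP client runs inside the container.
    - port: 123
      protocol: udp
      description: "NTP time sync"

    # Backend API servers (configure as needed)
    # - host: backend.example.com
    #   port: 8000
    #   protocol: tcp
    #   description: "Backend API"

# Capabilities (Linux capabilities to grant)
# Web servers typically need very few capabilities
capabilities:
  # NET_BIND_SERVICE allows binding to ports < 1024
  - CAP_NET_BIND_SERVICE

  # CHOWN allows changing file ownership (for uploaded files)
  # - CAP_CHOWN  # Uncomment if needed

  # SETUID/SETGID for dropping privileges
  # - CAP_SETUID
  # - CAP_SETGID

# System calls allowed (this is a Landlock extension)
# For full control, use seccomp profiles instead
# NOTE(review): this list is much shorter than what nginx/Apache/Caddy issue in
# practice (event polling, vectored I/O, signal handling, memory management are
# all absent). Confirm how the enforcing tool treats this list under
# `mode: strict` before relying on it, or manage syscalls with a seccomp
# profile as the comment above suggests.
syscalls:
  # File operations
  allow:
    - open
    - openat
    - read
    - write
    - close
    - stat
    - fstat
    - lseek
    - mmap
    - munmap
    - sendfile

    # Network operations
    - socket
    - bind
    - listen
    - accept
    - accept4
    - connect
    - sendto
    - recvfrom
    - setsockopt
    - getsockopt

    # Process operations
    - fork
    - clone
    - execve
    - wait4
    - exit
    - exit_group

    # Time
    - gettimeofday
    - clock_gettime

# Enforcement mode
enforcement:
  # Mode: strict, permissive, or learning
  # - strict: Violations are blocked and logged
  # - permissive: Violations are logged but allowed
  # - learning: Violations are logged for policy development
  mode: strict

  # Log violations to syslog
  log_violations: true

  # Fail closed if Landlock is not available
  require_landlock: true

# Security notes
notes: |
  This policy is designed for typical web servers serving static content
  or proxying to backend services. Adjust paths based on your specific
  web server and application requirements.

  For PHP applications, you may need to add:
  - /usr/bin/php or /usr/bin/php-fpm
  - /var/lib/php/sessions (for PHP sessions)

  For applications with uploads, ensure /var/www/uploads is writable and
  consider additional restrictions on executable permissions.

  Always test policies in permissive mode first before enforcing in production.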