Karl Clinger 0ebe75b2ca Volt CLI: source-available under AGPSL v5.0
Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
2026-03-21 02:08:15 -05:00


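# Landlock Policy Template: Web Server (nginx, Apache, Caddy)
# This policy allows typical web server operations with minimal filesystem access
# Version: 1.0
#
# Review notes are marked NOTE(review). The template lists paths for three
# different servers at once; a deployed policy should keep only the entries
# for the server actually installed so the allowlist stays as small as possible.

# Policy metadata
policy:
  name: webserver
  version: "1.0"
  description: "Landlock policy for web servers (nginx, Apache, Caddy, etc.)"
  category: webserver
  author: "ArmoredLinux"

# Filesystem access rules
# Landlock uses an allowlist approach - only explicitly listed paths are accessible
filesystem:
  # Read-only access to application files
  read_only:
    # Web content directory
    - path: /var/www
      recursive: true
      description: "Web content root"

    # Configuration files (container-specific)
    - path: /etc/nginx
      recursive: true
      description: "Nginx configuration"
    - path: /etc/apache2
      recursive: true
      description: "Apache configuration"
    - path: /etc/caddy
      recursive: true
      description: "Caddy configuration"

    # SSL/TLS certificates
    - path: /etc/ssl/certs
      recursive: true
      description: "SSL certificates"
    # NOTE(review): a recursive rule on this tree also covers the private keys
    # stored under it, which the server needs to terminate TLS. Where the
    # template is specialised for one instance, narrow it to the certificate
    # directories of the hostnames that instance actually serves.
    - path: /etc/letsencrypt
      recursive: true
      description: "Let's Encrypt certificates"

    # System libraries and dependencies
    # NOTE(review): distributions that keep 64-bit libraries in a separate
    # /usr/lib64 (not a symlink into /usr/lib) need that path listed as well,
    # otherwise the dynamic loader cannot read them — confirm on the target image.
    - path: /usr/lib
      recursive: true
      description: "System libraries"
    - path: /lib
      recursive: true
      description: "System libraries"

    # Timezone data
    - path: /usr/share/zoneinfo
      recursive: true
      description: "Timezone information"

    # DNS resolution
    - path: /etc/hosts
      recursive: false
      description: "Hosts file"
    - path: /etc/resolv.conf
      recursive: false
      description: "DNS resolver configuration"

  # Read-write access (ephemeral)
  read_write_ephemeral:
    # Temporary files
    - path: /tmp
      recursive: true
      storage_type: tmpfs
      description: "Temporary files (tmpfs)"

    # Runtime state
    # (/var/run is usually a symlink to /run; both are listed for systems where
    # it is a real directory — harmless when they resolve to the same place)
    - path: /var/run
      recursive: true
      storage_type: tmpfs
      description: "Runtime state files"
    - path: /run
      recursive: true
      storage_type: tmpfs
      description: "Runtime state files"

  # Read-write access (persistent)
  read_write_persistent:
    # Logs
    - path: /var/log/nginx
      recursive: true
      storage_type: persistent
      description: "Nginx logs"
    - path: /var/log/apache2
      recursive: true
      storage_type: persistent
      description: "Apache logs"
    - path: /var/log/caddy
      recursive: true
      storage_type: persistent
      description: "Caddy logs"

    # Cache directories
    - path: /var/cache/nginx
      recursive: true
      storage_type: persistent
      description: "Nginx cache"
    - path: /var/cache/apache2
      recursive: true
      storage_type: persistent
      description: "Apache cache"

    # Upload directories (if needed)
    # NOTE(review): this directory sits inside the served tree (/var/www above),
    # so anything written here can be served back to clients. It is intentionally
    # absent from `execute` below; Landlock's execute right governs execve of the
    # file itself, not an interpreter reading a script from here, so
    # application-level validation of uploaded content is still required.
    - path: /var/www/uploads
      recursive: true
      storage_type: persistent
      description: "Upload directory"

  # Execute access
  execute:
    # Web server binaries
    - path: /usr/sbin/nginx
      description: "Nginx binary"
    - path: /usr/sbin/apache2
      description: "Apache binary"
    - path: /usr/bin/caddy
      description: "Caddy binary"

    # Shell and utilities (only if needed for CGI/PHP-FPM)
    # Uncomment only if CGI/PHP-FPM actually needs a shell; leaving it out
    # keeps the policy tighter
    # - path: /bin/sh
    #   description: "Shell for CGI scripts"

# Network access
# These are enforced by systemd-nspawn and firewall rules, not Landlock
network:
  # Allow binding to these ports
  bind_ports:
    - port: 80
      protocol: tcp
      description: "HTTP"
    - port: 443
      protocol: tcp
      description: "HTTPS"
    - port: 8080
      protocol: tcp
      description: "Alternative HTTP"

  # Allow outbound connections to these destinations
  egress:
    # DNS lookups
    # NOTE(review): only UDP is listed; resolvers fall back to 53/tcp for large
    # responses, so add a tcp entry if the firewall is generated from this list
    # and lookups fail intermittently.
    - port: 53
      protocol: udp
      description: "DNS queries"

    # NTP (for time synchronization)
    - port: 123
      protocol: udp
      description: "NTP time sync"

    # Backend API servers (configure as needed)
    # - host: backend.example.com
    #   port: 8000
    #   protocol: tcp
    #   description: "Backend API"

# Capabilities (Linux capabilities to grant)
# Web servers typically need very few capabilities
capabilities:
  # NET_BIND_SERVICE allows binding to ports < 1024
  - CAP_NET_BIND_SERVICE
  # CHOWN allows changing file ownership (for uploaded files)
  # - CAP_CHOWN  # Uncomment if needed
  # SETUID/SETGID for dropping privileges
  # NOTE(review): a master process started as root that switches its workers
  # to an unprivileged user needs both of these; a server started directly as
  # that user needs neither. Prefer the latter so the list stays at one entry.
  # - CAP_SETUID
  # - CAP_SETGID

# System calls allowed (this is a Landlock extension)
# For full control, use seccomp profiles instead
# NOTE(review): this list is illustrative rather than complete — an event-driven
# server also issues calls such as epoll_create1/epoll_wait, writev, fcntl and
# rt_sigaction. If the loader enforces it as a strict allowlist, derive the real
# set from a run in learning mode before switching to strict.
syscalls:
  # File operations
  allow:
    - open
    - openat
    - read
    - write
    - close
    - stat
    - fstat
    - lseek
    - mmap
    - munmap
    - sendfile
    # Network operations
    - socket
    - bind
    - listen
    - accept
    - accept4
    - connect
    - sendto
    - recvfrom
    - setsockopt
    - getsockopt
    # Process operations
    - fork
    - clone
    - execve
    - wait4
    - exit
    - exit_group
    # Time
    - gettimeofday
    - clock_gettime

# Enforcement mode
enforcement:
  # Mode: strict, permissive, or learning
  # - strict: Violations are blocked and logged
  # - permissive: Violations are logged but allowed
  # - learning: Violations are logged for policy development
  mode: strict
  # Log violations to syslog
  log_violations: true
  # Fail closed if Landlock is not available
  # (prevents the workload from starting unconfined on a kernel without Landlock)
  require_landlock: true

# Security notes
notes: |
  This policy is designed for typical web servers serving static content
  or proxying to backend services. Adjust paths based on your specific
  web server and application requirements.
  For PHP applications, you may need to add:
  - /usr/bin/php or /usr/bin/php-fpm
  - /var/lib/php/sessions (for PHP sessions)
  For applications with uploads, ensure /var/www/uploads is writable
  and consider additional restrictions on executable permissions.
  Always test policies in permissive mode first before enforcing in production.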