ArmoredGate/volt
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
4f507335ecd75d449dd7f5456c7e1b216314f62f
volt/configs/landlock/database.landlock
Karl Clinger 0ebe75b2ca Volt CLI: source-available under AGPSL v5.0 
Complete infrastructure platform CLI:
- Container runtime (systemd-nspawn)
- VoltVisor VMs (Neutron Stardust / QEMU)
- Stellarium CAS (content-addressed storage)
- ORAS Registry
- GitOps integration
- Landlock LSM security
- Compose orchestration
- Mesh networking

Copyright (c) Armored Gates LLC. All rights reserved.
Licensed under AGPSL v5.0
2026-03-21 02:08:15 -05:00

356 lines
8.0 KiB
Plaintext
Executable File
Raw Blame History

# Landlock Policy Template: Database Server (PostgreSQL, MySQL, MongoDB)
# This policy allows database operations with controlled filesystem access
# Version: 1.0
# Policy metadata
policy:
name: database
version: "1.0"
description: "Landlock policy for database servers (PostgreSQL, MySQL, MongoDB, etc.)"
category: database
author: "ArmoredLinux"
# Filesystem access rules
filesystem:
# Read-only access
read_only:
# Configuration files
- path: /etc/postgresql
recursive: true
description: "PostgreSQL configuration"
- path: /etc/mysql
recursive: true
description: "MySQL configuration"
- path: /etc/mongod.conf
recursive: false
description: "MongoDB configuration"
# System libraries
- path: /usr/lib
recursive: true
description: "System libraries"
- path: /lib
recursive: true
description: "System libraries"
# SSL/TLS certificates
- path: /etc/ssl/certs
recursive: true
description: "SSL certificates"
# Timezone data (important for timestamp operations)
- path: /usr/share/zoneinfo
recursive: true
description: "Timezone information"
# DNS resolution
- path: /etc/hosts
recursive: false
description: "Hosts file"
- path: /etc/resolv.conf
recursive: false
description: "DNS resolver configuration"
# Password files (for authentication)
- path: /etc/passwd
recursive: false
description: "User database"
- path: /etc/group
recursive: false
description: "Group database"
# Read-write access (ephemeral)
read_write_ephemeral:
# Temporary files
- path: /tmp
recursive: true
storage_type: tmpfs
description: "Temporary files (tmpfs)"
# Runtime state
- path: /var/run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
- path: /run
recursive: true
storage_type: tmpfs
description: "Runtime state files"
# PostgreSQL runtime
- path: /var/run/postgresql
recursive: true
storage_type: tmpfs
description: "PostgreSQL socket directory"
# MySQL runtime
- path: /var/run/mysqld
recursive: true
storage_type: tmpfs
description: "MySQL socket directory"
# Read-write access (persistent)
read_write_persistent:
# PostgreSQL data directory
- path: /var/lib/postgresql
recursive: true
storage_type: persistent
description: "PostgreSQL data directory"
# MySQL data directory
- path: /var/lib/mysql
recursive: true
storage_type: persistent
description: "MySQL data directory"
# MongoDB data directory
- path: /var/lib/mongodb
recursive: true
storage_type: persistent
description: "MongoDB data directory"
# Logs
- path: /var/log/postgresql
recursive: true
storage_type: persistent
description: "PostgreSQL logs"
- path: /var/log/mysql
recursive: true
storage_type: persistent
description: "MySQL logs"
- path: /var/log/mongodb
recursive: true
storage_type: persistent
description: "MongoDB logs"
# Backup directory (if using pg_dump, mysqldump, etc.)
- path: /var/backups/database
recursive: true
storage_type: persistent
description: "Database backups"
# Execute access
execute:
# Database server binaries
- path: /usr/lib/postgresql/*/bin/postgres
description: "PostgreSQL server"
- path: /usr/sbin/mysqld
description: "MySQL server"
- path: /usr/bin/mongod
description: "MongoDB server"
# Utility binaries (for maintenance scripts)
- path: /usr/bin/pg_dump
description: "PostgreSQL backup utility"
- path: /usr/bin/mysqldump
description: "MySQL backup utility"
# Network access
network:
# Allow binding to database ports
bind_ports:
- port: 5432
protocol: tcp
description: "PostgreSQL"
- port: 3306
protocol: tcp
description: "MySQL/MariaDB"
- port: 27017
protocol: tcp
description: "MongoDB"
- port: 6379
protocol: tcp
description: "Redis"
# Allow outbound connections
egress:
# DNS lookups
- port: 53
protocol: udp
description: "DNS queries"
# NTP (for time synchronization - critical for databases)
- port: 123
protocol: udp
description: "NTP time sync"
# Database replication (PostgreSQL)
- port: 5432
protocol: tcp
description: "PostgreSQL replication"
# Database replication (MySQL)
- port: 3306
protocol: tcp
description: "MySQL replication"
# Capabilities
# Databases need minimal capabilities
capabilities:
# IPC_LOCK allows locking memory (prevents swapping of sensitive data)
- CAP_IPC_LOCK
# SETUID/SETGID for dropping privileges after initialization
- CAP_SETUID
- CAP_SETGID
# CHOWN for managing file ownership
- CAP_CHOWN
# FOWNER for bypassing permission checks on owned files
- CAP_FOWNER
# DAC_READ_SEARCH for reading files during recovery
# - CAP_DAC_READ_SEARCH # Uncomment only if needed
# System calls allowed
syscalls:
allow:
# File operations
- open
- openat
- read
- write
- close
- stat
- fstat
- lstat
- lseek
- mmap
- munmap
- msync
- madvise
- fsync
- fdatasync
- ftruncate
- fallocate
- flock
- unlink
- rename
# Directory operations
- mkdir
- rmdir
- getdents
- getdents64
# Network operations
- socket
- bind
- listen
- accept
- accept4
- connect
- sendto
- recvfrom
- sendmsg
- recvmsg
- setsockopt
- getsockopt
- shutdown
# Process operations
- fork
- clone
- execve
- wait4
- exit
- exit_group
- kill
- getpid
- getppid
# Memory management
- brk
- mmap
- munmap
- mprotect
- mlock
- munlock
- mlockall
- munlockall
# Time
- gettimeofday
- clock_gettime
- clock_nanosleep
- nanosleep
# Synchronization
- futex
- semget
- semop
- semctl
- shmget
- shmat
- shmdt
- shmctl
# Signals
- rt_sigaction
- rt_sigprocmask
- rt_sigreturn
# Enforcement mode
enforcement:
mode: strict
log_violations: true
require_landlock: true
# Security notes
notes: |
Database containers require significant filesystem access for:
1. Data files (MUST be persistent storage)
2. Transaction logs (MUST be persistent storage)
3. Temporary files for sorts and joins
4. Socket files for IPC
CRITICAL SECURITY CONSIDERATIONS:
1. Data Directory Isolation:
- /var/lib/postgresql, /var/lib/mysql, etc. should be on dedicated volumes
- These directories MUST NOT be shared between containers
- Use encryption at rest for sensitive data
2. Network Isolation:
- Bind only to necessary interfaces (not 0.0.0.0 in production)
- Use firewall rules to restrict access to specific clients
- Consider TLS/SSL for all connections
3. Memory Locking:
- CAP_IPC_LOCK allows locking memory to prevent swapping
- Important for preventing sensitive data from being written to swap
- Ensure adequate memory limits in container manifest
4. Backup Security:
- Backup directory should be read-only from application perspective
- Use separate container/process for backup operations
- Encrypt backups and verify integrity
5. Replication:
- For replicated databases, allow outbound connections to replica nodes
- Use separate network namespace for replication traffic
- Verify TLS certificates on replication connections
PERFORMANCE NOTES:
- Use persistent storage (not overlay) for data directories
- Consider using dedicated block devices for I/O intensive workloads
- Monitor for Landlock overhead (should be minimal for database workloads)
Always test policies thoroughly with realistic workloads before production use.
Reference in New Issue View Git Blame Copy Permalink