SecAI-Hub
diff --git a/‎files/system/etc/secure-ai/config/appliance.yaml‎
Lines changed: 35 additions & 0 deletions b/‎files/system/etc/secure-ai/config/appliance.yaml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎files/system/etc/secure-ai/policy/landlock.yaml‎
Lines changed: 176 additions & 0 deletions b/‎files/system/etc/secure-ai/policy/landlock.yaml‎
Lines changed: 176 additions & 0 deletions
diff --git a/‎files/system/etc/secure-ai/seccomp/airlock.json‎
Lines changed: 76 additions & 0 deletions b/‎files/system/etc/secure-ai/seccomp/airlock.json‎
Lines changed: 76 additions & 0 deletions
diff --git a/‎files/system/etc/secure-ai/seccomp/diffusion.json‎
Lines changed: 90 additions & 0 deletions b/‎files/system/etc/secure-ai/seccomp/diffusion.json‎
Lines changed: 90 additions & 0 deletions
@@ -66,6 +66,41 @@ monitoring:
   # On mismatch: model is quarantined, removed from manifest, workers restarted.
   integrity_interval: 15  # minutes (5, 15, 30, or 60)
 
+  # Audit log chain verification interval (minutes). Walks every hash-chained
+  # audit log and verifies the chain is intact. On break: snapshots the broken
+  # log and raises a CRITICAL alert.
+  audit_interval: 30  # minutes
+
+vault:
+  # Auto-lock timeout in minutes. After this period of inactivity the vault
+  # is automatically locked (unmounted + LUKS closed), stopping all AI services.
+  # Set to 0 to disable auto-lock (not recommended).
+  auto_lock_timeout: 30
+  # How often the watchdog checks for inactivity (seconds).
+  check_interval: 30
+
+auth:
+  # Session timeout in minutes. After this period of inactivity the user
+  # must re-authenticate. Setting to 0 disables timeout (not recommended).
+  session_timeout: 30
+  # Maximum failed login attempts before lockout.
+  max_failed_attempts: 5
+  # Initial lockout duration in seconds after max_failed_attempts.
+  lockout_duration: 60
+  # Escalated lockout after 15 failed attempts (seconds).
+  escalated_lockout: 900
+
+sandbox:
+  # Per-service process isolation (M16).
+  # seccomp: JSON profiles in /etc/secure-ai/seccomp/ define allowed syscalls.
+  # landlock: YAML policy in /etc/secure-ai/policy/landlock.yaml restricts filesystem access.
+  # Both are enabled by default. If Landlock is unavailable (kernel < 5.13),
+  # enforcement is skipped with a warning.
+  seccomp_enabled: true
+  landlock_enabled: true
+  # Core dump prevention across all services (LimitCORE=0).
+  core_dumps_disabled: true
+
 logging:
   level: "info"
   store_raw_prompts: false
 
@@ -0,0 +1,176 @@
+# Landlock LSM Filesystem Access Policies
+#
+# Per-service filesystem access allowlists. Each service is restricted to
+# only the paths listed here. Access types:
+#   ro  = read-only (LANDLOCK_ACCESS_FS_READ_FILE + READ_DIR)
+#   rw  = read-write (all read + WRITE_FILE + REMOVE_FILE + MAKE_REG + MAKE_DIR)
+#   exe = execute (LANDLOCK_ACCESS_FS_EXECUTE)
+#
+# These policies are applied by the landlock-apply helper at service start.
+# If Landlock is not available (kernel < 5.13), the policies are skipped
+# with a warning in the audit log.
+
+version: 1
+
+services:
+  inference:
+    description: "Inference worker — read-only model access, no output writes"
+    paths:
+      - path: /var/lib/secure-ai/registry
+        access: ro
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/bin/llama-server
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /tmp
+        access: rw
+
+  diffusion:
+    description: "Diffusion worker — model read, output write"
+    paths:
+      - path: /var/lib/secure-ai/registry
+        access: ro
+      - path: /var/lib/secure-ai/vault/outputs
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/bin/python3
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /opt/secure-ai/services
+        access: ro
+      - path: /tmp
+        access: rw
+
+  registry:
+    description: "Trusted registry — manifest + model store read-write, config read-only"
+    paths:
+      - path: /var/lib/secure-ai/registry
+        access: rw
+      - path: /var/lib/secure-ai/logs
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/libexec/secure-ai/registry
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /tmp
+        access: rw
+
+  ui:
+    description: "Web UI — quarantine write, auth write, logs write, config read-only"
+    paths:
+      - path: /var/lib/secure-ai/quarantine
+        access: rw
+      - path: /var/lib/secure-ai/auth
+        access: rw
+      - path: /var/lib/secure-ai/logs
+        access: rw
+      - path: /run/secure-ai
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/libexec/secure-ai/ui
+        access: exe
+      - path: /usr/bin/python3
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /opt/secure-ai/services
+        access: ro
+      - path: /tmp
+        access: rw
+
+  tool_firewall:
+    description: "Tool firewall — policy read, vault read-only, audit log write"
+    paths:
+      - path: /var/lib/secure-ai/vault
+        access: ro
+      - path: /var/lib/secure-ai/logs
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/libexec/secure-ai/tool-firewall
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /tmp
+        access: rw
+
+  quarantine:
+    description: "Quarantine watcher — quarantine rw, registry rw, logs rw"
+    paths:
+      - path: /var/lib/secure-ai/quarantine
+        access: rw
+      - path: /var/lib/secure-ai/registry
+        access: rw
+      - path: /var/lib/secure-ai/logs
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/bin/python3
+        access: exe
+      - path: /usr/bin/llama-server
+        access: exe
+      - path: /usr/bin/sha256sum
+        access: exe
+      - path: /usr/bin/cosign
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /opt/secure-ai/services
+        access: ro
+      - path: /tmp
+        access: rw
+
+  airlock:
+    description: "Airlock — policy read, logs write, outbound network (not restricted by Landlock)"
+    paths:
+      - path: /var/lib/secure-ai/logs
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/libexec/secure-ai/airlock
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /tmp
+        access: rw
+
+  search_mediator:
+    description: "Search mediator — config read, logs write"
+    paths:
+      - path: /var/lib/secure-ai/logs
+        access: rw
+      - path: /etc/secure-ai
+        access: ro
+      - path: /usr/libexec/secure-ai/search-mediator
+        access: exe
+      - path: /usr/bin/python3
+        access: exe
+      - path: /usr/lib
+        access: ro
+      - path: /usr/lib64
+        access: ro
+      - path: /opt/secure-ai/services
+        access: ro
+      - path: /tmp
+        access: rw
@@ -0,0 +1,76 @@
+{
+  "_comment": "Seccomp profile for airlock (Go binary). ONLY service with outbound network. No exec, no raw device access, file write only to audit logs.",
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "defaultErrnoRet": 1,
+  "archMap": [
+    { "architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86"] },
+    { "architecture": "SCMP_ARCH_AARCH64", "subArchitectures": [] }
+  ],
+  "syscalls": [
+    {
+      "_comment": "Core process lifecycle",
+      "names": [
+        "read", "write", "close", "fstat", "lstat", "stat", "newfstatat",
+        "lseek", "mmap", "mprotect", "munmap", "brk", "mremap",
+        "rt_sigaction", "rt_sigprocmask", "rt_sigreturn",
+        "pread64", "pwrite64", "readv", "writev",
+        "access", "pipe", "pipe2", "dup", "dup2", "dup3",
+        "getpid", "getuid", "getgid", "geteuid", "getegid",
+        "getppid", "gettid", "getdents64",
+        "clone", "clone3", "wait4",
+        "exit", "exit_group",
+        "futex", "futex_waitv",
+        "set_robust_list", "get_robust_list",
+        "nanosleep", "clock_nanosleep", "clock_gettime", "clock_getres",
+        "gettimeofday",
+        "sched_yield", "sched_getaffinity",
+        "set_tid_address",
+        "arch_prctl", "prctl",
+        "getrandom", "rseq"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "File operations (policy read, audit log write)",
+      "names": [
+        "open", "openat", "openat2", "fcntl",
+        "fadvise64",
+        "ftruncate", "fsync", "fdatasync",
+        "readlink", "readlinkat",
+        "statx", "statfs", "fstatfs",
+        "getcwd", "umask"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Event polling (Go runtime)",
+      "names": [
+        "epoll_create", "epoll_create1", "epoll_ctl", "epoll_wait", "epoll_pwait",
+        "poll", "ppoll", "select", "pselect6",
+        "eventfd", "eventfd2",
+        "timerfd_create", "timerfd_settime", "timerfd_gettime"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Network — outbound (HTTPS to allowlisted URLs) + localhost (:8490)",
+      "names": [
+        "socket", "bind", "listen", "accept", "accept4",
+        "connect", "getsockopt", "setsockopt",
+        "getsockname", "getpeername",
+        "sendto", "recvfrom", "sendmsg", "recvmsg",
+        "shutdown"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Go runtime internals",
+      "names": [
+        "madvise", "sigaltstack",
+        "tgkill", "tkill",
+        "set_thread_area", "get_thread_area"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    }
+  ]
+}
@@ -0,0 +1,90 @@
+{
+  "_comment": "Seccomp profile for diffusion worker (Python). Same as inference (GPU ioctl) plus image/video write syscalls. No outbound network.",
+  "defaultAction": "SCMP_ACT_ERRNO",
+  "defaultErrnoRet": 1,
+  "archMap": [
+    { "architecture": "SCMP_ARCH_X86_64", "subArchitectures": ["SCMP_ARCH_X86"] },
+    { "architecture": "SCMP_ARCH_AARCH64", "subArchitectures": [] }
+  ],
+  "syscalls": [
+    {
+      "_comment": "Core process lifecycle",
+      "names": [
+        "read", "write", "close", "fstat", "lstat", "stat", "newfstatat",
+        "lseek", "mmap", "mprotect", "munmap", "brk", "mremap",
+        "rt_sigaction", "rt_sigprocmask", "rt_sigreturn",
+        "pread64", "pwrite64", "readv", "writev",
+        "access", "pipe", "pipe2", "dup", "dup2", "dup3",
+        "getpid", "getuid", "getgid", "geteuid", "getegid",
+        "getppid", "gettid", "getdents64",
+        "clone", "clone3", "wait4", "waitid",
+        "exit", "exit_group",
+        "futex", "futex_waitv",
+        "set_robust_list", "get_robust_list",
+        "nanosleep", "clock_nanosleep", "clock_gettime", "clock_getres",
+        "gettimeofday",
+        "sched_yield", "sched_getaffinity", "sched_setaffinity",
+        "set_tid_address",
+        "arch_prctl", "prctl",
+        "getrandom", "rseq"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "File operations (model read + output write)",
+      "names": [
+        "open", "openat", "openat2", "fcntl",
+        "fadvise64", "fallocate",
+        "rename", "renameat", "renameat2",
+        "unlink", "unlinkat",
+        "mkdir", "mkdirat",
+        "ftruncate", "fsync", "fdatasync",
+        "readlink", "readlinkat",
+        "statx", "statfs", "fstatfs",
+        "getcwd", "umask", "fchmod", "fchmodat",
+        "copy_file_range", "sendfile"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "GPU ioctl — required for CUDA/ROCm/Vulkan",
+      "names": ["ioctl"],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Memory-mapped I/O for model loading",
+      "names": ["madvise", "mincore", "msync"],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Event polling",
+      "names": [
+        "epoll_create", "epoll_create1", "epoll_ctl", "epoll_wait", "epoll_pwait",
+        "poll", "ppoll", "select", "pselect6",
+        "eventfd", "eventfd2",
+        "timerfd_create", "timerfd_settime", "timerfd_gettime"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Localhost socket for health check only (bound by PrivateNetwork)",
+      "names": [
+        "socket", "bind", "listen", "accept", "accept4",
+        "connect", "getsockopt", "setsockopt",
+        "getsockname", "getpeername",
+        "sendto", "recvfrom", "sendmsg", "recvmsg",
+        "shutdown"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    },
+    {
+      "_comment": "Thread management + Python runtime",
+      "names": [
+        "set_thread_area", "get_thread_area",
+        "tgkill", "tkill",
+        "sigaltstack"
+      ],
+      "action": "SCMP_ACT_ALLOW"
+    }
+  ]
+}