// Network/IOT Security Profile
// For embedded devices and IoT with minimal resources and strict isolation
//
// Reviewer notes are marked NOTE(review). They flag settings whose practical
// effect depends on how the runtime interprets this profile; confirm them
// against the runtime's documentation rather than this file alone.

profile "NetworkIOT" {
    version "1.0"
    description "Strict isolation with minimal resources for embedded devices"

    // Isolation settings (strict for IoT security)
    isolation {
        level "Strict" // Mount + PID + network + IPC namespaces (UTS is also enabled in the block below)

        namespaces {
            mount true
            pid true
            network true
            ipc true
            // NOTE(review): the user namespace is the only one left off. Without it
            // the sandboxed process keeps the host's UID/GID view, so the other
            // namespaces do not remap identity — confirm the runtime drops to an
            // unprivileged user by some other means before relying on "Strict".
            user false
            uts true
        }
    }

    // Desktop integration (disabled for headless)
    desktop {
        integration false
        themes false
        fonts false
        clipboard false
        dbus false
    }

    // Network access (minimal for IoT)
    network {
        access "Minimal"
        // "no_local_network" here and allow_local_network false below state the
        // same policy; keep the two in sync if either is changed.
        restrictions [
            "no_local_network"
            "whitelist_only"
        ]
        allow_local_network false
        // NOTE(review): entries are hostnames, so enforcement depends on name
        // resolution at the point the runtime applies the allowlist; whether
        // ports or protocols are also constrained is not visible here — confirm.
        // The example.com names are placeholders to be replaced per deployment.
        whitelist [
            "mqtt.example.com"
            "api.example.com"
        ]
    }

    // Resource limits (minimal for embedded)
    resources {
        max_memory "512MB"
        max_cpu 0.5
        max_disk "256MB"
        max_processes 20
        // NOTE(review): a broker such as mosquitto typically holds one descriptor
        // per client connection plus listeners and log files; 128 may be reached
        // under modest load — size this to the expected client count.
        max_open_files 128
    }

    // XDG enforcement (strict)
    xdg {
        enforce true
        redirect_legacy true
        strict_mode true
    }

    // Security settings (maximum for IoT)
    security {
        allow_system_units false
        // NOTE(review): "Full" audit logging within a 256MB disk budget needs
        // rotation or remote shipping, otherwise log growth can exhaust max_disk
        // — confirm how the runtime handles this.
        audit_logging "Full"
        // Duplicates isolation.namespaces.network above; keep both true together.
        network_namespace true
        filesystem_isolation true
        // NOTE(review): with a read-only root, any state the packages below may
        // need (e.g. broker persistence) must live on an explicitly writable path.
        read_only_root true
    }

    // Default packages for IoT
    recommended_packages [
        "busybox"
        "mosquitto"
    ]
}