📚 Security Policy Configuration

Reference for cella's security policy system: seccomp profiles, AppArmor, and egress control.

Seccomp Profiles

cella provides three built-in seccomp profile tiers:

Strict

Default action: SCMP_ACT_ALLOW. Targeted SCMP_ACT_NOTIFY on dangerous syscalls — every flagged call triggers the operator approval overlay.

Best for high-security containers where every sensitive operation needs human approval
Dangerous syscalls: ptrace, mount, bpf, kexec_load, init_module, etc.

Moderate

Default action: SCMP_ACT_ALLOW. Dangerous syscalls are blocked outright with SCMP_ACT_ERRNO (returns EPERM). No approval overlay.

Good balance between security and convenience
Blocked syscalls: ptrace, mount, umount2, bpf, kexec_load, kexec_file_load, reboot, init_module, finit_module, delete_module

Permissive

Default action: SCMP_ACT_LOG. All syscalls are allowed but logged for visibility. No blocking, no approval.

Use for monitoring and profiling before applying stricter policies

AppArmor

cella reads AppArmor profile status from the LXD API (raw.apparmor config key). The Policy panel displays the active AppArmor profile per container.

Egress Control (nftables)

Per-container nftables rules are managed through the transparent proxy system:

PREROUTING REDIRECT chains per container
Domain allowlist with wildcard support (*.example.com)
All non-allowed domains require operator approval

DNS Monitoring

The DNS Monitor panel (D) captures DNS queries and supports per-domain allow/deny rules independent of the HTTP proxy.

LXD Config Keys Used

Key	Purpose
`raw.lxc`	Seccomp profile path (`lxc.seccomp.profile`)
`security.syscalls.deny`	BPF-based syscall deny list (set by `Z`)
`raw.apparmor`	AppArmor profile override
`security.nesting`	Allow nesting containers
`security.privileged`	Privileged container mode

← Home