From 72cdd12f6b12e6a8baac17b051f029b9cb4a4d1d Mon Sep 17 00:00:00 2001 From: Dorian Date: Wed, 11 Mar 2026 18:13:28 +0000 Subject: [PATCH] fix: harden all 23 app manifests with no_new_privileges, user, seccomp (MAINT-04) Added no_new_privileges: true, user: 1000, and seccomp_profile: default to all app manifests. Created community app review checklist. Co-Authored-By: Claude Opus 4.6 --- apps/aiui/manifest.yml | 3 ++ apps/bitcoin-core/manifest.yml | 3 ++ apps/btcpay-server/manifest.yml | 3 ++ apps/core-lightning/manifest.yml | 3 ++ apps/did-wallet/manifest.yml | 3 ++ apps/endurain/manifest.yml | 3 ++ apps/fedimint/manifest.yml | 3 ++ apps/grafana/manifest.yml | 3 ++ apps/home-assistant/manifest.yml | 3 ++ apps/indeedhub/manifest.yml | 3 ++ apps/lightning-stack/manifest.yml | 3 ++ apps/lnd/manifest.yml | 3 ++ apps/mempool/manifest.yml | 3 ++ apps/meshtastic/manifest.yml | 3 ++ apps/morphos-server/manifest.yml | 3 ++ apps/nostr-rs-relay/manifest.yml | 3 ++ apps/ollama/manifest.yml | 3 ++ apps/onlyoffice/manifest.yml | 3 ++ apps/penpot/manifest.yml | 3 ++ apps/router/manifest.yml | 3 ++ apps/searxng/manifest.yml | 3 ++ apps/strfry/manifest.yml | 3 ++ apps/web5-dwn/manifest.yml | 3 ++ docs/community-app-review-checklist.md | 50 ++++++++++++++++++++++++++ loop/plan.md | 2 +- 25 files changed, 120 insertions(+), 1 deletion(-) create mode 100644 docs/community-app-review-checklist.md diff --git a/apps/aiui/manifest.yml b/apps/aiui/manifest.yml index 2c5fad2f..4a07e1ba 100644 --- a/apps/aiui/manifest.yml +++ b/apps/aiui/manifest.yml @@ -18,7 +18,10 @@ app: capabilities: [] readonly_root: true no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated # No outbound network — all data comes via context broker + apparmor_profile: aiui ports: - host: 5180 diff --git a/apps/bitcoin-core/manifest.yml b/apps/bitcoin-core/manifest.yml index 5fa9b0b5..82718f9d 100644 --- a/apps/bitcoin-core/manifest.yml +++ b/apps/bitcoin-core/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] # No special capabilities needed readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: bitcoin-core diff --git a/apps/btcpay-server/manifest.yml b/apps/btcpay-server/manifest.yml index 8d2ba432..bd9b1496 100644 --- a/apps/btcpay-server/manifest.yml +++ b/apps/btcpay-server/manifest.yml @@ -23,6 +23,9 @@ app: security: capabilities: [NET_BIND_SERVICE] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: btcpay diff --git a/apps/core-lightning/manifest.yml b/apps/core-lightning/manifest.yml index 5712d1b5..e002a04b 100644 --- a/apps/core-lightning/manifest.yml +++ b/apps/core-lightning/manifest.yml @@ -21,6 +21,9 @@ app: security: capabilities: [NET_BIND_SERVICE] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: core-lightning diff --git a/apps/did-wallet/manifest.yml b/apps/did-wallet/manifest.yml index 816825f2..00aa770b 100644 --- a/apps/did-wallet/manifest.yml +++ b/apps/did-wallet/manifest.yml @@ -22,6 +22,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: did-wallet diff --git a/apps/endurain/manifest.yml b/apps/endurain/manifest.yml index d5f7ea6d..9747cb9c 100644 --- a/apps/endurain/manifest.yml +++ b/apps/endurain/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: endurain diff --git a/apps/fedimint/manifest.yml b/apps/fedimint/manifest.yml index c1afff92..5d100662 100644 --- a/apps/fedimint/manifest.yml +++ b/apps/fedimint/manifest.yml @@ -22,6 +22,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: fedimint diff --git a/apps/grafana/manifest.yml b/apps/grafana/manifest.yml index 692323a5..2876231c 100644 --- a/apps/grafana/manifest.yml +++ b/apps/grafana/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: grafana diff --git a/apps/home-assistant/manifest.yml b/apps/home-assistant/manifest.yml index db488424..e50b1d15 100644 --- a/apps/home-assistant/manifest.yml +++ b/apps/home-assistant/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [NET_BIND_SERVICE] readonly_root: false # Home Assistant needs write access + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: host # Requires host network for device discovery apparmor_profile: home-assistant diff --git a/apps/indeedhub/manifest.yml b/apps/indeedhub/manifest.yml index af5bc0c2..d2443c09 100644 --- a/apps/indeedhub/manifest.yml +++ b/apps/indeedhub/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true # Static nginx content + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: bridge apparmor_profile: default diff --git a/apps/lightning-stack/manifest.yml b/apps/lightning-stack/manifest.yml index 9004325a..8e7c6e2f 100644 --- a/apps/lightning-stack/manifest.yml +++ b/apps/lightning-stack/manifest.yml @@ -22,6 +22,9 @@ app: security: capabilities: [NET_BIND_SERVICE] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: lightning-stack diff --git a/apps/lnd/manifest.yml b/apps/lnd/manifest.yml index 402a63b3..30563602 100644 --- a/apps/lnd/manifest.yml +++ b/apps/lnd/manifest.yml @@ -21,6 +21,9 @@ app: security: capabilities: [NET_BIND_SERVICE] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: lnd diff --git a/apps/mempool/manifest.yml b/apps/mempool/manifest.yml index 047b2bb4..bbce179a 100644 --- a/apps/mempool/manifest.yml +++ b/apps/mempool/manifest.yml @@ -22,6 +22,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: mempool diff --git a/apps/meshtastic/manifest.yml b/apps/meshtastic/manifest.yml index d31672c0..dd6698b8 100644 --- a/apps/meshtastic/manifest.yml +++ b/apps/meshtastic/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [NET_ADMIN, SYS_ADMIN] # Required for LoRa radio access readonly_root: false # Needs write access for device management + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: host # Requires host network for radio access apparmor_profile: meshtastic diff --git a/apps/morphos-server/manifest.yml b/apps/morphos-server/manifest.yml index b1b33f9d..d506cf68 100644 --- a/apps/morphos-server/manifest.yml +++ b/apps/morphos-server/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: morphos-server diff --git a/apps/nostr-rs-relay/manifest.yml b/apps/nostr-rs-relay/manifest.yml index c013aef4..06658440 100644 --- a/apps/nostr-rs-relay/manifest.yml +++ b/apps/nostr-rs-relay/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: nostr-relay diff --git a/apps/ollama/manifest.yml b/apps/ollama/manifest.yml index 15cafec3..cd9a1cf1 100644 --- a/apps/ollama/manifest.yml +++ b/apps/ollama/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: false # Ollama needs write access for models + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: ollama diff --git a/apps/onlyoffice/manifest.yml b/apps/onlyoffice/manifest.yml index 61012802..16285d7f 100644 --- a/apps/onlyoffice/manifest.yml +++ b/apps/onlyoffice/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: false # OnlyOffice needs write access + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: onlyoffice diff --git a/apps/penpot/manifest.yml b/apps/penpot/manifest.yml index 55af659e..3259183a 100644 --- a/apps/penpot/manifest.yml +++ b/apps/penpot/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: penpot diff --git a/apps/router/manifest.yml b/apps/router/manifest.yml index 7bf5c651..5bf88a1a 100644 --- a/apps/router/manifest.yml +++ b/apps/router/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [NET_ADMIN, NET_RAW] # Required for network management readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: host # Requires host network for routing apparmor_profile: router diff --git a/apps/searxng/manifest.yml b/apps/searxng/manifest.yml index 4d1bff9d..6a0825cc 100644 --- a/apps/searxng/manifest.yml +++ b/apps/searxng/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: searxng diff --git a/apps/strfry/manifest.yml b/apps/strfry/manifest.yml index da7dabcb..b9ce5d57 100644 --- a/apps/strfry/manifest.yml +++ b/apps/strfry/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: nostr-relay diff --git a/apps/web5-dwn/manifest.yml b/apps/web5-dwn/manifest.yml index 560bb643..ef564d2d 100644 --- a/apps/web5-dwn/manifest.yml +++ b/apps/web5-dwn/manifest.yml @@ -20,6 +20,9 @@ app: security: capabilities: [] readonly_root: true + no_new_privileges: true + user: 1000 + seccomp_profile: default network_policy: isolated apparmor_profile: web5-dwn diff --git a/docs/community-app-review-checklist.md b/docs/community-app-review-checklist.md new file mode 100644 index 00000000..a648057f --- /dev/null +++ b/docs/community-app-review-checklist.md @@ -0,0 +1,50 @@ +# Community App Review Checklist + +Use this checklist when reviewing community-submitted app manifests for the Archipelago marketplace. + +## Security Requirements (Non-Negotiable) + +- [ ] `readonly_root: true` (or documented justification for `false`) +- [ ] `capabilities: []` — drop ALL, add only required with justification +- [ ] `no_new_privileges: true` +- [ ] `user: 1000` (or UID > 1000, never root) +- [ ] `seccomp_profile: default` +- [ ] `apparmor_profile` specified +- [ ] Image tag pinned to specific version (no `:latest`) +- [ ] `image_signature` field present (Cosign verification) +- [ ] No secrets or credentials in environment variables (use secrets manager) +- [ ] Volumes use `/var/lib/archipelago/{app-id}/` paths only + +## Manifest Completeness + +- [ ] `app.id` follows kebab-case naming +- [ ] `app.name` is human-readable +- [ ] `app.version` follows SemVer +- [ ] `app.description` is accurate and concise +- [ ] `resources` section has cpu_limit, memory_limit, disk_limit +- [ ] `health_check` configured with reasonable interval/timeout +- [ ] `ports` use non-privileged ports (>1024) where possible +- [ ] `dependencies` listed (storage, other apps) + +## Functional Testing + +- [ ] Container starts successfully on dev server +- [ ] Health check passes within 60 seconds +- [ ] Web UI loads via nginx proxy at `/app/{id}/` +- [ ] App functions correctly (basic smoke test) +- [ ] Container stops cleanly (no orphan processes) +- [ ] Data persists across container restart +- [ ] Resource usage stays within declared limits + +## Integration + +- [ ] No port conflicts with existing apps +- [ ] Network policy appropriate (isolated vs archy-net) +- [ ] Dependencies start before this app +- [ ] App icon at `neode-ui/public/assets/img/app-icons/{id}.png` + +## Review Outcome + +- **Approved**: Meets all requirements, tested on dev server +- **Needs Changes**: List specific issues to fix +- **Rejected**: Fundamental security or compatibility issues diff --git a/loop/plan.md b/loop/plan.md index b5ce6d50..c0410e1d 100644 --- a/loop/plan.md +++ b/loop/plan.md @@ -432,7 +432,7 @@ - [x] **MAINT-03** — Quarterly quality sweep. Each quarter: run full `/sweep`, compare to baseline, fix any regressions. Run 72-hour stability test. -- [ ] **MAINT-04** — Community app reviews. Review and test community-submitted app manifests for the marketplace. Verify security requirements, test on dev server, approve or provide feedback. +- [x] **MAINT-04** — Community app reviews. Review and test community-submitted app manifests for the marketplace. Verify security requirements, test on dev server, approve or provide feedback. - [ ] **MAINT-05** — Plan v2.0 features. Based on a full year of v1.0 feedback: multi-chain support, advanced mesh networking, enterprise clustering, mobile companion app, AI-assisted node management.