suricata: Enable landlock security feature
authorStefan Schantl <stefan.schantl@ipfire.org>
Fri, 5 Apr 2024 19:26:39 +0000 (21:26 +0200)
committerMichael Tremer <michael.tremer@ipfire.org>
Mon, 8 Apr 2024 14:57:09 +0000 (14:57 +0000)
This will limit the suricata process to only read and write to certain
files/directories.

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/suricata/suricata.yaml

index 165a2442d22b060fb60ec90eab36a5bb0cc8dc4d..dd6a42e915eda042efc34186812f36602d5ebb25 100644 (file)
@@ -768,16 +768,16 @@ security:
   limit-noproc: true
   # Use landlock security module under Linux
   landlock:
-    enabled: no
+    enabled: yes
     directories:
-      #write:
-      #  - @e_rundir@
+      write:
+        - /run
       # /usr and /etc folders are added to read list to allow
       # file magic to be used.
       read:
-        - /usr/
-        - /etc/
-        - @e_sysconfdir@
+        - /usr/share/misc/magic.mgc
+        - /var/ipfire/suricata/
+        - /var/lib/suricata/rules/
 
   lua:
     # Allow Lua rules. Disabled by default.
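Review bot: The comment kept above the `read:` list, `# /usr and /etc folders are added to read list to allow file magic to be used.`, is now stale: the new side replaces `/usr/` and `/etc/` with the single magic database plus two IPFire directories, so the comment no longer describes the list below it; consider `# The file-magic database and the IPFire config and rule directories are the only read paths.` Within the same `security:` stanza the existing key uses `limit-noproc: true` while the new line uses `enabled: yes`; writing `enabled: true` keeps the booleans consistent (Suricata appears to accept both spellings, so this is style only). The new `write:` entry grants the whole of `/run`; if the process only needs its pid file or socket under a dedicated subdirectory, listing that subdirectory instead would keep the landlock sandbox tighter — I cannot tell from the hunk which path IPFire uses. Note also that dropping `/usr/` and `/etc/` from the read list relies on Suricata adding whatever it needs at startup itself; worth confirming on a running system that rule loading and log writing still succeed with landlock enabled.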