pledge(2) can be used on OpenBSD to restrict suricata's possible
operations on the system once initialization is completed.
The process promises to only make use of:
- "stdio" to allow read(2) on IPS rules and write(2) on log file
- "rpath wpath cpath" to allow log rotation
- "unix" to operate the control unix socket and log unix sockets
- "dns" to retrieve DNS from recvfrom(2)/sendto(2) in IPFW mode
- "bpf" as suricata uses libpcap, which uses the BIOCGSTATS operation
Signed-off-by: Emmanuel Roullit <emmanuel.roullit@cognitix.de>
#endif
#endif
+ SCPledge();
SuricataMainLoop(&suricata);
/* Update the engine stage/status flag */
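Review bot: The added `SCPledge();` call has no comment telling a maintainer that everything after it runs under a fixed promise set, and that on OpenBSD a system call outside that set terminates the process instead of returning an error. I would add above the call `/* pledge(2): from here on only the promises listed in SCPledge() are available; anything needing more must be set up before this line. */`. It is also worth confirming that features which open resources lazily during the main loop, such as outputs that reconnect, still work after this point; that cannot be judged from the lines shown. The enclosing function starts and ends outside the hunk.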
CASE_CODE (SC_ERR_CHANGING_CAPS_FAILED);
CASE_CODE (SC_ERR_LIBCAP_NG_REQUIRED);
CASE_CODE (SC_ERR_LIBNET11_INCOMPATIBLE_WITH_LIBCAP_NG);
+ CASE_CODE (SC_ERR_PLEDGE_FAILED);
CASE_CODE (SC_WARN_FLOW_EMERGENCY);
CASE_CODE (SC_ERR_SVC);
CASE_CODE (SC_ERR_ERF_DAG_OPEN_FAILED);
SC_WARN_RUST_NOT_AVAILABLE,
SC_WARN_DEFAULT_WILL_CHANGE,
SC_WARN_EVE_MISSING_EVENTS,
+ SC_ERR_PLEDGE_FAILED,
SC_ERR_MAX,
} SCError;
return 0;
}
+
+#ifdef __OpenBSD__
+int SCPledge(void)
+{
+ int ret = pledge("stdio rpath wpath cpath unix dns bpf", NULL);
+
+ if (ret != 0) {
+ SCLogError(SC_ERR_PLEDGE_FAILED, "unable to pledge,"
+ " check permissions!! ret=%i errno=%i", ret, errno);
+ exit(EXIT_FAILURE);
+ }
+
+ return 0;
+}
+#endif /* __OpenBSD__ */
#endif /* OS_WIN32 */
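Review bot: The promise string in `SCPledge` keeps `rpath wpath cpath`, so after the call the process can still read, write and create any path its uid is permitted to; pledge alone does not confine file access to the log and rule directories. Where the targeted OpenBSD release provides unveil(2), calling it for those directories before `pledge()` would narrow this. Otherwise the residual exposure deserves a comment next to the string, together with the per-promise rationale that currently lives only in the commit message. The failure message is also misleading, since it prints errno as a bare number and says "check permissions" although pledge(2) also fails on an invalid promise string; `SCLogError(SC_ERR_PLEDGE_FAILED, "pledge(2) failed: %s", strerror(errno));` would be clearer. The includes are outside the hunk, so check that `<errno.h>` and `<string.h>` are already pulled in.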
int SCGetUserID(const char *, const char *, uint32_t *, uint32_t *);
int SCGetGroupID(const char *, uint32_t *);
+#ifdef __OpenBSD__
+int SCPledge(void);
+#else /* __OpenBSD__ */
+#define SCPledge(...)
+#endif /* __OpenBSD__ */
+
#endif /* _UTIL_PRIVS_H */
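Review bot: The non-OpenBSD fallback `#define SCPledge(...)` expands to nothing while the OpenBSD prototype returns `int`, so a caller that tests the result compiles on OpenBSD only. A `static inline int SCPledge(void) { return 0; }` in the `#else` branch keeps both variants type-compatible. Alternatively, declare the function `void` on OpenBSD, since the implementation exits on failure and otherwise only ever returns 0.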