lua: Add config to allow sandbox bypass

diff --git a/src/detect-lua.c b/src/detect-lua.c
index 360b61b20d2cb6e3044d3ea2affa68b5cc755631..78a94a41295388840e4a131efc7d67abf685aad8 100644 (file)
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -490,7 +490,11 @@ static void *DetectLuaThreadInit(void *data)
         goto error;
     }
 
-    luaL_openlibs(t->luastate);
+    if (lua->allow_restricted_functions) {
+        luaL_openlibs(t->luastate);
+    } else {
+        sb_loadrestricted(t->luastate);
+    }
 
     LuaRegisterExtensions(t->luastate);
 
@@ -589,7 +593,11 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
     lua_State *luastate = sb_newstate(ld->alloc_limit, ld->instruction_limit);
     if (luastate == NULL)
         return -1;
-    luaL_openlibs(luastate); // TODO: get sandbox config and load appropriate libs
+    if (ld->allow_restricted_functions) {
+        luaL_openlibs(luastate);
+    } else {
+        sb_loadrestricted(luastate);
+    }
 
     /* hackish, needed to allow unittests to pass buffers as scripts instead of files */
 #ifdef UNITTESTS
@@ -911,6 +919,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
     lua->alloc_limit = lua_alloc_limit;
     lua->instruction_limit = lua_instruction_limit;
 
+    int allow_restricted_functions = 0;
+    (void)ConfGetBool("security.lua.allow-restricted-functions", &allow_restricted_functions);
+    lua->allow_restricted_functions = allow_restricted_functions;
+
     if (DetectLuaSetupPrime(de_ctx, lua, s) == -1) {
         goto error;
     }

diff --git a/src/detect-lua.h b/src/detect-lua.h
index 5ec3c010229f72f1d79913ca33baf432ab9512fd..34762b2901c96f7a9d7c030a3606dec28e4ab389 100644 (file)
--- a/src/detect-lua.h
+++ b/src/detect-lua.h
@@ -57,6 +57,7 @@ typedef struct DetectLuaData {
     uint32_t gid;
     uint64_t alloc_limit;
     uint64_t instruction_limit;
+    int allow_restricted_functions;
 } DetectLuaData;
 
 #endif /* HAVE_LUA */