landlock: add read/write permission to MPM cache directory

author Lukas Sismis <lsismis@oisf.net>

Wed, 26 Mar 2025 12:52:29 +0000 (19:52 +0700)

committer Victor Julien <victor@inliniac.net>

Sat, 29 Mar 2025 05:38:02 +0000 (06:38 +0100)
author Lukas Sismis <lsismis@oisf.net>
Wed, 26 Mar 2025 12:52:29 +0000 (19:52 +0700)
committer Victor Julien <victor@inliniac.net>
Sat, 29 Mar 2025 05:38:02 +0000 (06:38 +0100)
diff --git a/src/util-landlock.c b/src/util-landlock.c

index fcc46a0d8f38afb458dd3c4b96b3aa32cfde3da8..27c01427f96f3390259418bf921c355963c57261 100644 (file)
--- a/src/util-landlock.c
+++ b/src/util-landlock.c
@@ -22,6 +22,7 @@
   */
  
  #include "suricata.h"
+#include "detect-engine.h"
  #include "feature.h"
  #include "util-conf.h"
  #include "util-file.h"
@@ -201,6 +202,10 @@ void LandlockSandboxing(SCInstance *suri)
          LandlockSandboxingAddRule(ruleset, ConfigGetDataDirectory(),
                  _LANDLOCK_SURI_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_READ);
      }
+    if (DetectEngineMpmCachingEnabled() && stat(DetectEngineMpmCachingGetPath(), &sb) == 0) {
+        LandlockSandboxingAddRule(ruleset, DetectEngineMpmCachingGetPath(),
+                _LANDLOCK_SURI_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_READ);
+    }
      if (suri->run_mode == RUNMODE_PCAP_FILE) {
          const char *pcap_file;
          if (ConfGet("pcap-file.file", &pcap_file) == 1) {
author	Lukas Sismis <lsismis@oisf.net>
	Wed, 26 Mar 2025 12:52:29 +0000 (19:52 +0700)
committer	Victor Julien <victor@inliniac.net>
	Sat, 29 Mar 2025 05:38:02 +0000 (06:38 +0100)