datasets: flag to disable "write" actions

Add a new configuration flag, "datasets.rules.allow-write" to control
if rules can contain "save" or "state" rules which allow write access
to the file system.

Ticket: #6123

diff --git a/src/detect-dataset.c b/src/detect-dataset.c
index 56bbf2689da7b0ebf195ee0c8742965eec95772f..3d2964605e6e628f6e0b8a18296d5a04473ef65f 100644 (file)
--- a/src/detect-dataset.c
+++ b/src/detect-dataset.c
@@ -303,6 +303,14 @@ static int SetupSavePath(const DetectEngineCtx *de_ctx,
 {
     SCLogDebug("save %s", save);
 
+    int allow_save = 1;
+    if (ConfGetBool("datasets.rules.allow-write", &allow_save)) {
+        if (!allow_save) {
+            SCLogError("Rules containing save/state datasets have been disabled");
+            return -1;
+        }
+    }
+
     int allow_absolute = 0;
     (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute);
     if (allow_absolute) {

diff --git a/suricata.yaml.in b/suricata.yaml.in
index c748f0a564564944605de1a82b8410f69b51db9a..fc7cc3885f1927859a01e852b3986c15e655783f 100644 (file)
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1164,6 +1164,11 @@ asn1-max-frames: 256
 #    # ".." components to reference parent directories in rules that specify
 #    # their filenames.
 #    #allow-absolute-filenames: false
+#
+#    # Allow datasets in rules write access for "save" and
+#    # "state". This is enabled by default, however write access is
+#    # limited to the data directory.
+#    #allow-write: true
 
 ##############################################################################
 ##