If the Landlock ABI is lower than 2 (before Linux 5.19), renaming
files is impossible when the protection is enabled. This
patch disables Landlock if ABI < 2 and file-store is enabled.
As the file store is initialized in output, the call to Landlock had to
be done after the output initialization.
exit(EXIT_FAILURE);
}
- LandlockSandboxing(&suricata);
-
SCDropMainThreadCaps(suricata.userid, suricata.groupid);
/* Re-enable coredumps after privileges are dropped. */
PreRunPostPrivsDropInit(suricata.run_mode);
+ LandlockSandboxing(&suricata);
+
PostConfLoadedDetectSetup(&suricata);
if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
goto out;
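Review bot: The moved `LandlockSandboxing(&suricata);` call now depends on running after output setup, but nothing at the call site records that; per the commit description the file-store feature only becomes known during output initialization (presumably inside `PreRunPostPrivsDropInit`, whose body is not shown here). If the call is later moved back up, the `RequiresFeature(FEATURE_OUTPUT_FILESTORE)` check would presumably see the feature as absent and take the REFER-stripping branch on ABI 1, bringing the rename failure back without any error. I would add a comment above the call such as `/* Must run after output init: the Landlock ruleset setup checks whether file-store is enabled. */`. The move also means `SCDropMainThreadCaps` and `PreRunPostPrivsDropInit` now run before any filesystem restriction applies, and the ruleset is enforced after capabilities are dropped, so it is worth confirming that the enforcement path sets no_new_privs rather than relying on CAP_SYS_ADMIN. The enclosing function starts and ends outside the hunk.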
#include "suricata.h"
#include "util-conf.h"
+#include "util-file.h"
#include "util-landlock.h"
#include "util-mem.h"
+#include "feature.h"
#ifndef HAVE_LINUX_LANDLOCK_H
return NULL;
}
if (abi < 2) {
- ruleset->attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+ if (RequiresFeature(FEATURE_OUTPUT_FILESTORE)) {
+ SCLogError(SC_ERR_NOT_SUPPORTED,
+ "Landlock disabled: need Linux 5.19+ for file store support");
+ SCFree(ruleset);
+ return NULL;
+ } else {
+ ruleset->attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+ }
}
ruleset->fd = landlock_create_ruleset(&ruleset->attr, sizeof(ruleset->attr), 0);
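Review bot: On ABI < 2 with file-store enabled, the new branch returns NULL after a single `SCLogError`, which as far as this hunk shows means the engine carries on with no Landlock restrictions at all even though the operator enabled them, i.e. it fails open. How the caller treats the NULL return is outside the hunk; if startup does continue, the message should say so explicitly, e.g. `"Landlock disabled, running without filesystem sandboxing: need Linux 5.19+ for file store support"`, and a fatal exit or an option to require the sandbox may be worth considering for deployments that rely on it. As a style point, the `else` after `return NULL;` is redundant; `ruleset->attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;` can follow the inner `if` directly. The function begins before and continues past the hunk.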