From: Jo Johnson
Date: Mon, 5 Feb 2024 20:03:59 +0000 (-0800)
Subject: lua: Add config to allow sandbox bypass
X-Git-Tag: suricata-8.0.0-beta1~1263
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04adb0c0f65caf8f992c0f6eeb39aaf5d0c47e20;p=thirdparty%2Fsuricata.git

lua: Add config to allow sandbox bypass
---
diff --git a/src/detect-lua.c b/src/detect-lua.c
index 360b61b20d..78a94a4129 100644
--- a/src/detect-lua.c
+++ b/src/detect-lua.c
@@ -490,7 +490,11 @@ static void *DetectLuaThreadInit(void *data)
 goto error;
 }
 
- luaL_openlibs(t->luastate);
+ if (lua->allow_restricted_functions) {
+ luaL_openlibs(t->luastate);
+ } else {
+ sb_loadrestricted(t->luastate);
+ }
 
 LuaRegisterExtensions(t->luastate);
 
@@ -589,7 +593,11 @@ static int DetectLuaSetupPrime(DetectEngineCtx *de_ctx, DetectLuaData *ld, const
 lua_State *luastate = sb_newstate(ld->alloc_limit, ld->instruction_limit);
 if (luastate == NULL)
 return -1;
- luaL_openlibs(luastate); // TODO: get sandbox config and load appropriate libs
+ if (ld->allow_restricted_functions) {
+ luaL_openlibs(luastate);
+ } else {
+ sb_loadrestricted(luastate);
+ }
 
 /* hackish, needed to allow unittests to pass buffers as scripts instead of files */
 #ifdef UNITTESTS
@@ -911,6 +919,10 @@ static int DetectLuaSetup (DetectEngineCtx *de_ctx, Signature *s, const char *st
 lua->alloc_limit = lua_alloc_limit;
 lua->instruction_limit = lua_instruction_limit;
 
+ int allow_restricted_functions = 0;
+ (void)ConfGetBool("security.lua.allow-restricted-functions", &allow_restricted_functions);
+ lua->allow_restricted_functions = allow_restricted_functions;
+
 if (DetectLuaSetupPrime(de_ctx, lua, s) == -1) {
 goto error;
 }
diff --git a/src/detect-lua.h b/src/detect-lua.h
index 5ec3c01022..34762b2901 100644
--- a/src/detect-lua.h
+++ b/src/detect-lua.h
@@ -57,6 +57,7 @@ typedef struct DetectLuaData {
 uint32_t gid;
 uint64_t alloc_limit;
 uint64_t instruction_limit;
+ int allow_restricted_functions;
 } DetectLuaData;
 
 #endif /* HAVE_LUA */
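Review bot: The library-loading branch added to DetectLuaThreadInit is repeated verbatim in DetectLuaSetupPrime (second hunk), both keyed on the same `allow_restricted_functions` flag; a single helper such as `static void DetectLuaLoadLibs(lua_State *L, int allow_restricted) { if (allow_restricted) luaL_openlibs(L); else sb_loadrestricted(L); }` would keep the prime-time state and the per-thread state that actually executes scripts from ever diverging in what they expose. In this hunk `lua` is not declared; I assume it is derived from `data` earlier in DetectLuaThreadInit, whose body starts and ends outside the hunk. Keeping `sb_loadrestricted` as the path taken when the flag is zero is the correct fail-closed default.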
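Review bot: Setting security.lua.allow-restricted-functions disables the sandbox for every Lua rule, yet the new lines in DetectLuaSetup leave no trace of it, so an operator reading the logs cannot tell that scripts run with the full standard library. After the ConfGetBool call, log it, e.g. `if (allow_restricted_functions) SCLogWarning("security.lua.allow-restricted-functions is set: Lua rules are loaded without sandbox restrictions");` (adapt to the logging macro's current form; per-rule repetition can be guarded with a static flag). Discarding the ConfGetBool return with `(void)` is acceptable because `allow_restricted_functions` is pre-initialised to 0, so a missing or unparsable key stays restricted; a one-line comment stating that intent would help the next reader, e.g. `/* absent or invalid key keeps the sandbox on */`. DetectLuaSetup starts and ends outside the hunk.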
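Review bot: The new `allow_restricted_functions` member of DetectLuaData carries no comment, although a non-zero value is what switches a rule's Lua state from `sb_loadrestricted` to the full `luaL_openlibs`; document that at the declaration: `/* non-zero: load the full Lua stdlib (luaL_openlibs); zero: sandbox-restricted set only (sb_loadrestricted). Set in DetectLuaSetup from security.lua.allow-restricted-functions. */`. Declaring it `int` matches the `int` that ConfGetBool writes in DetectLuaSetup, so no conversion is needed; if it is later changed to `bool` the assignment there must be adjusted in the same commit.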