From: Lukas Sismis
Date: Wed, 26 Mar 2025 12:52:29 +0000 (+0700)
Subject: landlock: add read/write permission to MPM cache directory
X-Git-Tag: suricata-8.0.0-beta1~189
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4a20baa6a85a7312dd8d2e706fa637d19a1c213f;p=thirdparty%2Fsuricata.git
landlock: add read/write permission to MPM cache directory
---
diff --git a/src/util-landlock.c b/src/util-landlock.c
index fcc46a0d8f..27c01427f9 100644
--- a/src/util-landlock.c
+++ b/src/util-landlock.c
@@ -22,6 +22,7 @@
 */
 #include "suricata.h"
+#include "detect-engine.h"
 #include "feature.h"
 #include "util-conf.h"
 #include "util-file.h"
@@ -201,6 +202,10 @@ void LandlockSandboxing(SCInstance *suri)
 LandlockSandboxingAddRule(ruleset, ConfigGetDataDirectory(),
 _LANDLOCK_SURI_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_READ);
 }
+ if (DetectEngineMpmCachingEnabled() && stat(DetectEngineMpmCachingGetPath(), &sb) == 0) {
+ LandlockSandboxingAddRule(ruleset, DetectEngineMpmCachingGetPath(),
+ _LANDLOCK_SURI_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_READ);
+ }
 if (suri->run_mode == RUNMODE_PCAP_FILE) {
 const char *pcap_file;
 if (ConfGet("pcap-file.file", &pcap_file) == 1) {
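Review bot: When MPM caching is enabled but `stat()` on the cache path fails (directory not created yet, or a wrong path in the configuration), the new branch in LandlockSandboxing() silently adds no rule, so later cache reads and writes would be denied by the sandbox with nothing in the log pointing at Landlock. I would fetch the path once and report the skipped case, e.g. `const char *mpm_path = DetectEngineMpmCachingGetPath();` followed by `if (mpm_path == NULL || stat(mpm_path, &sb) != 0) SCLogWarning("Landlock: MPM cache path unavailable, no rule added");`, which also avoids calling the getter twice and guards a NULL return if that is possible (the getter is not visible here). The rule grants write access and presumably covers everything beneath the path, as Landlock path rules normally do, so a short comment that the cache path should be a dedicated directory and not a shared parent would help keep the sandbox tight; checking `S_ISDIR(sb.st_mode)` could enforce the directory part. The function starts and ends outside the hunk.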