From: Jason Ish Date: Tue, 6 Jun 2023 22:04:56 +0000 (-0600) Subject: datasets: flag to disable "write" actions X-Git-Tag: suricata-7.0.0-rc2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=93b64939d19512f4a5191e491c363aa83faf015b;p=thirdparty%2Fsuricata.git datasets: flag to disable "write" actions Add a new configuration flag, "datasets.rules.allow-write" to control if rules can contain "save" or "state" rules which allow write access to the file system. Ticket: #6123 --- diff --git a/src/detect-dataset.c b/src/detect-dataset.c index 56bbf2689d..3d2964605e 100644 --- a/src/detect-dataset.c +++ b/src/detect-dataset.c @@ -303,6 +303,14 @@ static int SetupSavePath(const DetectEngineCtx *de_ctx, { SCLogDebug("save %s", save); + int allow_save = 1; + if (ConfGetBool("datasets.rules.allow-write", &allow_save)) { + if (!allow_save) { + SCLogError("Rules containing save/state datasets have been disabled"); + return -1; + } + } + int allow_absolute = 0; (void)ConfGetBool("datasets.rules.allow-absolute-filenames", &allow_absolute); if (allow_absolute) { diff --git a/suricata.yaml.in b/suricata.yaml.in index c748f0a564..fc7cc3885f 100644 --- a/suricata.yaml.in +++ b/suricata.yaml.in @@ -1164,6 +1164,11 @@ asn1-max-frames: 256 # # ".." components to reference parent directories in rules that specify # # their filenames. # #allow-absolute-filenames: false +# +# # Allow datasets in rules write access for "save" and +# # "state". This is enabled by default, however write access is +# # limited to the data directory. +# #allow-write: true ############################################################################## ##
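Review bot: In the src/detect-dataset.c hunk, the SCLogError text added to SetupSavePath ("Rules containing save/state datasets have been disabled") does not name the setting that caused it, so an operator whose ruleset stops loading has to go looking for the reason. Suggest putting datasets.rules.allow-write in the message. The local is also named allow_save while the option is allow-write and the message covers both save and state, so allow_write would match better. The nested if could be flattened by discarding the ConfGetBool return with (void), as the allow-absolute-filenames lookup directly below does, since the variable is already initialised to 1.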
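Review bot: In the suricata.yaml.in hunk, the new comment for allow-write does not say what happens when the option is set to false. Going by the detect-dataset.c hunk, SetupSavePath logs an error and returns -1, so setup fails for a rule that uses save or state instead of the rule continuing without write access; the comment should say so, because that is the behaviour an operator needs to know before changing the default. The first sentence ("Allow datasets in rules write access for ...") would also read more clearly as something like: Allow rules to give datasets write access through "save" and "state".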