From a9a17c81855e219ae27f94b803a29d74b6facb37 Mon Sep 17 00:00:00 2001
From: Eric Leblond
Date: Thu, 4 Aug 2022 22:33:52 +0200
Subject: [PATCH] landlock: handle filestore case
If landlock ABI is inferior to 2 (before Linux 5.19) then the renaming of files is impossible if the protection is enabled. This patch disables landlock if ABI < 2 and file-store is enabled. As file store is initialized in output the call to landlock had to done after the output initialization.
---
 src/suricata.c | 4 ++--
 src/util-landlock.c | 11 ++++++++++-
 2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/src/suricata.c b/src/suricata.c
index 3f2cdc1051..63dfd572da 100644
--- a/src/suricata.c
+++ b/src/suricata.c
@@ -2906,8 +2906,6 @@ int SuricataMain(int argc, char **argv)
 exit(EXIT_FAILURE);
 }
- LandlockSandboxing(&suricata);
-
 SCDropMainThreadCaps(suricata.userid, suricata.groupid);
 /* Re-enable coredumps after privileges are dropped. */
@@ -2915,6 +2913,8 @@ int SuricataMain(int argc, char **argv)
 PreRunPostPrivsDropInit(suricata.run_mode);
+ LandlockSandboxing(&suricata);
+
 PostConfLoadedDetectSetup(&suricata);
 if (suricata.run_mode == RUNMODE_ENGINE_ANALYSIS) {
 goto out;
diff --git a/src/util-landlock.c b/src/util-landlock.c
index cc1fadeac2..b0fa2f087d 100644
--- a/src/util-landlock.c
+++ b/src/util-landlock.c
@@ -23,8 +23,10 @@
 #include "suricata.h"
 #include "util-conf.h"
+#include "util-file.h"
 #include "util-landlock.h"
 #include "util-mem.h"
+#include "feature.h"
 #ifndef HAVE_LINUX_LANDLOCK_H 
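Review bot: The relocated `LandlockSandboxing(&suricata);` in the second suricata.c hunk now carries an ordering requirement that nothing at the call site records: it has to follow PreRunPostPrivsDropInit() because LandlockCreateRuleset() consults RequiresFeature(FEATURE_OUTPUT_FILESTORE), which per the commit message is only registered during output initialisation. A one-line comment above the call, `/* Must run after output init: LandlockCreateRuleset() checks RequiresFeature(FEATURE_OUTPUT_FILESTORE). */`, would stop a later reorder from silently reintroducing the rename breakage. The move also means the startup code between the cap drop and this point now runs before the sandbox is applied; that looks inherent to the fix, but it is worth stating in the commit message so the reduced coverage is a recorded decision. SuricataMain continues outside both hunks.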
@@ -100,7 +102,14 @@ static inline struct landlock_ruleset *LandlockCreateRuleset(void)
 return NULL;
 }
 if (abi < 2) {
- ruleset->attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+ if (RequiresFeature(FEATURE_OUTPUT_FILESTORE)) {
+ SCLogError(SC_ERR_NOT_SUPPORTED,
+ "Landlock disabled: need Linux 5.19+ for file store support");
+ SCFree(ruleset);
+ return NULL;
+ } else {
+ ruleset->attr.handled_access_fs &= ~LANDLOCK_ACCESS_FS_REFER;
+ }
 }
 ruleset->fd = landlock_create_ruleset(&ruleset->attr, sizeof(ruleset->attr), 0);
-- 
2.47.2
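Review bot: The new ABI < 2 branch is a fail-open decision that the code does not name as such: when the file store is enabled it logs, frees the ruleset and returns NULL, the same path the earlier `return NULL;` in this hunk already uses, so unless the caller treats NULL as fatal (LandlockSandboxing is outside this hunk) the engine keeps running with no Landlock confinement and only an error line to show for it. The message should say that outright, e.g. `"Landlock disabled: need Linux 5.19+ for file store support, continuing without sandbox"`, so an operator reading the log knows the protection they configured is not in effect. A comment above the RequiresFeature() call should also record the dependency this check relies on: `/* Only valid after output init has registered features; LandlockSandboxing() runs after PreRunPostPrivsDropInit() for this reason. */`. Lastly, the `else` after `return NULL;` is redundant and just adds a nesting level; dropping it leaves the REFER-stripping line as the fall-through case.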