Landlock v1.4 #7829

Closed
wants to merge 3 commits into from

@regit regit commented Sep 5, 2022

Replace #7697

Link to redmine ticket: https://redmine.openinfosecfoundation.org/issues/5479

Describe changes:

  • rebase code
  • change config by setting it under security
  • fix formatting
  • address comments on logging and formatting

codecov bot commented Sep 5, 2022

Codecov Report

Merging #7829 (4dbc607) into master (bb2e111) will decrease coverage by 0.10%.
The diff coverage is 100.00%.

❗ Current head 4dbc607 differs from pull request most recent head db0f4ac. Consider uploading reports for the commit db0f4ac to get more accurate results

@@            Coverage Diff             @@
##           master    #7829      +/-   ##
==========================================
- Coverage   76.10%   75.99%   -0.11%     
==========================================
  Files         663      664       +1     
  Lines      185889   185890       +1     
==========================================
- Hits       141467   141275     -192     
- Misses      44422    44615     +193     
Flag Coverage Δ
fuzzcorpus 60.83% <0.00%> (-0.19%) ⬇️
suricata-verify 52.48% <100.00%> (-0.11%) ⬇️
unittests 60.70% <0.00%> (+<0.01%) ⬆️


This patch is adding support for Landlock, a Linux
Security Module available since Linux 5.13.

The concept is to prevent any file operation on directories that
Suricata is not supposed to access.

Landlock support is built by default if the header is present. The
feature is disabled by default and needs to be activated in the YAML
to be active.

Landlock documentation: https://docs.kernel.org/userspace-api/landlock.html

Feature: OISF#5479

If landlock ABI is inferior to 2 (before Linux 5.19) then the
renaming of files is impossible if the protection is enabled. This
patch disables landlock if ABI < 2 and file-store is enabled.

As file store is initialized in output the call to landlock had to
be done after the output initialization.

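
The ABI gating described in the commit message above, as an added example that is not Suricata's code and not part of this pull request: it probes the kernel's Landlock ABI version, derives the file-system rights a ruleset can handle, and applies the "ABI < 2 with file-store" rule. All function and macro names are hypothetical; the numeric constants are copied from the Landlock UAPI so the block builds without recent kernel headers.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Landlock UAPI values (linux/landlock.h); names here are hypothetical. */
#define LL_SYS_CREATE_RULESET     444UL             /* same number on all arches */
#define LL_CREATE_RULESET_VERSION 1UL               /* flag: return ABI version */
#define LL_ACCESS_FS_ABI1         ((1ULL << 13) - 1) /* EXECUTE .. MAKE_SYM */
#define LL_ACCESS_FS_REFER        (1ULL << 13)       /* ABI 2: cross-directory rename/link */

/* Returns the Landlock ABI version, or 0 if Landlock is unavailable. */
int landlock_probe_abi(void)
{
#ifdef __linux__
    long abi = syscall(LL_SYS_CREATE_RULESET, NULL, (size_t)0,
                       LL_CREATE_RULESET_VERSION);
    return abi > 0 ? (int)abi : 0;
#else
    return 0;
#endif
}

/* File-system access rights a ruleset may declare as handled for this ABI. */
uint64_t landlock_handled_fs(int abi)
{
    if (abi < 1)
        return 0;
    return abi >= 2 ? (LL_ACCESS_FS_ABI1 | LL_ACCESS_FS_REFER) : LL_ACCESS_FS_ABI1;
}

/* Enable only when configured and supported; with file-store active an
 * ABI below 2 is refused because the REFER right is missing there. */
bool landlock_should_enable(bool configured, int abi, bool file_store)
{
    if (!configured || abi < 1)
        return false;
    return !(abi < 2 && file_store);
}

int main(void)
{
    int abi = landlock_probe_abi();
    printf("abi=%d handled=0x%llx enable(file-store)=%d\n", abi,
           (unsigned long long)landlock_handled_fs(abi),
           landlock_should_enable(true, abi, true));
    return 0;
}
```
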
@suricata-qa

WARNING:

field baseline test %
tlpw1_stats_chk
.tcp.rst 103033 126139 122.43%

Pipeline 9018

@suricata-qa

Information: QA ran without warnings.

Pipeline 9023

@jufajardini jufajardini left a comment

Docs still looking good to me :P

@@ -1097,6 +1097,22 @@ asn1-max-frames: 256
# user: suri
# group: suri

security:
# Limit processus creation by Suricata (default: yes)
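
Review bot: The comment on the first line under `security:` has a typo ("processus" should be "process") and describes limiting process creation, which is a different setting from the Landlock options this change is about. Keep that key out of this hunk, or order the change after the one that introduces it, so the new `security:` section documents only what this patch implements.
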
#7458 isn't merged yet.

fixed up in #7853

@victorjulien victorjulien mentioned this pull request Sep 13, 2022
@victorjulien

Merged in #7853, thanks a lot for this work Eric!
