[3/3] suricata.yaml: Fix Landlock path settings

Message ID 323d35e9-a5ea-4967-8e98-9299aebff868@ipfire.org
State Staged
Commit 464b2117ead41a2c5f5771665f828e74e3e40f82
Series [1/3] linux: Properly load Landlock module

Commit Message

Peter Müller April 22, 2024, 4:44 p.m. UTC
Suricata will complain if it cannot read its own configuration file,
hence read-only access to /etc/suricata must be allowed. Since the list
applies to directories, rather than files, restricting read access to
only /usr/share/misc/magic.mgc is not possible; reading /usr/share/misc
must be allowed instead.

Fixes: #13645
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 config/suricata/suricata.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Patch

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index b57a1d9d4..faa1aa71d 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -775,7 +775,8 @@  security:
       # /usr and /etc folders are added to read list to allow
       # file magic to be used.
       read:
-        - /usr/share/misc/magic.mgc
+        - /etc/suricata
+        - /usr/share/misc
         - /usr/share/suricata
         - /var/ipfire/suricata
         - /var/lib/suricata
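Review bot: The comment above the `read:` list ("/usr and /etc folders are added to read list to allow file magic to be used") no longer describes the hunk: `/etc/suricata` is added so Suricata can read its own configuration, not for file magic, and the magic entry is now the directory `/usr/share/misc` rather than the single file `magic.mgc`. Update the comment to state both reasons, e.g. "/etc/suricata is needed for the configuration file; /usr/share/misc for the file magic database", so the next person touching the Landlock list knows which entry serves which purpose. Since the change also widens read access from one file to the whole of `/usr/share/misc`, it would be worth a sentence in the comment (or the commit message) noting that this is the smallest grant the directory-based list allows, which is the justification given in the commit message for not keeping the narrower `magic.mgc` entry.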