landlock: add read/write permission to MPM cache directory

8 months ago · 4a20baa6a8
parent 7dc65c2f8a
commit 4a20baa6a8
1 changed files with 5 additions and 0 deletions
--- a/src/util-landlock.c
+++ b/src/util-landlock.c
@ -22,6 +22,7 @@
 */

 #include "suricata.h"
+#include "detect-engine.h"
 #include "feature.h"
 #include "util-conf.h"
 #include "util-file.h"
@ -201,6 +202,10 @@ void LandlockSandboxing(SCInstance *suri)
        LandlockSandboxingAddRule(ruleset, ConfigGetDataDirectory(),
                _LANDLOCK_SURI_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_READ);
    }
+    if (DetectEngineMpmCachingEnabled() && stat(DetectEngineMpmCachingGetPath(), &sb) == 0) {
+        LandlockSandboxingAddRule(ruleset, DetectEngineMpmCachingGetPath(),
+                _LANDLOCK_SURI_ACCESS_FS_WRITE | _LANDLOCK_ACCESS_FS_READ);
+    }
    if (suri->run_mode == RUNMODE_PCAP_FILE) {
        const char *pcap_file;
        if (ConfGet("pcap-file.file", &pcap_file) == 1) {