[PATCH 1/3] linux: Properly load Landlock module

[PATCH 1/3] linux: Properly load Landlock module

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1996 bytes --]

Fixes: #13645
Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b85d7add9..af8aae163 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8066,7 +8066,7 @@ CONFIG_INTEGRITY=y
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 2bd39e7de..ca603ad93 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6745,7 +6745,7 @@ CONFIG_INTEGRITY=y
 # CONFIG_IMA is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
 
 #
 # Kernel hardening options
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8ce66cb4f..fa943a2bb 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7252,7 +7252,7 @@ CONFIG_INTEGRITY=y
 # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
 # CONFIG_EVM is not set
 CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
 
 #
 # Kernel hardening options
-- 
2.35.3

[PATCH 2/3] Revert "suricata: Disable Landlock support"

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 538 bytes --]

This reverts commit b7da97fd59f010ea8fa7bca845d18e52ca89bc5a.
---
 config/suricata/suricata.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 041082b04..b57a1d9d4 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -768,7 +768,7 @@ security:
   limit-noproc: true
   # Use landlock security module under Linux
   landlock:
-    enabled: no
+    enabled: yes
     directories:
       write:
         - /run
-- 
2.35.3

[PATCH 3/3] suricata.yaml: Fix Landlock path settings

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 1038 bytes --]

Suricata will complain if it cannot read its own configuration file,
hence read-only access to /etc/suricata must be allowed. Since the list
applies to directories, rather than files, restricting read access to
only /usr/share/misc/magic.mgc is not possible; reading /usr/share/misc
must be allowed instead.

Fixes: #13645
Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
---
 config/suricata/suricata.yaml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index b57a1d9d4..faa1aa71d 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -775,7 +775,8 @@ security:
       # /usr and /etc folders are added to read list to allow
       # file magic to be used.
       read:
-        - /usr/share/misc/magic.mgc
+        - /etc/suricata
+        - /usr/share/misc
         - /usr/share/suricata
         - /var/ipfire/suricata
         - /var/lib/suricata
-- 
2.35.3