Fixes: #13645
Tested-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/kernel/kernel.config.riscv64-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b85d7add9..af8aae163 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8066,7 +8066,7 @@ CONFIG_INTEGRITY=y # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# # Kernel hardening options diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2bd39e7de..ca603ad93 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6745,7 +6745,7 @@ CONFIG_INTEGRITY=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# # Kernel hardening options diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8ce66cb4f..fa943a2bb 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -7252,7 +7252,7 @@ CONFIG_INTEGRITY=y # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# # Kernel hardening options
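Review bot: in the aarch64 hunk, adding `landlock` to CONFIG_LSM only has an effect if CONFIG_SECURITY_LANDLOCK=y is also set, and that symbol is not visible in the hunk. Kconfig does not validate the contents of the CONFIG_LSM string, so a name for an LSM that is not built in is not reported as a build error. Please confirm the symbol is already enabled in kernel.config.aarch64-ipfire, or add it in the same commit.

Review bot: in the riscv64 hunk, placing `landlock` first matches the upstream Kconfig default ordering for CONFIG_LSM, which is fine; the one caveat is that an `lsm=` parameter on the kernel command line overrides this list entirely, so it is worth checking that the riscv64 boot configuration does not pass `lsm=`, otherwise this change would have no effect at runtime.

Review bot: for the x86_64 hunk (and the series as a whole), the commit message carries only the ticket number. A one-line body stating that the LSM is being enabled so that Suricata's `security.landlock` sandbox (re-enabled in the follow-up patches) can work would make the kernel change self-explanatory in `git log` without having to open #13645.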
This reverts commit b7da97fd59f010ea8fa7bca845d18e52ca89bc5a.
---
config/suricata/suricata.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 041082b04..b57a1d9d4 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -768,7 +768,7 @@ security: limit-noproc: true # Use landlock security module under Linux landlock: - enabled: no + enabled: yes directories: write: - /run
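Review bot: with this revert applied on its own, the tree at this commit has Suricata running with landlock enabled but the read list not yet widened, so the daemon cannot read /etc/suricata (exactly the failure the next commit's message describes). Suggest reordering so the read-list fix lands before the re-enable, or squashing the two commits, so that every commit in the series leaves Suricata startable for bisecting.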
Suricata will complain if it cannot read its own configuration file, hence read-only access to /etc/suricata must be allowed. Since the list applies to directories, rather than files, restricting read access to only /usr/share/misc/magic.mgc is not possible; reading /usr/share/misc must be allowed instead.
Fixes: #13645
Tested-by: Peter Müller peter.mueller@ipfire.org
Signed-off-by: Peter Müller peter.mueller@ipfire.org
---
config/suricata/suricata.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index b57a1d9d4..faa1aa71d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -775,7 +775,8 @@ security: # /usr and /etc folders are added to read list to allow # file magic to be used. read: - - /usr/share/misc/magic.mgc + - /etc/suricata + - /usr/share/misc - /usr/share/suricata - /var/ipfire/suricata - /var/lib/suricata
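Review bot: the unchanged comment above the list ("/usr and /etc folders are added to read list to allow file magic to be used") no longer matches what the list grants: /etc/suricata is added so the daemon can read its own configuration, not for file magic, and the magic grant is now the whole /usr/share/misc directory rather than magic.mgc. Suggest updating the comment in the same hunk, for example "# /etc/suricata is needed for the configuration file; /usr/share/misc for file magic (magic.mgc), since this list is directory-based", so the reason for the broader grant is recorded next to it.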