This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 464b2117ead41a2c5f5771665f828e74e3e40f82 (commit)
via 3358151c85c9c5cecf091da3e612cb0632f9b8c8 (commit)
via 5fea15ef764377bfe658e4a50e34eceb30f236dc (commit)
from eebce7d9a38e4e62754e1a7fdbd8b8e8c526d12d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 464b2117ead41a2c5f5771665f828e74e3e40f82
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 22 16:44:00 2024 +0000
suricata.yaml: Fix Landlock path settings
Suricata will complain if it cannot read its own configuration file,
hence read-only access to /etc/suricata must be allowed. Since the list
applies to directories, rather than files, restricting read access to
only /usr/share/misc/magic.mgc is not possible; reading /usr/share/misc
must be allowed instead.
Fixes: #13645
Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 3358151c85c9c5cecf091da3e612cb0632f9b8c8
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 22 16:43:00 2024 +0000
Revert "suricata: Disable Landlock support"
This reverts commit b7da97fd59f010ea8fa7bca845d18e52ca89bc5a.
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
commit 5fea15ef764377bfe658e4a50e34eceb30f236dc
Author: Peter Müller <peter.mueller(a)ipfire.org>
Date: Mon Apr 22 16:43:00 2024 +0000
linux: Properly load Landlock module
Fixes: #13645
Tested-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Peter Müller <peter.mueller(a)ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/kernel/kernel.config.aarch64-ipfire | 2 +-
config/kernel/kernel.config.riscv64-ipfire | 2 +-
config/kernel/kernel.config.x86_64-ipfire | 2 +-
config/suricata/suricata.yaml | 5 +++--
4 files changed, 6 insertions(+), 5 deletions(-)
Difference in files:
diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire
index b85d7add9..af8aae163 100644
--- a/config/kernel/kernel.config.aarch64-ipfire
+++ b/config/kernel/kernel.config.aarch64-ipfire
@@ -8066,7 +8066,7 @@ CONFIG_INTEGRITY=y
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
#
# Kernel hardening options
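Review bot: the `+CONFIG_LSM="landlock,..."` line only takes effect if the LSM is actually built, and `CONFIG_SECURITY_LANDLOCK=y` lies outside the shown context; a name in CONFIG_LSM that has no compiled-in LSM behind it is silently skipped at boot, so please confirm that option is set in kernel.config.aarch64-ipfire (or add it in the same change). Listing landlock first is consistent with the upstream kernel's default LSM ordering, so the position itself is fine.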
diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire
index 2bd39e7de..ca603ad93 100644
--- a/config/kernel/kernel.config.riscv64-ipfire
+++ b/config/kernel/kernel.config.riscv64-ipfire
@@ -6745,7 +6745,7 @@ CONFIG_INTEGRITY=y
# CONFIG_IMA is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
#
# Kernel hardening options
diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire
index 8ce66cb4f..fa943a2bb 100644
--- a/config/kernel/kernel.config.x86_64-ipfire
+++ b/config/kernel/kernel.config.x86_64-ipfire
@@ -7252,7 +7252,7 @@ CONFIG_INTEGRITY=y
# CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set
# CONFIG_EVM is not set
CONFIG_DEFAULT_SECURITY_DAC=y
-CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf"
+CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
#
# Kernel hardening options
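Review bot: the series gives testers no runtime check for this one-line change; after booting the rebuilt kernel, `/sys/kernel/security/lsm` should list `landlock`, and that is the precondition for `enabled: yes` in the accompanying suricata.yaml hunk to do anything. Suggest mentioning that check in the commit message for #13645 so the Tested-by covers the kernel side, not only Suricata starting without complaint.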
diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml
index 041082b04..faa1aa71d 100644
--- a/config/suricata/suricata.yaml
+++ b/config/suricata/suricata.yaml
@@ -768,14 +768,15 @@ security:
limit-noproc: true
# Use landlock security module under Linux
landlock:
- enabled: no
+ enabled: yes
directories:
write:
- /run
# /usr and /etc folders are added to read list to allow
# file magic to be used.
read:
- - /usr/share/misc/magic.mgc
+ - /etc/suricata
+ - /usr/share/misc
- /usr/share/suricata
- /var/ipfire/suricata
- /var/lib/suricata
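Review bot: the surviving comment `# /usr and /etc folders are added to read list to allow` / `# file magic to be used.` no longer matches the rules beneath it: per the commit message, `/etc/suricata` is added so Suricata can read its own configuration file, not for libmagic, and `/usr/share/misc` replaces the single `magic.mgc` entry because the read list is evaluated per directory rather than per file. Suggest rewording the comment to state both reasons, and noting that the `/usr/share/misc` rule now grants read access to everything in that directory, which is the unavoidable cost of the directory granularity the commit message describes.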
hooks/post-receive
--
IPFire 2.x development tree