This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  464b2117ead41a2c5f5771665f828e74e3e40f82 (commit)
       via  3358151c85c9c5cecf091da3e612cb0632f9b8c8 (commit)
       via  5fea15ef764377bfe658e4a50e34eceb30f236dc (commit)
      from  eebce7d9a38e4e62754e1a7fdbd8b8e8c526d12d (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 464b2117ead41a2c5f5771665f828e74e3e40f82
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Apr 22 16:44:00 2024 +0000
suricata.yaml: Fix Landlock path settings
Suricata will complain if it cannot read its own configuration file, hence read-only access to /etc/suricata must be allowed. Since the list applies to directories, rather than files, restricting read access to only /usr/share/misc/magic.mgc is not possible; reading /usr/share/misc must be allowed instead.
Fixes: #13645
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 3358151c85c9c5cecf091da3e612cb0632f9b8c8
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Apr 22 16:43:00 2024 +0000
Revert "suricata: Disable Landlock support"
This reverts commit b7da97fd59f010ea8fa7bca845d18e52ca89bc5a.
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
commit 5fea15ef764377bfe658e4a50e34eceb30f236dc
Author: Peter Müller <peter.mueller@ipfire.org>
Date:   Mon Apr 22 16:43:00 2024 +0000
linux: Properly load Landlock module
Fixes: #13645
Tested-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Arne Fitzenreiter <arne_f@ipfire.org>
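The two Landlock facts behind these commits can be checked from user space: the kernel side (Landlock compiled in but not listed in CONFIG_LSM, so the LSM never initialises) and the Suricata side (read access is granted per directory hierarchy, so a read-only directory allows reading the magic database beneath it but refuses to open it for writing). The following C program is an added example written for this page; it is not IPFire, Suricata or kernel code. It probes the Landlock ABI through landlock_create_ruleset(2), where ENOSYS means Landlock is not built into the running kernel and EOPNOTSUPP means it is built in but was not enabled at boot (absent from CONFIG_LSM or from an lsm= command-line override), and, given three arguments, applies a ruleset shaped like the suricata.yaml block (read-only beneath one directory, read/write beneath another) before opening a file for reading and for writing. The function names, the fallback definitions for pre-5.13 UAPI headers and the command-line usage are this example's own assumptions.

```c
/* Added example for this page (not IPFire, Suricata or kernel code): probe the
 * Landlock LSM from user space and, optionally, sandbox this process the way the
 * suricata.yaml block does (read-only beneath one directory, read/write beneath
 * another). Function names and the old-header fallbacks are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if __has_include(<linux/landlock.h>)
#include <linux/landlock.h>
#else
/* Fallback for pre-5.13 UAPI headers: only the ABI pieces used below. */
struct landlock_ruleset_attr { uint64_t handled_access_fs; };
struct landlock_path_beneath_attr {
    uint64_t allowed_access;
    int32_t parent_fd;
} __attribute__((packed));
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#define LANDLOCK_RULE_PATH_BENEATH 1
#define LANDLOCK_ACCESS_FS_WRITE_FILE (1ULL << 1)
#define LANDLOCK_ACCESS_FS_READ_FILE (1ULL << 2)
#define LANDLOCK_ACCESS_FS_READ_DIR (1ULL << 3)
#endif
/* The Landlock syscall numbers are identical on every architecture. */
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset 444
#define __NR_landlock_add_rule 445
#define __NR_landlock_restrict_self 446
#endif

/* Landlock ABI version (>= 1) if usable, otherwise -errno. ENOSYS: not
 * compiled in. EOPNOTSUPP: compiled in but not enabled at boot, i.e. missing
 * from CONFIG_LSM (or from an lsm= override on the kernel command line). */
int landlock_abi_version(void)
{
    long r = syscall(__NR_landlock_create_ruleset, NULL, 0,
                     LANDLOCK_CREATE_RULESET_VERSION);
    return r < 0 ? -errno : (int)r;
}

/* Human-readable diagnosis of a landlock_abi_version() result. */
const char *landlock_diagnose(int rc)
{
    if (rc > 0)
        return "enabled";
    switch (-rc) {
    case ENOSYS:
        return "not built into this kernel (CONFIG_SECURITY_LANDLOCK)";
    case EOPNOTSUPP:
        return "built in but not enabled at boot (CONFIG_LSM / lsm=)";
    default:
        return "unavailable for another reason (see errno)";
    }
}

/* Confine the calling process: read-only beneath read_dir, read/write beneath
 * write_dir, nothing else for the handled accesses. Irreversible and inherited
 * by children. Returns 0 on success, -errno on failure (nothing applied). */
int restrict_to(const char *read_dir, const char *write_dir)
{
    const uint64_t ro = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR;
    const uint64_t rw = ro | LANDLOCK_ACCESS_FS_WRITE_FILE;
    struct landlock_ruleset_attr attr = { .handled_access_fs = rw };
    int rs = syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0)
        return -errno;
    const char *dirs[2] = { read_dir, write_dir };
    const uint64_t acc[2] = { ro, rw };
    for (int i = 0; i < 2; i++) {
        struct landlock_path_beneath_attr pb = { .allowed_access = acc[i] };
        pb.parent_fd = open(dirs[i], O_PATH | O_CLOEXEC);
        if (pb.parent_fd < 0) { int e = errno; close(rs); return -e; }
        int r = syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &pb, 0);
        int e = errno;
        close(pb.parent_fd);
        if (r) { close(rs); return -e; }
    }
    /* no_new_privs is required before a ruleset may be enforced. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
        syscall(__NR_landlock_restrict_self, rs, 0)) {
        int e = errno; close(rs); return -e;
    }
    close(rs);
    return 0;
}

int main(int argc, char **argv)
{
    int v = landlock_abi_version();
    printf("Landlock ABI %d: %s\n", v, landlock_diagnose(v));
    if (argc != 4) {
        fprintf(stderr, "usage: %s READ_DIR WRITE_DIR FILE\n", argv[0]);
        return v > 0 ? 0 : 1;
    }
    int r = restrict_to(argv[1], argv[2]);
    if (r < 0) {
        fprintf(stderr, "sandboxing failed: %s\n", strerror(-r));
        return 1;
    }
    /* From here on only the two granted hierarchies are reachable. */
    static const int modes[2] = { O_RDONLY, O_WRONLY };
    static const char *names[2] = { "O_RDONLY", "O_WRONLY" };
    for (int i = 0; i < 2; i++) {
        int fd = open(argv[3], modes[i]);
        printf("open(%s, %s): %s\n", argv[3], names[i],
               fd < 0 ? strerror(errno) : "allowed");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Run without arguments to get the diagnosis; on a kernel like the one before the CONFIG_LSM change it reports EOPNOTSUPP even though Landlock is compiled in. With three arguments, for instance the page's own directories, `./landlock-probe /usr/share/misc /run /usr/share/misc/magic.mgc`, the process sandboxes itself and then shows the read succeeding while the write attempt fails with "Permission denied", which is the behaviour the read: list in suricata.yaml relies on. Because a directory grant covers the entire hierarchy beneath it, the same run with `/usr/share` as READ_DIR would make every file under it readable, so keep the read list as narrow as the tool's per-directory semantics allow.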
-----------------------------------------------------------------------
Summary of changes:
 config/kernel/kernel.config.aarch64-ipfire | 2 +-
 config/kernel/kernel.config.riscv64-ipfire | 2 +-
 config/kernel/kernel.config.x86_64-ipfire  | 2 +-
 config/suricata/suricata.yaml              | 5 +++--
 4 files changed, 6 insertions(+), 5 deletions(-)
Difference in files: diff --git a/config/kernel/kernel.config.aarch64-ipfire b/config/kernel/kernel.config.aarch64-ipfire index b85d7add9..af8aae163 100644 --- a/config/kernel/kernel.config.aarch64-ipfire +++ b/config/kernel/kernel.config.aarch64-ipfire @@ -8066,7 +8066,7 @@ CONFIG_INTEGRITY=y # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# # Kernel hardening options diff --git a/config/kernel/kernel.config.riscv64-ipfire b/config/kernel/kernel.config.riscv64-ipfire index 2bd39e7de..ca603ad93 100644 --- a/config/kernel/kernel.config.riscv64-ipfire +++ b/config/kernel/kernel.config.riscv64-ipfire @@ -6745,7 +6745,7 @@ CONFIG_INTEGRITY=y # CONFIG_IMA is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# # Kernel hardening options diff --git a/config/kernel/kernel.config.x86_64-ipfire b/config/kernel/kernel.config.x86_64-ipfire index 8ce66cb4f..fa943a2bb 100644 --- a/config/kernel/kernel.config.x86_64-ipfire +++ b/config/kernel/kernel.config.x86_64-ipfire @@ -7252,7 +7252,7 @@ CONFIG_INTEGRITY=y # CONFIG_IMA_SECURE_AND_OR_TRUSTED_BOOT is not set # CONFIG_EVM is not set CONFIG_DEFAULT_SECURITY_DAC=y -CONFIG_LSM="lockdown,yama,loadpin,safesetid,integrity,bpf" +CONFIG_LSM="landlock,lockdown,yama,loadpin,safesetid,integrity,bpf"
# # Kernel hardening options diff --git a/config/suricata/suricata.yaml b/config/suricata/suricata.yaml index 041082b04..faa1aa71d 100644 --- a/config/suricata/suricata.yaml +++ b/config/suricata/suricata.yaml @@ -768,14 +768,15 @@ security: limit-noproc: true # Use landlock security module under Linux landlock: - enabled: no + enabled: yes directories: write: - /run # /usr and /etc folders are added to read list to allow # file magic to be used. read: - - /usr/share/misc/magic.mgc + - /etc/suricata + - /usr/share/misc - /usr/share/suricata - /var/ipfire/suricata - /var/lib/suricata
hooks/post-receive -- IPFire 2.x development tree