Description: Configure the Landlock LSM security sandbox, but leave it disabled by default
Author: Andreas Dolp <dev@andreas-dolp.de>
Forwarded: not-needed
Last-Update: 2025-09-21
--- a/suricata.yaml.in
+++ b/suricata.yaml.in
@@ -1312,8 +1312,8 @@
landlock:
enabled: no
directories:
- #write:
- # - @e_rundir@
+ write:
+ - @e_libdir@
# /usr and /etc folders are added to read list to allow
# file magic to be used.
read:
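Review bot: The new `write:` entry grants the sandboxed process write access to all of `@e_libdir@`, which per the configure.ac hunk is `localstatedir` plus `/lib/suricata` and so contains the default rule directory (`/lib/suricata/rules`) as well as the cache and data directories. If Landlock is enabled, a compromised engine could still rewrite its own rule files, which weakens the confinement this option is meant to provide. Consider listing only the subdirectories the engine has to write, for example `- @e_datadir@` and, if it is substituted, `- @e_sghcachedir@`. The commented `@e_rundir@` hint is also dropped; presumably the run directory is covered elsewhere, but that should be confirmed before anyone turns the sandbox on.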
--- a/configure.ac
+++ b/configure.ac
@@ -2518,6 +2518,7 @@
EXPAND_VARIABLE(datadir, e_datarulesdir, "/suricata/rules")
EXPAND_VARIABLE(localstatedir, e_sghcachedir, "/lib/suricata/cache/sgh")
EXPAND_VARIABLE(localstatedir, e_datadir, "/lib/suricata/data")
+ EXPAND_VARIABLE(localstatedir, e_libdir, "/lib/suricata")
EXPAND_VARIABLE(localstatedir, e_defaultruledir, "/lib/suricata/rules")
e_abs_srcdir=$(cd $srcdir && pwd)
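Review bot: The name `e_libdir` on the added `EXPAND_VARIABLE` line reads like autoconf's `libdir` (the library install directory), but it expands `localstatedir` plus `/lib/suricata`, which is the state directory. A distinct name such as `e_statelibdir`, used here, in the matching `AC_SUBST` of the next hunk and in `suricata.yaml.in`, would keep a later reader from assuming a library path is being placed in the Landlock write list. A one-line comment would help as well: `dnl state directory (localstatedir/lib/suricata), not $libdir`.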
@@ -2534,6 +2535,7 @@
AC_DEFINE_UNQUOTED([SGH_CACHE_DIR],["$e_sghcachedir"],[Directory path for signature group head cache])
AC_SUBST(e_datadir)
AC_DEFINE_UNQUOTED([DATA_DIR],["$e_datadir"],[Our DATA_DIR])
+AC_SUBST(e_libdir)
AC_SUBST(e_magic_file)
AC_SUBST(e_magic_file_comment)
AC_SUBST(e_enable_evelog)