mirrors/meta-security
1
0
Fork 0
mirror of https://git.yoctoproject.org/meta-security synced 2026-05-30 12:30:36 +00:00
Code Issues Projects Releases Wiki Activity

suricata: add PACKAGECONFIG[seccomp] - MemoryDenyWriteExecute

Browse Source 
Add option to prevent memory mappings that are both writable and
executable.

https://www.freedesktop.org/software/systemd/man/255/systemd.exec.html#MemoryDenyWriteExecute=

Core Suricata developer:
https://github.com/jasonish/suricata-rpms/blob/a606a810325dd0a4f3ee45b2756b96bda28e590b/7.0/suricata-4.1.1-service.patch#L23

Fedora:
https://src.fedoraproject.org/rpms/suricata/c/cfb3b996f54d28018cd01f9c6b9ecb77e59f344d

Resolve SELinux AVC denial:
type=PROCTITLE proctitle=/usr/bin/suricata
-c /etc/suricata/suricata.yaml -i eth0

type=SYSCALL arch=aarch64 syscall=mprotect success=no
exit=EACCES(Permission denied) a0=0x7fffa7d04000 a1=0x4000
a2=PROT_READ|PROT_WRITE|PROT_EXEC a3=0x21 items=0 ppid=1 pid=283
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=Suricata-Main
exe=/usr/bin/suricata subj=system_u:system_r:initrc_t:s0 key=(null)

type=AVC avc:  denied  { execmem } for  pid=283 comm=Suricata-Main
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:initrc_t:s0 tclass=process

Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Scott Murray <scott.murray@konsulko.com>
This commit is contained in:
Clayton Casciato
2026-01-10 08:27:36 -07:00
committed by Scott Murray
parent 80e20b6b7a
commit c32a913012
2 changed files with 15 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
recipes-ids/suricata/files/suricata.service
+1
View File
@@ -14,6 +14,7 @@ ExecReload=/bin/kill -HUP $MAINPID
PrivateTmp=yes PrivateTmp=yes
ProtectHome=yes ProtectHome=yes
ProtectSystem=yes ProtectSystem=yes
MemoryDenyWriteExecute=no
[Install] [Install]
WantedBy=multi-user.target WantedBy=multi-user.target
recipes-ids/suricata/suricata_7.0.13.bb
+14 -1
View File
@@ -38,7 +38,15 @@ CARGO_BUILD_FLAGS:append = " --offline"
B = "${S}" B = "${S}"
# nfnetlink has a dependancy to meta-networking # nfnetlink has a dependancy to meta-networking
PACKAGECONFIG ??= "file pcre2 yaml python pcap cap-ng net" PACKAGECONFIG ??= "file \
pcre2 \
yaml \
python \
pcap \
cap-ng \
net \
${@bb.utils.filter('DISTRO_FEATURES', 'seccomp', d)} \
"
PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}" PACKAGECONFIG:append = " ${@bb.utils.contains('DISTRO_FEATURES', 'ptest', 'unittests', '', d)}"
PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ," PACKAGECONFIG[pcre2] = "--with-libpcre2-includes=${STAGING_INCDIR} --with-libpcre2-libraries=${STAGING_LIBDIR}, ,libpcre2 ,"
@@ -51,6 +59,7 @@ PACKAGECONFIG[nfq] = "--enable-nfqueue, --disable-nfqueue,libnetfilter-queue,"
PACKAGECONFIG[file] = ",,file, file" PACKAGECONFIG[file] = ",,file, file"
PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core" PACKAGECONFIG[python] = "--enable-python, --disable-python, python3, python3-core"
PACKAGECONFIG[seccomp] = ""
PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests," PACKAGECONFIG[unittests] = "--enable-unittests, --disable-unittests,"
export logdir = "${localstatedir}/log" export logdir = "${localstatedir}/log"
@@ -115,6 +124,10 @@ do_install () {
-e s:/bin/kill:${base_bindir}/kill:g \ -e s:/bin/kill:${base_bindir}/kill:g \
-e s:/usr/lib:${libdir}:g \ -e s:/usr/lib:${libdir}:g \
${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service ${UNPACKDIR}/suricata.service > ${D}${systemd_unitdir}/system/suricata.service
if ${@bb.utils.contains('PACKAGECONFIG', 'seccomp', 'true', 'false', d)}; then
sed -i -e 's/^MemoryDenyWriteExecute=no$/MemoryDenyWriteExecute=yes/' ${D}${systemd_unitdir}/system/suricata.service
fi
fi fi
# Remove /var/run as it is created on startup # Remove /var/run as it is created on startup