Feature #6936
open
landlock: enable by default
Added by Victor Julien over 1 year ago.
Updated 3 months ago.
Description
Would like to see landlock be enabled by default where available. I think it could make sense for various parts of the engine to register the paths they intend to use (e.g. /var/run/suricata.socket) with the type of access they need.
It might make sense to allow runmodes or other parts of the engine to disable this. E.g. supporting DPDK seems tricky at this point, so perhaps it should create an exception while we figure out if/how it can be supported.
Related issues
4 (4 open — 0 closed)
- Description updated (diff)
- Related to Bug #6933: dpdk: landlock support added
- Related to Task #6952: ppa: run as a non-root user added
- Blocks Story #7160: deployment: improve secure deployment added
- Related to Bug #5704: Filestore is not working if landlock is enabled added
- Priority changed from Normal to High
- Target version changed from 8.0.0-beta1 to 8.0.0-rc1
- Priority changed from High to Normal
- Target version changed from 8.0.0-rc1 to 9.0.0-beta1
For 8.0.0 will stick to improving docs.
- Blocks deleted (Story #7160: deployment: improve secure deployment)
- Blocks Story #7760: 9.0.0: deployment: improve secure deployment added