Bug #7541
open
`run-as` config option in Suricata removes capabilities needed for loading `ebpf` programs
Description
While using `suricata` (version 7.0.8) with `ebpf` in a `lxc` container and running it with a config:
```yaml
run-as:
  user: XXX
  group: XXX
```
Using `strace`, we realised some Suricata code was dropping Linux capabilities. On further investigation, we realised that the function `SCDropMainThreadCaps` drops capabilities if `sc_set_caps` is TRUE, and this is TRUE if we enter here:
```c
        if (ConfGet("run-as.user", &id) == 1) {
            suri->do_setuid = TRUE;
            suri->user_name = id;
        }
        if (ConfGet("run-as.group", &id) == 1) {
            suri->do_setgid = TRUE;
            suri->group_name = id;
        }
```
I think there is a missing clause in `SCDropMainThreadCaps` to check if `suricata.yaml` uses XDP/eBPF to do something like the diff I linked.
I think a good fix (not what I did) would be adding capabilities iff we have `xdp-filter-file` or `ebpf-filter-file` on.
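To confirm the capability drop described in this report without `strace`, the following added example (not part of the report and not Suricata code) decodes the `CapEff` mask from `/proc/<pid>/status` and checks for the capabilities the kernel requires before it will load a networking eBPF program. The function names and the sample status text are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Bit numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN_BIT 12
#define CAP_SYS_ADMIN_BIT 21
#define CAP_BPF_BIT       39 /* split out of CAP_SYS_ADMIN in Linux 5.8 */
#define HAS(mask, bit)    ((int)(((mask) >> (bit)) & 1ULL))

/* Constructed sample: a status excerpt where only CAP_NET_RAW (13) and
 * CAP_SYS_NICE (23) remain. Not captured from a real Suricata process. */
const char SAMPLE_STATUS[] =
    "Name:\tsample\nCapPrm:\t0000000000802000\nCapEff:\t0000000000802000\n";

/* Pull the CapEff mask out of /proc/<pid>/status text; 0 on success, -1 if absent. */
int parse_capeff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0;
        }
        p = strchr(p, '\n');   /* advance to the start of the next line */
        if (p) p++;
    }
    return -1;
}

/* Necessary (not sufficient) for loading an XDP/networking eBPF program:
 * CAP_SYS_ADMIN, or CAP_BPF plus CAP_NET_ADMIN on Linux >= 5.8. */
int has_ebpf_load_caps(unsigned long long eff)
{
    return HAS(eff, CAP_SYS_ADMIN_BIT) ||
           (HAS(eff, CAP_BPF_BIT) && HAS(eff, CAP_NET_ADMIN_BIT));
}

int main(int argc, char **argv)
{
    char buf[4096];
    const char *text = SAMPLE_STATUS;  /* no argument: decode the sample */
    unsigned long long eff;
    FILE *f = argc > 1 ? fopen(argv[1], "r") : NULL; /* e.g. /proc/<pid>/status */
    if (argc > 1 && !f) { perror(argv[1]); return 2; }
    if (f) { buf[fread(buf, 1, sizeof buf - 1, f)] = '\0'; fclose(f); text = buf; }
    if (parse_capeff(text, &eff) != 0) { fputs("CapEff not found\n", stderr); return 2; }
    puts(has_ebpf_load_caps(eff) ? "eBPF load caps present" : "eBPF load caps MISSING");
    return has_ebpf_load_caps(eff) ? 0 : 1;
}
```

Capabilities are per-thread on Linux, so when checking a thread other than the main one, pass `/proc/<pid>/task/<tid>/status` instead.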
