Feature #8606
openlandlock: handle newer filesystem access rights for ABI V3/V5
Description
Suricata's Landlock sandbox policy currently handles the original filesystem
access rights plus LANDLOCK_ACCESS_FS_REFER, but does not account for newer
Landlock ABI filesystem rights:
- LANDLOCK_ACCESS_FS_TRUNCATE, added in ABI V3 / Linux >= 5.19
- LANDLOCK_ACCESS_FS_IOCTL_DEV, added in ABI V5 / Linux >= 6.10
Because Landlock only mediates rights explicitly included in
handled_access_fs, these newer operations are not mediated by the current
policy on kernels that support them.
Affected area:
- src/util-landlock.c: _LANDLOCK_ACCESS_FS_WRITE
- src/util-landlock.c: _LANDLOCK_SURI_ACCESS_FS_WRITE
- src/util-landlock.c: LandlockCreateRuleset() ABI handling
Suggested implementation:
- Add fallback defines for LANDLOCK_ACCESS_FS_TRUNCATE and
LANDLOCK_ACCESS_FS_IOCTL_DEV for builds with older kernel headers.
- Add LANDLOCK_ACCESS_FS_TRUNCATE to handled_access_fs when ABI >= 3.
- Add LANDLOCK_ACCESS_FS_IOCTL_DEV to handled_access_fs when ABI >= 5.
- Decide whether TRUNCATE should be included in write-path grants to preserve
existing write/truncate behavior.
- Do not grant IOCTL_DEV unless Suricata has a demonstrated need for device
ioctls through allowed filesystem paths.
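As an added example (not Suricata's code; the Example-prefixed names are hypothetical), this sketches the ABI-gated handled set, a write grant clipped to it, and the fallback defines the list above asks for; the probe uses the raw landlock_create_ruleset syscall and only compiles on Linux:

```c
#include <stdint.h>
#ifdef __linux__
#include <stddef.h>
#include <unistd.h>
#include <sys/syscall.h>
#endif

/* Fallback defines for older kernel headers; values match include/uapi/linux/landlock.h. */
#ifndef LANDLOCK_ACCESS_FS_WRITE_FILE
#define LANDLOCK_ACCESS_FS_WRITE_FILE   (1ULL << 1)
#endif
#ifndef LANDLOCK_ACCESS_FS_TRUNCATE
#define LANDLOCK_ACCESS_FS_TRUNCATE     (1ULL << 14) /* ABI V3, Linux >= 5.19 */
#endif
#ifndef LANDLOCK_ACCESS_FS_IOCTL_DEV
#define LANDLOCK_ACCESS_FS_IOCTL_DEV    (1ULL << 15) /* ABI V5, Linux >= 6.10 */
#endif
#ifndef LANDLOCK_CREATE_RULESET_VERSION
#define LANDLOCK_CREATE_RULESET_VERSION (1U << 0)
#endif
#ifndef __NR_landlock_create_ruleset
#define __NR_landlock_create_ruleset    444
#endif

/* handled_access_fs: only rights listed here are mediated, so newer rights are
 * added exactly when the running ABI supports them. */
uint64_t ExampleHandledFs(int abi)
{
    uint64_t handled = LANDLOCK_ACCESS_FS_WRITE_FILE;
    if (abi >= 3)
        handled |= LANDLOCK_ACCESS_FS_TRUNCATE;
    if (abi >= 5)
        handled |= LANDLOCK_ACCESS_FS_IOCTL_DEV;
    return handled;
}

/* Grant for a writable path: TRUNCATE rides along with WRITE_FILE to keep existing
 * write/truncate behaviour; IOCTL_DEV is handled but never granted. Clipping to the
 * handled set avoids EINVAL from landlock_add_rule() on kernels that lack a right. */
uint64_t ExampleWriteGrant(int abi)
{
    uint64_t grant = LANDLOCK_ACCESS_FS_WRITE_FILE | LANDLOCK_ACCESS_FS_TRUNCATE;
    return grant & ExampleHandledFs(abi);
}

#ifdef __linux__
/* Highest Landlock ABI the kernel supports, or -1 if Landlock is unavailable. */
int ExampleProbeAbi(void)
{
    return (int)syscall(__NR_landlock_create_ruleset, NULL, 0, LANDLOCK_CREATE_RULESET_VERSION);
}
#endif
```

The write grant is the one resolution of the TRUNCATE question above that preserves current behaviour; a policy that wants truncation denied on write paths would drop it from the grant while still keeping it in the handled set.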
Full report is attached.
Credits to:
Arnav Tiwari
https://github.com/Arnav1343
Research conducted under fellowship at IIIT Dharwad
Files
Updated by Juliana Fajardini Reichow 4 days ago
- Status changed from New to Triaged
- Assignee set to OISF Dev