12.7. Using Landlock LSM
Landlock is a Linux Security Module introduced in Linux 5.13. It allows an application to sandbox itself by selecting the access rights it needs on directories, using a deny-by-default approach.
Given its nature, Suricata knows where it is going to read files and where it is going to write them, so an efficient Landlock sandboxing policy can be implemented.
Landlock is not active by default and needs to be activated in the YAML configuration. The configuration ships with sane defaults (defined at build time), and the command line options are used to dynamically add some permissions.
Please note that Landlock is in blocking mode by default, so careful testing is needed before relying on it in production.
To enable Landlock, edit the YAML and set:

  landlock:
    enabled: yes
    directories:
      write:
        - /var/log/suricata/
        - /var/run/
      read:
        - /usr/
        - /etc/
        - /etc/suricata/
Depending on your running configuration you may have to add some directories. There are two lists you can use:
  write: directories where write access is needed
  read: directories where read access is needed
Landlock is not active in some distributions and you may need to activate it at boot by adding lsm=landlock to the Linux kernel command line. For example, on a Debian distribution with at least Linux 5.13, you can edit the GRUB configuration to update the kernel command line, then run sudo update-grub and reboot.
After rebooting, you can check that Landlock is running with:

  sudo dmesg | grep landlock || journalctl -kg landlock
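The following script is an added example, not Suricata's own code, showing what a policy like the YAML above means at the kernel level: a ruleset handles every filesystem right the running Landlock ABI knows, rules grant read or write rights on the listed directories, and everything else is denied once landlock_restrict_self() is called. It also covers the boot check: landlock_in_boot_lsm_list() parses the comma-separated list the kernel exposes in /sys/kernel/security/lsm, and probe_landlock_abi() distinguishes a kernel without Landlock (ENOSYS) from one where it was built but left out of the lsm= list (EOPNOTSUPP). The syscall numbers and LANDLOCK_* constants are those of <linux/landlock.h>; the temporary directories used in the demonstration are constructed stand-ins for the paths in the YAML. Note that lsm= replaces the kernel's whole LSM list, so landlock should be added to the list already in use rather than given on its own.

```python
"""Mirror a Suricata-style Landlock policy with raw Landlock syscalls (added example)."""
import ctypes
import errno
import os

# Landlock syscall numbers are the same on every architecture that supports it.
SYS_LANDLOCK_CREATE_RULESET = 444
SYS_LANDLOCK_ADD_RULE = 445
SYS_LANDLOCK_RESTRICT_SELF = 446
PR_SET_NO_NEW_PRIVS = 38
LANDLOCK_CREATE_RULESET_VERSION = 1 << 0
LANDLOCK_RULE_PATH_BENEATH = 1

# Filesystem access rights from <linux/landlock.h>, in bit order.
FS_EXECUTE, FS_WRITE_FILE, FS_READ_FILE, FS_READ_DIR = 1 << 0, 1 << 1, 1 << 2, 1 << 3
FS_REMOVE_DIR, FS_REMOVE_FILE, FS_MAKE_CHAR, FS_MAKE_DIR = 1 << 4, 1 << 5, 1 << 6, 1 << 7
FS_MAKE_REG, FS_MAKE_SOCK, FS_MAKE_FIFO, FS_MAKE_BLOCK = 1 << 8, 1 << 9, 1 << 10, 1 << 11
FS_MAKE_SYM, FS_REFER, FS_TRUNCATE = 1 << 12, 1 << 13, 1 << 14  # REFER: ABI 2, TRUNCATE: ABI 3

libc = ctypes.CDLL(None, use_errno=True)
libc.syscall.restype = ctypes.c_long


class RulesetAttr(ctypes.Structure):
    _fields_ = [("handled_access_fs", ctypes.c_uint64)]


class PathBeneathAttr(ctypes.Structure):
    _pack_ = 1  # the kernel struct is __attribute__((packed)): 12 bytes, not 16
    _fields_ = [("allowed_access", ctypes.c_uint64), ("parent_fd", ctypes.c_int32)]


def landlock_in_boot_lsm_list(lsm_list):
    """True if 'landlock' appears in a comma-separated LSM list as in /sys/kernel/security/lsm."""
    return "landlock" in [name.strip() for name in lsm_list.split(",")]


def probe_landlock_abi():
    """Return (abi_version, errno); abi_version is -1 when Landlock is unusable.
    ENOSYS: kernel has no Landlock. EOPNOTSUPP: built in, but not enabled via lsm= at boot."""
    ctypes.set_errno(0)
    rc = libc.syscall(SYS_LANDLOCK_CREATE_RULESET, None, ctypes.c_size_t(0),
                      ctypes.c_uint32(LANDLOCK_CREATE_RULESET_VERSION))
    return (rc, 0) if rc >= 1 else (-1, ctypes.get_errno())


def handled_access_for_abi(abi):
    """Every FS right this ABI knows: a handled right not granted by a rule is denied."""
    highest_bit = {1: FS_MAKE_SYM, 2: FS_REFER}.get(abi, FS_TRUNCATE)
    return (highest_bit << 1) - 1


def access_mask(kind, abi):
    """Translate a YAML list name ('read' or 'write') into Landlock rights for this ABI."""
    read = FS_READ_FILE | FS_READ_DIR
    write = (read | FS_WRITE_FILE | FS_MAKE_REG | FS_MAKE_DIR | FS_MAKE_SOCK | FS_MAKE_FIFO
             | FS_REMOVE_FILE | FS_REMOVE_DIR | FS_TRUNCATE)
    mask = {"read": read, "write": write}[kind]
    return mask & handled_access_for_abi(abi)  # a rule with unhandled bits is rejected (EINVAL)


def apply_policy(directories, abi):
    """directories mirrors the YAML: {'write': [...], 'read': [...]}. Irreversible for this process."""
    attr = RulesetAttr(handled_access_for_abi(abi))
    ruleset_fd = libc.syscall(SYS_LANDLOCK_CREATE_RULESET, ctypes.byref(attr),
                              ctypes.c_size_t(ctypes.sizeof(attr)), ctypes.c_uint32(0))
    if ruleset_fd < 0:
        raise OSError(ctypes.get_errno(), "landlock_create_ruleset")
    for kind in ("write", "read"):
        for path in directories.get(kind, []):
            parent_fd = os.open(path, os.O_PATH | os.O_CLOEXEC)
            rule = PathBeneathAttr(access_mask(kind, abi), parent_fd)
            rc = libc.syscall(SYS_LANDLOCK_ADD_RULE, ruleset_fd, LANDLOCK_RULE_PATH_BENEATH,
                              ctypes.byref(rule), ctypes.c_uint32(0))
            os.close(parent_fd)
            if rc < 0:
                raise OSError(ctypes.get_errno(), "landlock_add_rule(%s)" % path)
    # Required by the kernel so the restriction cannot be escaped via setuid/setgid binaries.
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_NO_NEW_PRIVS)")
    if libc.syscall(SYS_LANDLOCK_RESTRICT_SELF, ruleset_fd, ctypes.c_uint32(0)) < 0:
        raise OSError(ctypes.get_errno(), "landlock_restrict_self")
    os.close(ruleset_fd)


if __name__ == "__main__":
    import tempfile
    abi, err = probe_landlock_abi()
    if abi < 0:
        raise SystemExit("Landlock unavailable: %s" % errno.errorcode.get(err, err))
    allowed = tempfile.mkdtemp(prefix="ll-write-")  # constructed stand-ins for the YAML paths
    other = tempfile.mkdtemp(prefix="ll-other-")
    apply_policy({"write": [allowed], "read": ["/usr", "/etc"]}, abi)
    open(os.path.join(allowed, "ok.log"), "w").close()  # in the write list: allowed
    try:
        open(os.path.join(other, "denied.log"), "w").close()  # not listed: denied by default
    except PermissionError as exc:
        print("blocked as expected:", exc)
```

Run it as an unprivileged user on a Landlock-enabled kernel: the write inside the listed directory succeeds and the one outside fails with EACCES, which is the behaviour to expect from Suricata when a log or run directory is missing from the write list. Because apply_policy() restricts the calling process permanently, keep it out of anything you import elsewhere and test the pure helpers separately.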
If you are interested in reading more about Landlock, you can use https://docs.kernel.org/userspace-api/landlock.html as an entry point.