Lua vendored sandbox/v13 #233

Merged
merged 23 commits into from
May 29, 2024
Merged
586c92d
lua: require lua 5.4
J0eJ0h Jan 11, 2024
712496b
lua: Remove luajit support
J0eJ0h Jan 12, 2024
d5c6c3a
lua: build lua by default
J0eJ0h Jan 16, 2024
01c8af7
lua: remove internal references to luajit
J0eJ0h Jan 26, 2024
8428b0b
lua: Add lua sandbox for detection rules
J0eJ0h Dec 20, 2023
e946b20
lua: Add config override for lua sandbox limits
J0eJ0h Jan 29, 2024
04adb0c
lua: Add config to allow sandbox bypass
J0eJ0h Feb 5, 2024
ba6a976
doc: Initial doc for lua sandbox
J0eJ0h Feb 5, 2024
1f05a17
lua: misc cleanups in sandbox implementation
jasonish Apr 11, 2024
afb705d
lua: reset instruction counter before calling script
jasonish May 24, 2024
bc011f2
lua: use rust crate to vendor (bundle) lua
jasonish Apr 13, 2024
1fd2c1a
rust/lua: remove lua_int8 feature
jasonish Apr 30, 2024
2e44016
lua: remove lua as a compile time feature
jasonish May 1, 2024
4788d68
github-ci: test make after clean without cbindgen
jasonish Apr 15, 2024
7897043
github-ci/scan-build: exclude rust (lua)
jasonish Apr 15, 2024
9369307
rust/Makefile: cleanup "clean" targets
jasonish Apr 15, 2024
86f9e43
lua: use a function allow list instead of a deny list
jasonish May 23, 2024
c8fa454
lua: add blocked functions as a special log type plus stat
jasonish May 24, 2024
5a1cba7
lua: add logging and counter for instruction limit being exceeded
jasonish May 24, 2024
011f0ba
lua: remove sandbox lib for now
jasonish May 24, 2024
10e6028
lua: track memory limit exceede errors
jasonish May 27, 2024
3eb8c72
doc: update lua sandbox docs for allowed packages/functions
jasonish May 27, 2024
daa6f6f
github-ci: re-add --disable-lua to commit check
jasonish May 28, 2024
1 change: 0 additions & 1 deletion .github/workflows/build-centos-7.yml
Expand Up @@ -57,7 +57,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
38 changes: 8 additions & 30 deletions .github/workflows/builds.yml
Expand Up @@ -212,7 +212,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
Expand Down Expand Up @@ -266,7 +265,7 @@ jobs:
CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-warnings
- run: make -j ${{ env.CPUS }} distcheck
env:
DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk"
DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk"
MAKEFLAGS: "-j ${{ env.CPUS }}"
- run: test -e doc/userguide/suricata.1
- name: Checking includes
Expand Down Expand Up @@ -365,7 +364,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
Expand Down Expand Up @@ -458,7 +456,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
Expand Down Expand Up @@ -554,7 +551,6 @@ jobs:
autoconf \
automake \
cargo-vendor \
cbindgen \
diffutils \
numactl-devel \
dpdk-devel \
Expand All @@ -564,7 +560,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
Expand Down Expand Up @@ -614,6 +609,9 @@ jobs:
- run: python3 ./suricata-verify/run.py -q --debug-failed
- run: suricata-update -V
- run: suricatasc -h
# Test build after clean.
- run: make clean
- run: make -j ${{ env.CPUS }}

centos-stream8:
name: CentOS Stream 8
Expand Down Expand Up @@ -654,7 +652,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
Expand Down Expand Up @@ -744,7 +741,6 @@ jobs:
hiredis-devel \
jansson-devel \
jq \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -841,7 +837,6 @@ jobs:
hiredis-devel \
jansson-devel \
jq \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -877,7 +872,7 @@ jobs:
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow" ./configure --disable-shared
- run: make check
- run: make distclean
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-warnings --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue --enable-lua
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-warnings --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue
env:
LDFLAGS: "-fsanitize=address"
ac_cv_func_realloc_0_nonnull: "yes"
Expand Down Expand Up @@ -939,7 +934,6 @@ jobs:
hiredis-devel \
jansson-devel \
jq \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -1037,7 +1031,6 @@ jobs:
hiredis-devel \
jansson-devel \
jq \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -1068,7 +1061,7 @@ jobs:
- run: tar xf prep/libhtp.tar.gz
- run: tar xf prep/suricata-update.tar.gz
- run: ./autogen.sh
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue --enable-lua
- run: CC="clang" CFLAGS="$DEFAULT_CFLAGS -Wshadow -fsanitize=address -fno-omit-frame-pointer" ./configure --enable-debug --enable-unittests --disable-shared --enable-rust-strict --enable-hiredis --enable-nfqueue
env:
LDFLAGS: "-fsanitize=address"
ac_cv_func_realloc_0_nonnull: "yes"
Expand Down Expand Up @@ -1130,7 +1123,6 @@ jobs:
hiredis-devel \
jansson-devel \
jq \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -1215,7 +1207,6 @@ jobs:
hiredis-devel \
jansson-devel \
jq \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -1309,7 +1300,6 @@ jobs:
gcc \
gcc-c++ \
git \
lua-devel \
libasan \
libtool \
libyaml-devel \
Expand Down Expand Up @@ -1380,7 +1370,6 @@ jobs:
libhiredis-dev \
libhyperscan-dev \
libjansson-dev \
liblua5.4-dev \
libmagic-dev \
libnet1-dev \
libnetfilter-queue-dev \
Expand Down Expand Up @@ -1461,7 +1450,6 @@ jobs:
libnuma-dev \
libhiredis-dev \
libhyperscan-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand Down Expand Up @@ -1589,7 +1577,6 @@ jobs:
libnfnetlink0 \
libnuma-dev \
libhiredis-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand Down Expand Up @@ -1704,7 +1691,6 @@ jobs:
libnfnetlink0 \
libnuma-dev \
libhiredis-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand Down Expand Up @@ -1852,7 +1838,6 @@ jobs:
libnfnetlink0 \
libnuma-dev \
libhiredis-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand Down Expand Up @@ -1941,7 +1926,6 @@ jobs:
libnfnetlink0 \
libnuma-dev \
libhiredis-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand Down Expand Up @@ -2042,7 +2026,6 @@ jobs:
libnfnetlink0 \
libnuma-dev \
libhiredis-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand Down Expand Up @@ -2681,7 +2664,6 @@ jobs:
libmaxminddb-dev \
libjansson-dev \
libjansson4 \
liblua5.1-dev \
libnuma-dev \
liblz4-dev \
libssl-dev \
Expand Down Expand Up @@ -2714,7 +2696,7 @@ jobs:
# -j2 caused random failures during cargo vendor
- run: make distcheck
env:
DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk"
DISTCHECK_CONFIGURE_FLAGS: "--enable-unittests --enable-debug --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk"
- run: test -e doc/userguide/suricata.1
- run: test -e doc/userguide/userguide.pdf
- name: Building Rust documentation
Expand Down Expand Up @@ -2850,7 +2832,6 @@ jobs:
libmaxminddb-dev \
libjansson-dev \
libjansson4 \
liblua5.1-dev \
libnuma-dev \
liblz4-dev \
libssl-dev \
Expand Down Expand Up @@ -2888,7 +2869,7 @@ jobs:
- run: tar xf prep/suricata-update.tar.gz
- run: tar xf prep/suricata-verify.tar.gz
- run: ./autogen.sh
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-warnings --enable-unittests --enable-debug --enable-lua --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk
- run: CFLAGS="${DEFAULT_CFLAGS}" ./configure --enable-warnings --enable-unittests --enable-debug --enable-geoip --enable-profiling --enable-profiling-locks --enable-dpdk
- run: make -j ${{ env.CPUS }}
- run: make check
- name: Building Rust documentation
Expand Down Expand Up @@ -2938,7 +2919,6 @@ jobs:
libmagic-dev \
libjansson-dev \
libgeoip-dev \
liblua5.1-dev \
libhiredis-dev \
libevent-dev \
libtool \
Expand Down Expand Up @@ -3021,7 +3001,6 @@ jobs:
libmagic-dev \
libjansson-dev \
libgeoip-dev \
liblua5.1-dev \
libhiredis-dev \
libevent-dev \
libtool \
Expand Down Expand Up @@ -3089,7 +3068,6 @@ jobs:
libtool \
libyaml \
pyyaml \
lua \
pcre2 \
pkg-config \
python \
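Review bot: The comment `# Test build after clean.` above the new `make clean` / `make -j ${{ env.CPUS }}` steps (in the job just before `centos-stream8`) does not say what the rebuild is supposed to prove, so a later maintainer may drop it as redundant. Taken together with the hunk earlier in this file that removes `cbindgen` from that job's package list, the intent appears to be that a clean rebuild must succeed with no cbindgen installed; state that explicitly, e.g. `# Test build after clean: must succeed without cbindgen installed (dropped from the package list above).` The job's step list continues outside the hunk.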
2 changes: 1 addition & 1 deletion .github/workflows/commits.yml
Expand Up @@ -88,7 +88,7 @@ jobs:
git checkout $rev
echo "Building rev ${rev}" | tee -a build_log.txt
./autogen.sh >> build_log.txt 2>&1
CC="sccache gcc" ./configure --enable-warnings --enable-unittests >> build_log.txt 2>&1
CC="sccache gcc" ./configure --enable-warnings --enable-unittests --disable-lua >> build_log.txt 2>&1
if ! make -j2 >> build_log.txt 2>&1; then
echo "::error ::Failed to build rev ${rev}"
tail -n 50 build_log.txt
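Review bot: Adding `--disable-lua` to the per-revision configure line means every commit in the range is now compiled without the Lua code paths this PR introduces, so a Lua-only build break in an intermediate commit would pass this check, and the workflow records no reason for the flag. Add a comment above the line stating the intent, e.g. `# Build each rev without Lua; the Lua build is exercised in builds.yml` (adjust the wording if the motivation is different, e.g. build time). The shell loop this line belongs to starts and ends outside the hunk.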
2 changes: 0 additions & 2 deletions .github/workflows/rust-checks.yml
Expand Up @@ -56,7 +56,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
Expand Down Expand Up @@ -141,7 +140,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
1 change: 0 additions & 1 deletion .github/workflows/rust.yml
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,6 @@ jobs:
git \
jansson-devel \
jq \
lua-devel \
libtool \
libyaml-devel \
libnfnetlink-devel \
3 changes: 1 addition & 2 deletions .github/workflows/scan-build.yml
Expand Up @@ -56,7 +56,6 @@ jobs:
libnuma-dev \
libhiredis-dev \
libhyperscan-dev \
liblua5.1-dev \
libjansson-dev \
libevent-dev \
libevent-pthreads-2.1-7 \
Expand All @@ -79,7 +78,7 @@ jobs:
# disable security.insecureAPI.DeprecatedOrUnsafeBufferHandling explicitly as
# this will require significant effort to address.
- run: |
scan-build-18 --status-bugs --exclude libhtp/ \
scan-build-18 --status-bugs --exclude libhtp/ --exclude rust \
-enable-checker valist.Uninitialized \
-enable-checker valist.CopyToSelf \
-enable-checker valist.Unterminated \
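Review bot: The new `--exclude rust` argument is written without a trailing slash while the neighbouring `--exclude libhtp/` carries one; for consistency, and to make clear that a directory is meant, write `--exclude rust/`. The reason for the exclusion is only in the commit message ("exclude rust (lua)"), so a one-line comment above the run step would help, e.g. `# rust/ holds the vendored Lua sources; scan-build covers the C tree only.` The scan-build command continues past the end of the hunk.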