doc: Initial doc for lua sandbox

J0eJ0h · Feb 20, 2024 · 2cb2307 · 2cb2307
1 parent c7f600c
commit 2cb2307
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 7 deletions.
diff --git a/.github/workflows/builds.yml b/.github/workflows/builds.yml
@@ -671,9 +671,6 @@ jobs:
           test -e /usr/local/lib/suricata/python/suricata/update/configs/modify.conf
           test -e /usr/local/lib/suricata/python/suricata/update/configs/threshold.in
           test -e /usr/local/lib/suricata/python/suricata/update/configs/update.yaml
-<<<<<<< HEAD
-      - uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe
-=======
       - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
         with:
           name: prep
@@ -754,7 +751,6 @@ jobs:
       - run: make clean
       - run: make -j2
       - uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a
->>>>>>> 3687ee2a6 (github-ci: Fix centos7 distcheck using lua 5.1)
         with:
           name: prep
           path: prep

diff --git a/doc/userguide/configuration/suricata-yaml.rst b/doc/userguide/configuration/suricata-yaml.rst
@@ -2774,11 +2774,14 @@ Beyond suricata.yaml, other ways to harden Suricata are
 - compilation : enabling ASLR and other exploit mitigation techniques.
 - environment : running Suricata on a device that has no direct access to Internet.
 
+.. _suricata-yaml-lua-config:
+
 Lua
 ~~~
 
-Suricata 7.0 disables Lua rules by default. Lua rules can be enabled
-in the ``security.lua`` section of the configuration file:
+Suricata 8.0 sandboxes Lua rules by default. The restrictions on the sandbox for Lua rules can be
+modified in the ``security.lua`` section of the configuration file.  Additionally, Lua rules 
+can be completely disabled the same as the Suricata 7.0 default:
 
 ::
 
@@ -2787,3 +2790,12 @@ in the ``security.lua`` section of the configuration file:
        # Allow Lua rules. Disabled by default.
        #allow-rules: false
 
+       # Upper bound of allocations by a Lua rule before it will fail
+       #max-bytes: 500000 
+
+       # Upper bound of lua instructions by a Lua rule before it will fail
+       #max-instructions: 500000
+
+       # Allow dangerous lua operations like external packages and file io
+       #allow-restricted-functions: false
+
diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst
@@ -15,7 +15,8 @@ Syntax:
 
 The script filename will be appended to your default rules location.
 
-The script has 2 parts, an init function and a match function. First, the init.
+The script has 2 parts, an init function and a match function. First, the init.  
+Additionally, the script will run in a limited sandbox by default.
 
 Init function
 -------------
@@ -100,5 +101,28 @@ Entire script:
 
   return 0
 
+Sandbox and Available functions
+-------------------------------
+
+By default, the maximum memory and lua instruction count per execution of a detection rule will be limited.  Additionally,
+The following libraries and functions are blocked:
+* package
+* coroutine
+* io
+* os
+* collectgarbage
+* dofile
+* getmetatable
+* loadfile
+* load
+* pcall
+* setmetatable
+* xpcall
+* string.rep
+
+This behavior can be modified via the ``security.lua`` section of :ref:`_suricata-yaml-lua-config`
+
+.. note:: Suricata 8.0 has moved to Lua 5.4 and has builtin support for bitwise and utf8 operations now.
+
 A comprehensive list of existing lua functions -  with examples - can be found at :ref:`lua-functions` (some of them, however,
 work only for the lua-output functionality).