lua: add "builtins" file to consolidate registration

Use a single array of built-ins and provide 2 functions for registering them: - SCLuaLoadBuiltIn: for loading built-in modules in sandboxed environments. - SCLuaRequirefBuiltIns: registers built-in modules with the standard package tool, allows built-ins to be loaded by output scripts that are not restricted I hope to refactor the sandbox so they can use SCLuaRequirefBuiltIns as well.
1 month ago · d63ad75d91
parent c8b28b1512
commit d63ad75d91
7 changed files with 92 additions and 9 deletions
--- a/src/Makefile.am
+++ b/src/Makefile.am
@ -506,6 +506,7 @@ noinst_HEADERS = \
 	util-landlock.h \
 	util-logopenfile.h \
 	util-log-redis.h \
+	util-lua-builtins.h \
 	util-lua-common.h \
 	util-lua-dataset.h \
 	util-lua-dnp3.h \
@ -1056,6 +1057,7 @@ libsuricata_c_a_SOURCES = \
 	util-logopenfile.c \
 	util-log-redis.c \
 	util-lua.c \
+	util-lua-builtins.c \
 	util-lua-common.c \
 	util-lua-dataset.c \
 	util-lua-dnp3.c \
--- a/src/output-lua.c
+++ b/src/output-lua.c
@ -25,6 +25,7 @@
 #include "suricata-common.h"
 #include "output-lua.h"

+#include "util-lua-builtins.h"
 #include "util-print.h"
 #include "util-unittest.h"
 #include "util-debug.h"
@ -417,6 +418,7 @@ static int LuaScriptInit(const char *filename, LogLuaScriptOptions *options) {
    if (luastate == NULL)
        goto error;
    luaL_openlibs(luastate);
+    SCLuaRequirefBuiltIns(luastate);

    int status = luaL_loadfile(luastate, filename);
    if (status) {
@ -551,6 +553,7 @@ static lua_State *LuaScriptSetup(const char *filename)
    }

    luaL_openlibs(luastate);
+    SCLuaRequirefBuiltIns(luastate);

    int status = luaL_loadfile(luastate, filename);
    if (status) {
--- a/src/util-lua-builtins.c
+++ b/src/util-lua-builtins.c
@ -0,0 +1,55 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "suricata-common.h"
+#include "util-lua-builtins.h"
+#include "util-lua-hashlib.h"
+#include "util-lua-dataset.h"
+
+#include "lauxlib.h"
+
+static const luaL_Reg builtins[] = {
+    { "suricata.hashlib", SCLuaLoadHashlib },
+    { "suricata.dataset", LuaLoadDatasetLib },
+    { NULL, NULL },
+};
+
+/**
+ * \brief Load a Suricata built-in module in a sand-boxed environment.
+ */
+bool SCLuaLoadBuiltIns(lua_State *L, const char *name)
+{
+    for (const luaL_Reg *lib = builtins; lib->name; lib++) {
+        if (strcmp(name, lib->name) == 0) {
+            lib->func(L);
+            return true;
+        }
+    }
+    return false;
+}
+
+/**
+ * \brief Register Suricata built-in modules for loading in a
+ *     non-sandboxed environment.
+ */
+void SCLuaRequirefBuiltIns(lua_State *L)
+{
+    for (const luaL_Reg *lib = builtins; lib->name; lib++) {
+        luaL_requiref(L, lib->name, lib->func, 0);
+        lua_pop(L, 1);
+    }
+}
--- a/src/util-lua-builtins.h
+++ b/src/util-lua-builtins.h
@ -0,0 +1,26 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef SURICATA_UTIL_LUA_BUILTINS_H
+#define SURICATA_UTIL_LUA_BUILTINS_H
+
+#include "lua.h"
+
+bool SCLuaLoadBuiltIns(lua_State *L, const char *name);
+void SCLuaRequirefBuiltIns(lua_State *L);
+
+#endif /* SURICATA_UTIL_LUA_BUILTINS_H */
--- a/src/util-lua-dataset.c
+++ b/src/util-lua-dataset.c
@ -120,11 +120,13 @@ static const luaL_Reg datasetlib[] = {
 };
 // clang-format on

-void LuaLoadDatasetLib(lua_State *luastate)
+int LuaLoadDatasetLib(lua_State *luastate)
 {
    luaL_newmetatable(luastate, "dataset::metatable");
    lua_pushvalue(luastate, -1);
    lua_setfield(luastate, -2, "__index");
    luaL_setfuncs(luastate, datasetlib, 0);
    luaL_newlib(luastate, datasetlib);
+
+    return 1;
 }
--- a/src/util-lua-dataset.h
+++ b/src/util-lua-dataset.h
@ -20,6 +20,6 @@

 #include "lua.h"

-void LuaLoadDatasetLib(lua_State *luastate);
+int LuaLoadDatasetLib(lua_State *luastate);

 #endif /* SURICATA_UTIL_LUA_DATASET_H */
--- a/src/util-lua-sandbox.c
+++ b/src/util-lua-sandbox.c
@ -30,8 +30,7 @@

 #include "util-debug.h"
 #include "util-lua-sandbox.h"
-#include "util-lua-dataset.h"
-#include "util-lua-hashlib.h"
+#include "util-lua-builtins.h"

 #define SANDBOX_CTX "SANDBOX_CTX"

@ -264,11 +263,7 @@ static int SCLuaSbRequire(lua_State *L)
 {
    const char *module_name = luaL_checkstring(L, 1);

-    if (strcmp(module_name, "suricata.dataset") == 0) {
-        LuaLoadDatasetLib(L);
-        return 1;
-    } else if (strcmp(module_name, "suricata.hashlib") == 0) {
-        SCLuaLoadHashlib(L);
+    if (SCLuaLoadBuiltIns(L, module_name)) {
        return 1;
    }