lua: add "builtins" file to consolidate registration

Use a single array of built-ins and provide 2 functions for registering them: - SCLuaLoadBuiltIn: for loading built-in modules in sandboxed environments. - SCLuaRequirefBuiltIns: registers built-in modules with the standard package tool, allows built-ins to be loaded by output scripts that are not restricted I hope to refactor the sandbox so they can use SCLuaRequirefBuiltIns as well.
OISF · Jan 23, 2025 · d63ad75 · d63ad75
1 parent c8b28b1
commit d63ad75
Show file tree

Hide file tree

Showing 7 changed files with 92 additions and 9 deletions.
diff --git a/src/Makefile.am b/src/Makefile.am
@@ -506,6 +506,7 @@ noinst_HEADERS = \
 	util-landlock.h \
 	util-logopenfile.h \
 	util-log-redis.h \
+	util-lua-builtins.h \
 	util-lua-common.h \
 	util-lua-dataset.h \
 	util-lua-dnp3.h \
@@ -1056,6 +1057,7 @@ libsuricata_c_a_SOURCES = \
 	util-logopenfile.c \
 	util-log-redis.c \
 	util-lua.c \
+	util-lua-builtins.c \
 	util-lua-common.c \
 	util-lua-dataset.c \
 	util-lua-dnp3.c \

diff --git a/src/output-lua.c b/src/output-lua.c
@@ -25,6 +25,7 @@
 #include "suricata-common.h"
 #include "output-lua.h"
 
+#include "util-lua-builtins.h"
 #include "util-print.h"
 #include "util-unittest.h"
 #include "util-debug.h"
@@ -417,6 +418,7 @@ static int LuaScriptInit(const char *filename, LogLuaScriptOptions *options) {
     if (luastate == NULL)
         goto error;
     luaL_openlibs(luastate);
+    SCLuaRequirefBuiltIns(luastate);
 
     int status = luaL_loadfile(luastate, filename);
     if (status) {
@@ -551,6 +553,7 @@ static lua_State *LuaScriptSetup(const char *filename)
     }
 
     luaL_openlibs(luastate);
+    SCLuaRequirefBuiltIns(luastate);
 
     int status = luaL_loadfile(luastate, filename);
     if (status) {

diff --git a/src/util-lua-builtins.c b/src/util-lua-builtins.c
@@ -0,0 +1,55 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#include "suricata-common.h"
+#include "util-lua-builtins.h"
+#include "util-lua-hashlib.h"
+#include "util-lua-dataset.h"
+
+#include "lauxlib.h"
+
+static const luaL_Reg builtins[] = {
+    { "suricata.hashlib", SCLuaLoadHashlib },
+    { "suricata.dataset", LuaLoadDatasetLib },
+    { NULL, NULL },
+};
+
+/**
+ * \brief Load a Suricata built-in module in a sand-boxed environment.
+ */
+bool SCLuaLoadBuiltIns(lua_State *L, const char *name)
+{
+    for (const luaL_Reg *lib = builtins; lib->name; lib++) {
+        if (strcmp(name, lib->name) == 0) {
+            lib->func(L);
+            return true;
+        }
+    }
+    return false;
+}
+
+/**
+ * \brief Register Suricata built-in modules for loading in a
+ *     non-sandboxed environment.
+ */
+void SCLuaRequirefBuiltIns(lua_State *L)
+{
+    for (const luaL_Reg *lib = builtins; lib->name; lib++) {
+        luaL_requiref(L, lib->name, lib->func, 0);
+        lua_pop(L, 1);
+    }
+}
diff --git a/src/util-lua-builtins.h b/src/util-lua-builtins.h
@@ -0,0 +1,26 @@
+/* Copyright (C) 2025 Open Information Security Foundation
+ *
+ * You can copy, redistribute or modify this Program under the terms of
+ * the GNU General Public License version 2 as published by the Free
+ * Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * version 2 along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
+ * 02110-1301, USA.
+ */
+
+#ifndef SURICATA_UTIL_LUA_BUILTINS_H
+#define SURICATA_UTIL_LUA_BUILTINS_H
+
+#include "lua.h"
+
+bool SCLuaLoadBuiltIns(lua_State *L, const char *name);
+void SCLuaRequirefBuiltIns(lua_State *L);
+
+#endif /* SURICATA_UTIL_LUA_BUILTINS_H */
diff --git a/src/util-lua-dataset.c b/src/util-lua-dataset.c
@@ -120,11 +120,13 @@ static const luaL_Reg datasetlib[] = {
 };
 // clang-format on
 
-void LuaLoadDatasetLib(lua_State *luastate)
+int LuaLoadDatasetLib(lua_State *luastate)
 {
     luaL_newmetatable(luastate, "dataset::metatable");
     lua_pushvalue(luastate, -1);
     lua_setfield(luastate, -2, "__index");
     luaL_setfuncs(luastate, datasetlib, 0);
     luaL_newlib(luastate, datasetlib);
+
+    return 1;
 }
diff --git a/src/util-lua-dataset.h b/src/util-lua-dataset.h
@@ -20,6 +20,6 @@
 
 #include "lua.h"
 
-void LuaLoadDatasetLib(lua_State *luastate);
+int LuaLoadDatasetLib(lua_State *luastate);
 
 #endif /* SURICATA_UTIL_LUA_DATASET_H */
diff --git a/src/util-lua-sandbox.c b/src/util-lua-sandbox.c
@@ -30,8 +30,7 @@
 
 #include "util-debug.h"
 #include "util-lua-sandbox.h"
-#include "util-lua-dataset.h"
-#include "util-lua-hashlib.h"
+#include "util-lua-builtins.h"
 
 #define SANDBOX_CTX "SANDBOX_CTX"
 
@@ -264,11 +263,7 @@ static int SCLuaSbRequire(lua_State *L)
 {
     const char *module_name = luaL_checkstring(L, 1);
 
-    if (strcmp(module_name, "suricata.dataset") == 0) {
-        LuaLoadDatasetLib(L);
-        return 1;
-    } else if (strcmp(module_name, "suricata.hashlib") == 0) {
-        SCLuaLoadHashlib(L);
+    if (SCLuaLoadBuiltIns(L, module_name)) {
         return 1;
     }