From 2c7eb3c755ef475e082a59645ba2e98c3abcddd0 Mon Sep 17 00:00:00 2001
From: m0duspwnens
Date: Thu, 25 Apr 2024 10:05:59 -0400
Subject: [PATCH] only apply ulimits to suricata container if user enable mmap-locked
---
 salt/suricata/enabled.sls | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/salt/suricata/enabled.sls b/salt/suricata/enabled.sls
index 8520187d0..3e015d100 100644
--- a/salt/suricata/enabled.sls
+++ b/salt/suricata/enabled.sls
@@ -7,6 +7,7 @@
 {% if sls.split('.')[0] in allowed_states %}
 {% from 'vars/globals.map.jinja' import GLOBALS %}
 {% from 'docker/docker.map.jinja' import DOCKER %}
+{% from 'suricata/map.jinja' import SURICATAMERGED %}
 include:
@@ -24,7 +25,8 @@ so-suricata:
 - {{ XTRAENV }}
 {% endfor %}
 {% endif %}
- {% if DOCKER.containers['so-suricata'].ulimits %}
+ {# we look at SURICATAMERGED.config['af-packet'][0] since we only allow one interface and therefore always the first list item #}
+ {% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] == "yes" and DOCKER.containers['so-suricata'].ulimits %}
 - ulimits:
 {% for ULIMIT in DOCKER.containers['so-suricata'].ulimits %}
 - {{ ULIMIT }}
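Review bot: The new condition in the second hunk compares `['mmap-locked']` to the literal string "yes", so a value that reaches the template as a YAML boolean (for example an unquoted `yes` or `true` in an override) would not match, and the ulimits block would be skipped silently even though Suricata is configured to lock memory. It also indexes `['af-packet'][0]` without a guard, which I would expect to fail the render if that list is ever empty or missing; the comment says only one interface is allowed, but nothing visible here ensures there is at least one. Consider normalising the value, e.g. `{% if SURICATAMERGED.config['af-packet'][0]['mmap-locked'] | string | lower in ['yes', 'true'] and DOCKER.containers['so-suricata'].ulimits %}`, and confirming that the map always yields a non-empty `af-packet` list. The `so-suricata` state begins above this hunk and the `{% for %}`/`{% if %}` blocks close below it, so this is based on the visible lines only.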