jonathancammack / rpms / openssh

Forked from rpms/openssh 9 months ago
Clone
9070b3
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
9070b3
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
9070b3
implementation) which calls the libraries that will communicate with the
9070b3
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
9070b3
this is only need on s390 architecture.
9070b3
9070b3
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
9070b3
---
9070b3
 sandbox-seccomp-filter.c | 6 ++++++
9070b3
 1 file changed, 6 insertions(+)
9070b3
9070b3
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
9070b3
index ca75cc7..6e7de31 100644
9070b3
--- a/sandbox-seccomp-filter.c
9070b3
+++ b/sandbox-seccomp-filter.c
9070b3
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
9070b3
 #ifdef __NR_exit_group
9070b3
 	SC_ALLOW(__NR_exit_group),
9070b3
 #endif
9070b3
+#if defined(__NR_flock) && defined(__s390__)
9070b3
+	SC_ALLOW(__NR_flock),
9070b3
+#endif
9070b3
 #ifdef __NR_futex
9070b3
 	SC_ALLOW(__NR_futex),
9070b3
 #endif
9070b3
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
9070b3
 #ifdef __NR_gettimeofday
9070b3
 	SC_ALLOW(__NR_gettimeofday),
9070b3
 #endif
9070b3
+#if defined(__NR_ipc) && defined(__s390__)
9070b3
+	SC_ALLOW(__NR_ipc),
9070b3
+#endif
9070b3
 #ifdef __NR_getuid
9070b3
 	SC_ALLOW(__NR_getuid),
9070b3
 #endif
9070b3
-- 
9070b3
1.9.1
9070b3
9070b3
getuid and geteuid are needed when using an openssl engine that calls a
9070b3
crypto card, e.g. ICA (libica).
9070b3
Those syscalls are also needed by the distros for audit code.
9070b3
9070b3
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
9070b3
---
9070b3
 sandbox-seccomp-filter.c | 12 ++++++++++++
9070b3
 1 file changed, 12 insertions(+)
9070b3
9070b3
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
9070b3
index 6e7de31..e86aa2c 100644
9070b3
--- a/sandbox-seccomp-filter.c
9070b3
+++ b/sandbox-seccomp-filter.c
9070b3
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
9070b3
 #ifdef __NR_getpid
9070b3
 	SC_ALLOW(__NR_getpid),
9070b3
 #endif
9070b3
+#ifdef __NR_getuid
9070b3
+	SC_ALLOW(__NR_getuid),
9070b3
+#endif
9070b3
+#ifdef __NR_getuid32
9070b3
+	SC_ALLOW(__NR_getuid32),
9070b3
+#endif
9070b3
+#ifdef __NR_geteuid
9070b3
+	SC_ALLOW(__NR_geteuid),
9070b3
+#endif
9070b3
+#ifdef __NR_geteuid32
9070b3
+	SC_ALLOW(__NR_geteuid32),
9070b3
+#endif
9070b3
 #ifdef __NR_getrandom
9070b3
 	SC_ALLOW(__NR_getrandom),
9070b3
 #endif
9070b3
-- 1.9.1
9070b3
1.9.1
9070b3
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
9070b3
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
9070b3
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
9070b3
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
9070b3
 #ifdef __NR_geteuid32
9070b3
 	SC_ALLOW(__NR_geteuid32),
9070b3
 #endif
9070b3
+#ifdef __NR_gettid
9070b3
+	SC_ALLOW(__NR_gettid),
9070b3
+#endif
9070b3
 #ifdef __NR_getrandom
9070b3
 	SC_ALLOW(__NR_getrandom),
9070b3
 #endif
9070b3