kentpeacock / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
b58e57
From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
b58e57
From: Damien Miller <djm@mindrot.org>
b58e57
Date: Tue, 14 Mar 2017 13:15:18 +1100
b58e57
Subject: [PATCH] support ioctls for ICA crypto card on Linux/s390
b58e57
b58e57
Based on patch from Eduardo Barretto; ok dtucker@
b58e57
---
b58e57
 sandbox-seccomp-filter.c | 6 ++++++
b58e57
 1 file changed, 6 insertions(+)
b58e57
b58e57
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
b58e57
index af5525a..6ceee33 100644
b58e57
--- a/sandbox-seccomp-filter.c
b58e57
+++ b/sandbox-seccomp-filter.c
b58e57
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
b58e57
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
b58e57
 	SC_DENY(socketcall, EACCES),
b58e57
 #endif
b58e57
+#if defined(__NR_ioctl) && defined(__s390__)
b58e57
+	/* Allow ioctls for ICA crypto card on s390 */
b58e57
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
b58e57
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
b58e57
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
b58e57
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
b58e57
 
b58e57
 	/* Default deny */
b58e57
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
b58e57
b58e57
From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
b58e57
From: Damien Miller <djm@mindrot.org>
b58e57
Date: Tue, 14 Mar 2017 12:24:47 +1100
b58e57
Subject: [PATCH] Fix weakness in seccomp-bpf sandbox arg inspection
b58e57
b58e57
Syscall arguments are passed via an array of 64-bit values in struct
b58e57
seccomp_data, but we were only inspecting the bottom 32 bits and not
b58e57
even those correctly for BE systems.
b58e57
b58e57
Fortunately, the only case argument inspection was used was in the
b58e57
socketcall filtering so using this for sandbox escape seems
b58e57
impossible.
b58e57
b58e57
ok dtucker
b58e57
---
b58e57
 sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
b58e57
 1 file changed, 20 insertions(+), 4 deletions(-)
b58e57
b58e57
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
b58e57
index 2e1ed2c..af5525a 100644
b58e57
--- a/sandbox-seccomp-filter.c
b58e57
+++ b/sandbox-seccomp-filter.c
b58e57
@@ -73,6 +73,16 @@
b58e57
 # define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
b58e57
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
b58e57
 
b58e57
+#if __BYTE_ORDER == __LITTLE_ENDIAN
b58e57
+# define ARG_LO_OFFSET  0
b58e57
+# define ARG_HI_OFFSET  sizeof(uint32_t)
b58e57
+#elif __BYTE_ORDER == __BIG_ENDIAN
b58e57
+# define ARG_LO_OFFSET  sizeof(uint32_t)
b58e57
+# define ARG_HI_OFFSET  0
b58e57
+#else
b58e57
+#error "Unknown endianness"
b58e57
+#endif
b58e57
+
b58e57
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
b58e57
 #define SC_DENY(_nr, _errno) \
b58e57
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
b58e57
@@ -81,11 +91,17 @@
b58e57
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
b58e57
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
b58e57
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
b58e57
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
b58e57
-	/* load first syscall argument */ \
b58e57
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
b58e57
+	/* load and test first syscall argument, low word */ \
b58e57
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
b58e57
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
b58e57
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
b58e57
+	    ((_arg_val) & 0xFFFFFFFF), 0, 3), \
b58e57
+	/* load and test first syscall argument, high word */ \
b58e57
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
b58e57
-	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
b58e57
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
b58e57
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
b58e57
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
b58e57
+	    (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
b58e57
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
b58e57
 	/* reload syscall number; all rules expect it in accumulator */ \
b58e57
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
b58e57
b58e57
From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
b58e57
From: Damien Miller <djm@mindrot.org>
b58e57
Date: Wed, 22 Mar 2017 12:43:02 +1100
b58e57
Subject: [PATCH] Missing header on Linux/s390
b58e57
b58e57
Patch from Jakub Jelen
b58e57
---
b58e57
 sandbox-seccomp-filter.c | 3 +++
b58e57
 1 file changed, 3 insertions(+)
b58e57
b58e57
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
b58e57
index a8d472a..2831e9d 100644
b58e57
--- a/sandbox-seccomp-filter.c
b58e57
+++ b/sandbox-seccomp-filter.c
b58e57
@@ -50,6 +50,9 @@
b58e57
 #include <elf.h>
b58e57
 
b58e57
 #include <asm/unistd.h>
b58e57
+#ifdef __s390__
b58e57
+#include <asm/zcrypt.h>
b58e57
+#endif
b58e57
 
b58e57
 #include <errno.h>
b58e57
 #include <signal.h>
b58e57
b58e57
getuid and geteuid are needed when using an openssl engine that calls a
b58e57
crypto card, e.g. ICA (libica).
b58e57
Those syscalls are also needed by the distros for audit code.
b58e57
b58e57
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
b58e57
---
b58e57
 sandbox-seccomp-filter.c | 12 ++++++++++++
b58e57
 1 file changed, 12 insertions(+)
b58e57
b58e57
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
b58e57
index 6e7de31..e86aa2c 100644
b58e57
--- a/sandbox-seccomp-filter.c
b58e57
+++ b/sandbox-seccomp-filter.c
b58e57
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
b58e57
 #ifdef __NR_getpid
b58e57
 	SC_ALLOW(getpid),
b58e57
 #endif
b58e57
+#ifdef __NR_getuid
b58e57
+	SC_ALLOW(getuid),
b58e57
+#endif
b58e57
+#ifdef __NR_getuid32
b58e57
+	SC_ALLOW(getuid32),
b58e57
+#endif
b58e57
+#ifdef __NR_geteuid
b58e57
+	SC_ALLOW(geteuid),
b58e57
+#endif
b58e57
+#ifdef __NR_geteuid32
b58e57
+	SC_ALLOW(geteuid32),
b58e57
+#endif
b58e57
 #ifdef __NR_getrandom
b58e57
 	SC_ALLOW(getrandom),
b58e57
 #endif
b58e57
-- 
b58e57
1.9.1
b58e57
b58e57
The EP11 crypto card needs to make an ioctl call, which receives an
b58e57
specific argument. This crypto card is for s390 only.
b58e57
b58e57
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
b58e57
---
b58e57
 sandbox-seccomp-filter.c | 2 ++
b58e57
 1 file changed, 2 insertions(+)
b58e57
b58e57
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
b58e57
index e86aa2c..98062f1 100644
b58e57
--- a/sandbox-seccomp-filter.c
b58e57
+++ b/sandbox-seccomp-filter.c
b58e57
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
b58e57
 	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
b58e57
 	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
b58e57
 	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
b58e57
+	/* Allow ioctls for EP11 crypto card on s390 */
b58e57
+	SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
b58e57
 #endif /* defined(__NR_ioctl) && defined(__s390__) */
b58e57
 
b58e57
 	/* Default deny */
b58e57
--
b58e57
1.9.1
b58e57
b58e57
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
b58e57
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
b58e57
implementation) which calls the libraries that will communicate with the
b58e57
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
b58e57
this is only need on s390 architecture.
b58e57
b58e57
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
b58e57
---
b58e57
 sandbox-seccomp-filter.c | 6 ++++++
b58e57
 1 file changed, 6 insertions(+)
b58e57
b58e57
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
b58e57
index ca75cc7..6e7de31 100644
b58e57
--- a/sandbox-seccomp-filter.c
b58e57
+++ b/sandbox-seccomp-filter.c
b58e57
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
b58e57
 #ifdef __NR_exit_group
b58e57
 	SC_ALLOW(exit_group),
b58e57
 #endif
b58e57
+#if defined(__NR_flock) && defined(__s390__)
b58e57
+	SC_ALLOW(flock),
b58e57
+#endif
b58e57
 #ifdef __NR_getpgid
b58e57
 	SC_ALLOW(getpgid),
b58e57
 #endif
b58e57
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
b58e57
 #ifdef __NR_gettimeofday
b58e57
 	SC_ALLOW(gettimeofday),
b58e57
 #endif
b58e57
+#if defined(__NR_ipc) && defined(__s390__)
b58e57
+	SC_ALLOW(ipc),
b58e57
+#endif
b58e57
 #ifdef __NR_madvise
b58e57
 	SC_ALLOW(madvise),
b58e57
 #endif
b58e57
--
b58e57
1.9.1