rcolebaugh / rpms / openssh

Forked from rpms/openssh 2 years ago
Clone
3e8b5b
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
3e8b5b
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
3e8b5b
implementation) which calls the libraries that will communicate with the
3e8b5b
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
3e8b5b
this is only need on s390 architecture.
3e8b5b
3e8b5b
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
3e8b5b
---
3e8b5b
 sandbox-seccomp-filter.c | 6 ++++++
3e8b5b
 1 file changed, 6 insertions(+)
3e8b5b
3e8b5b
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
3e8b5b
index ca75cc7..6e7de31 100644
3e8b5b
--- a/sandbox-seccomp-filter.c
3e8b5b
+++ b/sandbox-seccomp-filter.c
3e8b5b
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
3e8b5b
 #ifdef __NR_exit_group
3e8b5b
 	SC_ALLOW(__NR_exit_group),
3e8b5b
 #endif
3e8b5b
+#if defined(__NR_flock) && defined(__s390__)
3e8b5b
+	SC_ALLOW(__NR_flock),
3e8b5b
+#endif
3e8b5b
 #ifdef __NR_futex
3e8b5b
 	SC_ALLOW(__NR_futex),
3e8b5b
 #endif
3e8b5b
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
3e8b5b
 #ifdef __NR_gettimeofday
3e8b5b
 	SC_ALLOW(__NR_gettimeofday),
3e8b5b
 #endif
3e8b5b
+#if defined(__NR_ipc) && defined(__s390__)
3e8b5b
+	SC_ALLOW(__NR_ipc),
3e8b5b
+#endif
3e8b5b
 #ifdef __NR_getuid
3e8b5b
 	SC_ALLOW(__NR_getuid),
3e8b5b
 #endif
3e8b5b
-- 
3e8b5b
1.9.1
3e8b5b
3e8b5b
getuid and geteuid are needed when using an openssl engine that calls a
3e8b5b
crypto card, e.g. ICA (libica).
3e8b5b
Those syscalls are also needed by the distros for audit code.
3e8b5b
3e8b5b
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
3e8b5b
---
3e8b5b
 sandbox-seccomp-filter.c | 12 ++++++++++++
3e8b5b
 1 file changed, 12 insertions(+)
3e8b5b
3e8b5b
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
3e8b5b
index 6e7de31..e86aa2c 100644
3e8b5b
--- a/sandbox-seccomp-filter.c
3e8b5b
+++ b/sandbox-seccomp-filter.c
3e8b5b
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
3e8b5b
 #ifdef __NR_getpid
3e8b5b
 	SC_ALLOW(__NR_getpid),
3e8b5b
 #endif
3e8b5b
+#ifdef __NR_getuid
3e8b5b
+	SC_ALLOW(__NR_getuid),
3e8b5b
+#endif
3e8b5b
+#ifdef __NR_getuid32
3e8b5b
+	SC_ALLOW(__NR_getuid32),
3e8b5b
+#endif
3e8b5b
+#ifdef __NR_geteuid
3e8b5b
+	SC_ALLOW(__NR_geteuid),
3e8b5b
+#endif
3e8b5b
+#ifdef __NR_geteuid32
3e8b5b
+	SC_ALLOW(__NR_geteuid32),
3e8b5b
+#endif
3e8b5b
 #ifdef __NR_getrandom
3e8b5b
 	SC_ALLOW(__NR_getrandom),
3e8b5b
 #endif
3e8b5b
-- 1.9.1
3e8b5b
3e8b5b
The EP11 crypto card needs to make an ioctl call, which receives an
3e8b5b
specific argument. This crypto card is for s390 only.
3e8b5b
3e8b5b
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
3e8b5b
---
3e8b5b
 sandbox-seccomp-filter.c | 2 ++
3e8b5b
 1 file changed, 2 insertions(+)
3e8b5b
3e8b5b
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
3e8b5b
index e86aa2c..98062f1 100644
3e8b5b
--- a/sandbox-seccomp-filter.c
3e8b5b
+++ b/sandbox-seccomp-filter.c
3e8b5b
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
3e8b5b
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
3e8b5b
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
3e8b5b
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
3e8b5b
+	/* Allow ioctls for EP11 crypto card on s390 */
3e8b5b
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
3e8b5b
 #endif
3e8b5b
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
3e8b5b
 	/*
3e8b5b
-- 
3e8b5b
1.9.1
3e8b5b
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
3e8b5b
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
3e8b5b
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
3e8b5b
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
3e8b5b
 #ifdef __NR_geteuid32
3e8b5b
 	SC_ALLOW(__NR_geteuid32),
3e8b5b
 #endif
3e8b5b
+#ifdef __NR_gettid
3e8b5b
+	SC_ALLOW(__NR_gettid),
3e8b5b
+#endif
3e8b5b
 #ifdef __NR_getrandom
3e8b5b
 	SC_ALLOW(__NR_getrandom),
3e8b5b
 #endif
3e8b5b
3e8b5b
3e8b5b
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
3e8b5b
From: Harald Freudenberger <freude@linux.ibm.com>
3e8b5b
Date: Fri, 24 May 2019 10:11:15 +0200
3e8b5b
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
3e8b5b
3e8b5b
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
3e8b5b
to the sandbox seccomp filter rules.
3e8b5b
3e8b5b
Now the ibmca openssl engine provides elliptic curve cryptography support with the
3e8b5b
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
3e8b5b
device driver and so there is a need to enable this on the openssl sandbox.
3e8b5b
3e8b5b
Code is s390 specific and has been tested, verified and reviewed.
3e8b5b
3e8b5b
Please note that I am also the originator of the previous changes in that area.
3e8b5b
I posted these changes to Eduardo and he forwarded the patches to the openssl
3e8b5b
community.
3e8b5b
3e8b5b
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
3e8b5b
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
3e8b5b
---
3e8b5b
 sandbox-seccomp-filter.c | 1 +
3e8b5b
 1 file changed, 1 insertion(+)
3e8b5b
3e8b5b
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
3e8b5b
index 5edbc6946..56eb9317f 100644
3e8b5b
--- a/sandbox-seccomp-filter.c
3e8b5b
+++ b/sandbox-seccomp-filter.c
3e8b5b
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
3e8b5b
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
3e8b5b
 	/* Allow ioctls for EP11 crypto card on s390 */
3e8b5b
 	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
3e8b5b
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
3e8b5b
 #endif
3e8b5b
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
3e8b5b
 	/*