In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 implementation) which calls the libraries that will communicate with the crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, this is only need on s390 architecture. Signed-off-by: Eduardo Barretto --- sandbox-seccomp-filter.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index ca75cc7..6e7de31 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_exit_group SC_ALLOW(__NR_exit_group), #endif +#if defined(__NR_flock) && defined(__s390__) + SC_ALLOW(__NR_flock), +#endif #ifdef __NR_futex SC_ALLOW(__NR_futex), #endif @@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_gettimeofday SC_ALLOW(__NR_gettimeofday), #endif +#if defined(__NR_ipc) && defined(__s390__) + SC_ALLOW(__NR_ipc), +#endif #ifdef __NR_getuid SC_ALLOW(__NR_getuid), #endif -- 1.9.1 getuid and geteuid are needed when using an openssl engine that calls a crypto card, e.g. ICA (libica). Those syscalls are also needed by the distros for audit code. Signed-off-by: Eduardo Barretto --- sandbox-seccomp-filter.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 6e7de31..e86aa2c 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_getpid SC_ALLOW(__NR_getpid), #endif +#ifdef __NR_getuid + SC_ALLOW(__NR_getuid), +#endif +#ifdef __NR_getuid32 + SC_ALLOW(__NR_getuid32), +#endif +#ifdef __NR_geteuid + SC_ALLOW(__NR_geteuid), +#endif +#ifdef __NR_geteuid32 + SC_ALLOW(__NR_geteuid32), +#endif #ifdef __NR_getrandom SC_ALLOW(__NR_getrandom), #endif -- 1.9.1 1.9.1 diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c --- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100 +++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100 @@ -190,6 +190,9 @@ static const struct sock_filter preauth_ #ifdef __NR_geteuid32 SC_ALLOW(__NR_geteuid32), #endif +#ifdef __NR_gettid + SC_ALLOW(__NR_gettid), +#endif #ifdef __NR_getrandom SC_ALLOW(__NR_getrandom), #endif