vishalmishra434 / rpms / openssh

Forked from rpms/openssh 3 months ago
Clone
Jakub Jelen 8bcc21
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
Jakub Jelen 8bcc21
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
Jakub Jelen 8bcc21
implementation) which calls the libraries that will communicate with the
Jakub Jelen 8bcc21
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
Jakub Jelen 8bcc21
this is only need on s390 architecture.
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
Jakub Jelen 8bcc21
---
Jakub Jelen 8bcc21
 sandbox-seccomp-filter.c | 6 ++++++
Jakub Jelen 8bcc21
 1 file changed, 6 insertions(+)
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
index ca75cc7..6e7de31 100644
Jakub Jelen 8bcc21
--- a/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
+++ b/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
Jakub Jelen 8bcc21
 #ifdef __NR_exit_group
Jakub Jelen 8bcc21
 	SC_ALLOW(__NR_exit_group),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
+#if defined(__NR_flock) && defined(__s390__)
Jakub Jelen 8bcc21
+	SC_ALLOW(__NR_flock),
Jakub Jelen 8bcc21
+#endif
Jakub Jelen eaa7af
 #ifdef __NR_futex
Jakub Jelen eaa7af
 	SC_ALLOW(__NR_futex),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
Jakub Jelen 8bcc21
 #ifdef __NR_gettimeofday
Jakub Jelen 8bcc21
 	SC_ALLOW(__NR_gettimeofday),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
+#if defined(__NR_ipc) && defined(__s390__)
Jakub Jelen 8bcc21
+	SC_ALLOW(__NR_ipc),
Jakub Jelen 8bcc21
+#endif
Jakub Jelen bbf61d
 #ifdef __NR_getuid
Jakub Jelen bbf61d
 	SC_ALLOW(__NR_getuid),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
-- 
Jakub Jelen 8bcc21
1.9.1
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
getuid and geteuid are needed when using an openssl engine that calls a
Jakub Jelen 8bcc21
crypto card, e.g. ICA (libica).
Jakub Jelen 8bcc21
Those syscalls are also needed by the distros for audit code.
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
Jakub Jelen 8bcc21
---
Jakub Jelen 8bcc21
 sandbox-seccomp-filter.c | 12 ++++++++++++
Jakub Jelen 8bcc21
 1 file changed, 12 insertions(+)
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
index 6e7de31..e86aa2c 100644
Jakub Jelen 8bcc21
--- a/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
+++ b/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
Jakub Jelen 8bcc21
 #ifdef __NR_getpid
Jakub Jelen 8bcc21
 	SC_ALLOW(__NR_getpid),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
+#ifdef __NR_getuid
Jakub Jelen 8bcc21
+	SC_ALLOW(__NR_getuid),
Jakub Jelen 8bcc21
+#endif
Jakub Jelen 8bcc21
+#ifdef __NR_getuid32
Jakub Jelen 8bcc21
+	SC_ALLOW(__NR_getuid32),
Jakub Jelen 8bcc21
+#endif
Jakub Jelen 8bcc21
+#ifdef __NR_geteuid
Jakub Jelen 8bcc21
+	SC_ALLOW(__NR_geteuid),
Jakub Jelen 8bcc21
+#endif
Jakub Jelen 8bcc21
+#ifdef __NR_geteuid32
Jakub Jelen 8bcc21
+	SC_ALLOW(__NR_geteuid32),
Jakub Jelen 8bcc21
+#endif
Jakub Jelen 8bcc21
 #ifdef __NR_getrandom
Jakub Jelen 8bcc21
 	SC_ALLOW(__NR_getrandom),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
-- 1.9.1
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
The EP11 crypto card needs to make an ioctl call, which receives an
Jakub Jelen 8bcc21
specific argument. This crypto card is for s390 only.
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
Jakub Jelen 8bcc21
---
Jakub Jelen 8bcc21
 sandbox-seccomp-filter.c | 2 ++
Jakub Jelen 8bcc21
 1 file changed, 2 insertions(+)
Jakub Jelen 8bcc21
Jakub Jelen 8bcc21
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
index e86aa2c..98062f1 100644
Jakub Jelen 8bcc21
--- a/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
+++ b/sandbox-seccomp-filter.c
Jakub Jelen 8bcc21
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
Jakub Jelen 8bcc21
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
Jakub Jelen 8bcc21
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
Jakub Jelen 8bcc21
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
Jakub Jelen 8bcc21
+	/* Allow ioctls for EP11 crypto card on s390 */
Jakub Jelen 8bcc21
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
Jakub Jelen 8bcc21
 #endif
Jakub Jelen 8bcc21
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
Jakub Jelen 8bcc21
 	/*
Jakub Jelen 8bcc21
-- 
Jakub Jelen 8bcc21
1.9.1
Jakub Jelen 17cd51
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
Jakub Jelen 17cd51
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
Jakub Jelen 17cd51
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
Jakub Jelen 17cd51
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
Jakub Jelen 17cd51
 #ifdef __NR_geteuid32
Jakub Jelen 17cd51
 	SC_ALLOW(__NR_geteuid32),
Jakub Jelen 17cd51
 #endif
Jakub Jelen 17cd51
+#ifdef __NR_gettid
Jakub Jelen 17cd51
+	SC_ALLOW(__NR_gettid),
Jakub Jelen 17cd51
+#endif
Jakub Jelen 17cd51
 #ifdef __NR_getrandom
Jakub Jelen 17cd51
 	SC_ALLOW(__NR_getrandom),
Jakub Jelen 17cd51
 #endif
Jakub Jelen f15fbd
Jakub Jelen f15fbd
Jakub Jelen f15fbd
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
Jakub Jelen f15fbd
From: Harald Freudenberger <freude@linux.ibm.com>
Jakub Jelen f15fbd
Date: Fri, 24 May 2019 10:11:15 +0200
Jakub Jelen f15fbd
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
Jakub Jelen f15fbd
Jakub Jelen f15fbd
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
Jakub Jelen f15fbd
to the sandbox seccomp filter rules.
Jakub Jelen f15fbd
Jakub Jelen f15fbd
Now the ibmca openssl engine provides elliptic curve cryptography support with the
Jakub Jelen f15fbd
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
Jakub Jelen f15fbd
device driver and so there is a need to enable this on the openssl sandbox.
Jakub Jelen f15fbd
Jakub Jelen f15fbd
Code is s390 specific and has been tested, verified and reviewed.
Jakub Jelen f15fbd
Jakub Jelen f15fbd
Please note that I am also the originator of the previous changes in that area.
Jakub Jelen f15fbd
I posted these changes to Eduardo and he forwarded the patches to the openssl
Jakub Jelen f15fbd
community.
Jakub Jelen f15fbd
Jakub Jelen f15fbd
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Jakub Jelen f15fbd
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
Jakub Jelen f15fbd
---
Jakub Jelen f15fbd
 sandbox-seccomp-filter.c | 1 +
Jakub Jelen f15fbd
 1 file changed, 1 insertion(+)
Jakub Jelen f15fbd
Jakub Jelen f15fbd
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
Jakub Jelen f15fbd
index 5edbc6946..56eb9317f 100644
Jakub Jelen f15fbd
--- a/sandbox-seccomp-filter.c
Jakub Jelen f15fbd
+++ b/sandbox-seccomp-filter.c
Jakub Jelen f15fbd
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
Jakub Jelen f15fbd
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
Jakub Jelen f15fbd
 	/* Allow ioctls for EP11 crypto card on s390 */
Jakub Jelen f15fbd
 	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
Jakub Jelen f15fbd
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
Jakub Jelen f15fbd
 #endif
Jakub Jelen f15fbd
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
Jakub Jelen f15fbd
 	/*