In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only needed on the s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 6 ++++++
 1 file changed, 6 insertions(+)
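diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(__NR_exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_geteuid
 	SC_ALLOW(__NR_geteuid),
 #endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_gettimeofday
 	SC_ALLOW(__NR_gettimeofday),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_getuid
 	SC_ALLOW(__NR_getuid),
 #endif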
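Review bot: `SC_ALLOW(__NR_ipc)` in the second hunk admits the whole multiplexed System V IPC syscall (shmget/shmat/semop/msgsnd and the rest) into the pre-auth sandbox with no argument filtering, which is a far wider opening than the single flock entry in the first hunk. This file already has an argument-filtering form, `SC_ALLOW_ARG` (used for the ioctl request numbers elsewhere in it), so the entry should be narrowed to the IPC sub-call(s) OpenCryptoki actually issues, e.g. `SC_ALLOW_ARG(__NR_ipc, 0, SHMAT)` for each required call, once those calls are confirmed; which ones it needs is not visible here. The `__s390__` gating is good since it keeps the widening off other architectures, but a short comment naming the consumer, `/* OpenCryptoki (PKCS#11 for s390 crypto cards) needs flock and SysV IPC */`, would help the next person auditing this allow-list. The preauth_insns array starts before and continues after both hunks.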
-- 
1.9.1
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
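diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getpid
 	SC_ALLOW(__NR_getpid),
 #endif
+#ifdef __NR_getuid
+	SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+	SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+	SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+	SC_ALLOW(__NR_geteuid32),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif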
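Review bot: The `__NR_getuid` and `__NR_geteuid` entries added here appear to duplicate rules that the first patch in this file already shows as unchanged context (`#ifdef __NR_geteuid` / `#ifdef __NR_getuid` around its flock and ipc hunks), so after the series is applied preauth_insns would carry two SC_ALLOW rules for each. BPF returns on the first matching rule, so this is harmless at run time, but it bloats the filter and makes the allow-list misleading to audit. If the base tree already allows them, this patch should be dropped or trimmed to the `__NR_getuid32`/`__NR_geteuid32` entries, which the visible context does not show; whether those are truly missing can only be told from the full file, so check against the tree the series is applied to. The array starts and ends outside the hunk.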
-- 1.9.1
The EP11 crypto card needs to make an ioctl call, which receives a
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 2 ++
 1 file changed, 2 insertions(+)
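diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e86aa2c..98062f1 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+	/* Allow ioctls for EP11 crypto card on s390 */
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
 #endif
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
 	/*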
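Review bot: `ZSENDEP11CPRB` is used bare on the new line, and the EP11 request is newer than the `ICARSAMODEXPO`/`ICARSACRT` requests next to it, so on kernel headers that predate EP11 support the build of sshd fails instead of merely omitting the rule; the enclosing `#if` (closed by the `#endif` just below the new line, opened before this hunk) presumably only checks that the zcrypt header exists, which does not guarantee this newer macro is defined. Wrapping it, `#ifdef ZSENDEP11CPRB` / `SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),` / `#endif`, keeps the build portable; which header and kernel version introduced the macro is not visible here, so confirm against the target headers. Like its neighbours the rule filters only on the request number (argument 1), so it applies to any fd the pre-auth process holds; that matches the existing entries but is worth saying in the added comment.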
-- 
1.9.1
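diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_geteuid32
 	SC_ALLOW(__NR_geteuid32),
 #endif
+#ifdef __NR_gettid
+	SC_ALLOW(__NR_gettid),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif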
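Review bot: The new `__NR_gettid` entry carries no comment and this patch has no description, so nothing records which library in the pre-auth path needs it, whereas the other distro additions in this file at least name their consumer in the commit text. A one-line comment above the guard, `/* gettid(): required by <consumer> -- name the library that calls it */`, with the actual consumer filled in, would let a future audit decide whether the entry can be dropped. gettid is a read-only informational call, so the widening itself is small, and unlike the s390 entries it is not gated to an architecture, which seems right only if the consumer is a generic library. preauth_insns starts before and continues after the hunk.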