From 9864973c693002aa16369913746492251d8f06f3 Mon Sep 17 00:00:00 2001 From: Jakub Jelen Date: Jul 18 2016 10:26:15 +0000 Subject: Make closefrom() ignore softlinks to the /dev/ devices on s390 --- diff --git a/openssh-7.2p2-s390-closefrom.patch b/openssh-7.2p2-s390-closefrom.patch new file mode 100644 index 0000000..301a523 --- /dev/null +++ b/openssh-7.2p2-s390-closefrom.patch @@ -0,0 +1,52 @@ +Zseries only: Leave the hardware filedescriptors open. + +All filedescriptors above 2 are getting closed when a new +sshd process to handle a new client connection is +spawned. As the process also chroot into an empty filesystem +without any device nodes, there is no chance to reopen the +files. This patch filters out the reqired fds in the +closefrom function so these are skipped in the close loop. + +Author: Harald Freudenberger + +--- + openbsd-compat/bsd-closefrom.c | 26 ++++++++++++++++++++++++++ + 1 file changed, 26 insertions(+) + +--- a/openbsd-compat/bsd-closefrom.c ++++ b/openbsd-compat/bsd-closefrom.c +@@ -82,7 +82,33 @@ closefrom(int lowfd) + fd = strtol(dent->d_name, &endp, 10); + if (dent->d_name != endp && *endp == '\0' && + fd >= 0 && fd < INT_MAX && fd >= lowfd && fd != dirfd(dirp)) ++#ifdef __s390__ ++ { ++ /* ++ * the filedescriptors used to communicate with ++ * the device drivers to provide hardware support ++ * should survive. HF ++ */ ++ char fpath[PATH_MAX], lpath[PATH_MAX]; ++ len = snprintf(fpath, sizeof(fpath), "%s/%s", ++ fdpath, dent->d_name); ++ if (len > 0 && (size_t)len <= sizeof(fpath)) { ++ len = readlink(fpath, lpath, sizeof(lpath)); ++ if (len > 0) { ++ lpath[len] = 0; ++ if (strstr(lpath, "dev/z90crypt") ++ || strstr(lpath, "dev/zcrypt") ++ || strstr(lpath, "dev/prandom") ++ || strstr(lpath, "dev/shm/icastats")) ++ fd = -1; ++ } ++ } ++ if (fd >= 0) ++ (void) close((int) fd); ++ } ++#else + (void) close((int) fd); ++#endif + } + (void) closedir(dirp); + } else + diff --git a/openssh.spec b/openssh.spec index 4394efc..3e6ed54 100644 --- a/openssh.spec +++ b/openssh.spec @@ -236,6 +236,8 @@ Patch936: openssh-7.1p1-iutf8.patch Patch937: openssh-7.2p2-CVE-2015-8325.patch # Regression in certificate based authentication (#1333498) Patch938: openssh-7.2p2-certificats-regress.patch +# make s390 use /dev/ crypto devices -- ignore closefrom +Patch939: openssh-7.2p2-s390-closefrom.patch License: BSD @@ -473,6 +475,7 @@ popd %patch936 -p1 -b .iutf8 %patch937 -p1 -b .pam_uselogin_cve %patch938 -p1 -b .certificates +%patch939 -p1 -b .s390-dev %patch200 -p1 -b .audit %patch201 -p1 -b .audit-race