Blame SOURCES/openssh-7.4p1-sandbox-ibmca.patch

1d31ef
From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
1d31ef
From: Damien Miller <djm@mindrot.org>
1d31ef
Date: Tue, 14 Mar 2017 13:15:18 +1100
1d31ef
Subject: [PATCH] support ioctls for ICA crypto card on Linux/s390
1d31ef
1d31ef
Based on patch from Eduardo Barretto; ok dtucker@
1d31ef
---
1d31ef
 sandbox-seccomp-filter.c | 6 ++++++
1d31ef
 1 file changed, 6 insertions(+)
1d31ef
1d31ef
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
1d31ef
index af5525a..6ceee33 100644
1d31ef
--- a/sandbox-seccomp-filter.c
1d31ef
+++ b/sandbox-seccomp-filter.c
1d31ef
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
1d31ef
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
1d31ef
 	SC_DENY(socketcall, EACCES),
1d31ef
 #endif
1d31ef
+#if defined(__NR_ioctl) && defined(__s390__)
1d31ef
+	/* Allow ioctls for ICA crypto card on s390 */
1d31ef
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
1d31ef
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
1d31ef
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
1d31ef
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
1d31ef
 
1d31ef
 	/* Default deny */
1d31ef
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
1d31ef
1d31ef
From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
1d31ef
From: Damien Miller <djm@mindrot.org>
1d31ef
Date: Tue, 14 Mar 2017 12:24:47 +1100
1d31ef
Subject: [PATCH] Fix weakness in seccomp-bpf sandbox arg inspection
1d31ef
1d31ef
Syscall arguments are passed via an array of 64-bit values in struct
1d31ef
seccomp_data, but we were only inspecting the bottom 32 bits and not
1d31ef
even those correctly for BE systems.
1d31ef
1d31ef
Fortunately, the only case argument inspection was used was in the
1d31ef
socketcall filtering so using this for sandbox escape seems
1d31ef
impossible.
1d31ef
1d31ef
ok dtucker
1d31ef
---
1d31ef
 sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
1d31ef
 1 file changed, 20 insertions(+), 4 deletions(-)
1d31ef
1d31ef
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
1d31ef
index 2e1ed2c..af5525a 100644
1d31ef
--- a/sandbox-seccomp-filter.c
1d31ef
+++ b/sandbox-seccomp-filter.c
1d31ef
@@ -73,6 +73,16 @@
1d31ef
 # define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
1d31ef
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
1d31ef
 
1d31ef
+#if __BYTE_ORDER == __LITTLE_ENDIAN
1d31ef
+# define ARG_LO_OFFSET  0
1d31ef
+# define ARG_HI_OFFSET  sizeof(uint32_t)
1d31ef
+#elif __BYTE_ORDER == __BIG_ENDIAN
1d31ef
+# define ARG_LO_OFFSET  sizeof(uint32_t)
1d31ef
+# define ARG_HI_OFFSET  0
1d31ef
+#else
1d31ef
+#error "Unknown endianness"
1d31ef
+#endif
1d31ef
+
1d31ef
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
1d31ef
 #define SC_DENY(_nr, _errno) \
1d31ef
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
1d31ef
@@ -81,11 +91,17 @@
1d31ef
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
1d31ef
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
1d31ef
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
1d31ef
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
1d31ef
-	/* load first syscall argument */ \
1d31ef
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
1d31ef
+	/* load and test first syscall argument, low word */ \
1d31ef
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
1d31ef
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
1d31ef
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
1d31ef
+	    ((_arg_val) & 0xFFFFFFFF), 0, 3), \
1d31ef
+	/* load and test first syscall argument, high word */ \
1d31ef
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
1d31ef
-	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
1d31ef
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
1d31ef
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
1d31ef
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
1d31ef
+	    (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
1d31ef
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
1d31ef
 	/* reload syscall number; all rules expect it in accumulator */ \
1d31ef
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
1d31ef
1d31ef
From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
1d31ef
From: Damien Miller <djm@mindrot.org>
1d31ef
Date: Wed, 22 Mar 2017 12:43:02 +1100
1d31ef
Subject: [PATCH] Missing header on Linux/s390
1d31ef
1d31ef
Patch from Jakub Jelen
1d31ef
---
1d31ef
 sandbox-seccomp-filter.c | 3 +++
1d31ef
 1 file changed, 3 insertions(+)
1d31ef
1d31ef
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
1d31ef
index a8d472a..2831e9d 100644
1d31ef
--- a/sandbox-seccomp-filter.c
1d31ef
+++ b/sandbox-seccomp-filter.c
1d31ef
@@ -50,6 +50,9 @@
1d31ef
 #include <elf.h>
1d31ef
 
1d31ef
 #include <asm/unistd.h>
1d31ef
+#ifdef __s390__
1d31ef
+#include <asm/zcrypt.h>
1d31ef
+#endif
1d31ef
 
1d31ef
 #include <errno.h>
1d31ef
 #include <signal.h>
1d31ef
1d31ef
getuid and geteuid are needed when using an openssl engine that calls a
1d31ef
crypto card, e.g. ICA (libica).
1d31ef
Those syscalls are also needed by the distros for audit code.
1d31ef
1d31ef
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
1d31ef
---
1d31ef
 sandbox-seccomp-filter.c | 12 ++++++++++++
1d31ef
 1 file changed, 12 insertions(+)
1d31ef
1d31ef
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
1d31ef
index 6e7de31..e86aa2c 100644
1d31ef
--- a/sandbox-seccomp-filter.c
1d31ef
+++ b/sandbox-seccomp-filter.c
1d31ef
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
1d31ef
 #ifdef __NR_getpid
1d31ef
 	SC_ALLOW(getpid),
1d31ef
 #endif
1d31ef
+#ifdef __NR_getuid
1d31ef
+	SC_ALLOW(getuid),
1d31ef
+#endif
1d31ef
+#ifdef __NR_getuid32
1d31ef
+	SC_ALLOW(getuid32),
1d31ef
+#endif
1d31ef
+#ifdef __NR_geteuid
1d31ef
+	SC_ALLOW(geteuid),
1d31ef
+#endif
1d31ef
+#ifdef __NR_geteuid32
1d31ef
+	SC_ALLOW(geteuid32),
1d31ef
+#endif
1d31ef
 #ifdef __NR_getrandom
1d31ef
 	SC_ALLOW(getrandom),
1d31ef
 #endif
1d31ef
-- 
1d31ef
1.9.1
9a9eba
9a9eba
The EP11 crypto card needs to make an ioctl call, which receives an
9a9eba
specific argument. This crypto card is for s390 only.
9a9eba
9a9eba
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
9a9eba
---
9a9eba
 sandbox-seccomp-filter.c | 2 ++
9a9eba
 1 file changed, 2 insertions(+)
9a9eba
9a9eba
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
9a9eba
index e86aa2c..98062f1 100644
9a9eba
--- a/sandbox-seccomp-filter.c
9a9eba
+++ b/sandbox-seccomp-filter.c
9a9eba
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
9a9eba
 	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
9a9eba
 	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
9a9eba
 	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
9a9eba
+	/* Allow ioctls for EP11 crypto card on s390 */
9a9eba
+	SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
9a9eba
 #endif /* defined(__NR_ioctl) && defined(__s390__) */
9a9eba
 
9a9eba
 	/* Default deny */
9a9eba
--
9a9eba
1.9.1
9a9eba
9a9eba
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
9a9eba
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
9a9eba
implementation) which calls the libraries that will communicate with the
9a9eba
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
9a9eba
this is only need on s390 architecture.
9a9eba
9a9eba
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
9a9eba
---
9a9eba
 sandbox-seccomp-filter.c | 6 ++++++
9a9eba
 1 file changed, 6 insertions(+)
9a9eba
9a9eba
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
9a9eba
index ca75cc7..6e7de31 100644
9a9eba
--- a/sandbox-seccomp-filter.c
9a9eba
+++ b/sandbox-seccomp-filter.c
9a9eba
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
9a9eba
 #ifdef __NR_exit_group
9a9eba
 	SC_ALLOW(exit_group),
9a9eba
 #endif
9a9eba
+#if defined(__NR_flock) && defined(__s390__)
9a9eba
+	SC_ALLOW(flock),
9a9eba
+#endif
9a9eba
 #ifdef __NR_getpgid
9a9eba
 	SC_ALLOW(getpgid),
9a9eba
 #endif
9a9eba
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
9a9eba
 #ifdef __NR_gettimeofday
9a9eba
 	SC_ALLOW(gettimeofday),
9a9eba
 #endif
9a9eba
+#if defined(__NR_ipc) && defined(__s390__)
9a9eba
+	SC_ALLOW(ipc),
9a9eba
+#endif
9a9eba
 #ifdef __NR_madvise
9a9eba
 	SC_ALLOW(madvise),
9a9eba
 #endif
9a9eba
--
9a9eba
1.9.1