
From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 13:15:18 +1100
Subject: [PATCH] support ioctls for ICA crypto card on Linux/s390
Based on patch from Eduardo Barretto; ok dtucker@
---
 sandbox-seccomp-filter.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index af5525a..6ceee33 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
 	SC_DENY(socketcall, EACCES),
 #endif
+#if defined(__NR_ioctl) && defined(__s390__)
+	/* Allow ioctls for ICA crypto card on s390 */
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
 
 	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
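Review bot: The three `SC_ALLOW_ARG(ioctl, 1, …)` rules only do what the comment says on s390 if SC_ALLOW_ARG compares the full 64-bit argument with big-endian word offsets; the `index af5525a..6ceee33` line shows this commit sits on top of the arg-inspection fix (`2e1ed2c..af5525a`) upstream, but in this series file the fix is listed second, so confirm the series still applies and builds in the listed order. Z90STAT_STATUS_MASK, ICARSAMODEXPO and ICARSACRT are not declared by anything visible in this hunk; the later "Missing header on Linux/s390" patch supplies `<asm/zcrypt.h>`, so this patch on its own would presumably not compile. Only the request number (arg 1) is matched, not the descriptor, which appears to be the intended granularity for this filter; a short comment stating that would save the next reader from wondering. The preauth_insns array that holds these rules starts and ends outside the hunk.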
From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Tue, 14 Mar 2017 12:24:47 +1100
Subject: [PATCH] Fix weakness in seccomp-bpf sandbox arg inspection
Syscall arguments are passed via an array of 64-bit values in struct
seccomp_data, but we were only inspecting the bottom 32 bits and not
even those correctly for BE systems.
Fortunately, the only case argument inspection was used was in the
socketcall filtering so using this for sandbox escape seems
impossible.
ok dtucker
---
 sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c..af5525a 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -73,6 +73,16 @@
 # define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
 
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+# define ARG_LO_OFFSET  0
+# define ARG_HI_OFFSET  sizeof(uint32_t)
+#elif __BYTE_ORDER == __BIG_ENDIAN
+# define ARG_LO_OFFSET  sizeof(uint32_t)
+# define ARG_HI_OFFSET  0
+#else
+#error "Unknown endianness"
+#endif
+
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
 #define SC_DENY(_nr, _errno) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
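Review bot: `#if __BYTE_ORDER == __LITTLE_ENDIAN` silently selects the little-endian offsets when `__BYTE_ORDER` and `__LITTLE_ENDIAN` are both undefined, because the preprocessor evaluates each undefined name to 0, so the `#error` branch can never fire on a build where `<endian.h>` was not pulled in; nothing in this hunk includes it. Adding `#include <endian.h>` above the block, or a guard such as `#if !defined(__BYTE_ORDER) || !defined(__LITTLE_ENDIAN) || !defined(__BIG_ENDIAN)` with its own `#error`, turns that case into a loud build failure instead of a wrong-word compare on big-endian s390, which is exactly the class of weakness this commit is fixing. The SC_DENY macro whose first lines close the hunk continues outside it.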
@@ -81,11 +91,17 @@
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
-	/* load first syscall argument */ \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
+	/* load and test first syscall argument, low word */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
+	    ((_arg_val) & 0xFFFFFFFF), 0, 3), \
+	/* load and test first syscall argument, high word */ \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
-	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
+	    offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
+	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
+	    (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
 	/* reload syscall number; all rules expect it in accumulator */ \
 	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
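Review bot: Both new comments say "first syscall argument" although the loads index `args[(_arg_nr)]` and the ICA ioctl rules elsewhere in this series pass `_arg_nr` = 1; suggest `/* load and test syscall argument _arg_nr, low word */` and the matching high-word wording. The jump offsets read correctly: the syscall-number JEQ's false branch of 6 skips the five new instructions plus the reload, the low-word JEQ's 3 lands on the reload, and the high-word JEQ's 1 skips only the allow return. The high-word expression `(uint32_t)((uint64_t)(_arg_val) >> 32)` sign-extends a negative `int` constant, which is presumably meant to agree with how the caller's constant is widened into the 64-bit register the kernel records; a one-line comment recording that assumption would help whoever next adds a rule with a constant whose top bit is set. The SC_ALLOW_ARG macro continues past the end of the hunk; the reload's offsetof line is not shown.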
From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Wed, 22 Mar 2017 12:43:02 +1100
Subject: [PATCH] Missing header on Linux/s390
Patch from Jakub Jelen
---
 sandbox-seccomp-filter.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index a8d472a..2831e9d 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -50,6 +50,9 @@
 #include <elf.h>
 
 #include <asm/unistd.h>
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
 
 #include <errno.h>
 #include <signal.h>
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
---
 sandbox-seccomp-filter.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getpid
 	SC_ALLOW(getpid),
 #endif
+#ifdef __NR_getuid
+	SC_ALLOW(getuid),
+#endif
+#ifdef __NR_getuid32
+	SC_ALLOW(getuid32),
+#endif
+#ifdef __NR_geteuid
+	SC_ALLOW(geteuid),
+#endif
+#ifdef __NR_geteuid32
+	SC_ALLOW(geteuid32),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(getrandom),
 #endif
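Review bot: Unlike the flock and ipc rules in the same series, these four getuid/geteuid allowances are not gated on `__s390__`, although the commit message motivates them only by the s390 ICA engine and distro audit code; if s390-only is the intent, `#if defined(__NR_getuid) && defined(__s390__)` and its three siblings keep the preauth filter unchanged on every other architecture. If the audit rationale is meant to apply everywhere, a comment above the block such as `/* getuid/geteuid: needed by libica and distro audit hooks */` would record why an arch-neutral allow was chosen. The preauth_insns array starts and ends outside the hunk.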
-- 
1.9.1
The EP11 crypto card needs to make an ioctl call, which receives a
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e86aa2c..98062f1 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
 	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
 	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+	/* Allow ioctls for EP11 crypto card on s390 */
+	SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
 #endif /* defined(__NR_ioctl) && defined(__s390__) */
 
 	/* Default deny */
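Review bot: `SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB)` uses the constant unconditionally, so the s390 build fails against a `<asm/zcrypt.h>` that predates EP11 support; wrapping the two new lines in `#ifdef ZSENDEP11CPRB` / `#endif` degrades to "EP11 not allowed" on older headers instead of breaking the build. The new comment mirrors the ICA one above it, which is good; extending it to say that the rule matches the request number only, not the descriptor, would make the intended granularity explicit. The enclosing `#if defined(__NR_ioctl) && defined(__s390__)` block starts outside the hunk and the preauth_insns array continues past it.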
--
1.9.1
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only needed on the s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(flock),
+#endif
 #ifdef __NR_getpgid
 	SC_ALLOW(getpgid),
 #endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_gettimeofday
 	SC_ALLOW(gettimeofday),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(ipc),
+#endif
 #ifdef __NR_madvise
 	SC_ALLOW(madvise),
 #endif
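Review bot: `SC_ALLOW(ipc)` admits the whole multiplexed System V IPC syscall on s390 without inspecting the sub-call, whereas this same file filters socketcall per sub-operation with `SC_ALLOW_ARG(socketcall, 0, …)` followed by `SC_DENY(socketcall, EACCES)`; if OpenCryptoki only needs a few IPC operations, listing them as `SC_ALLOW_ARG(ipc, 0, <IPC call constant>)` with a trailing `SC_DENY(ipc, EACCES)` keeps the preauth sandbox as narrow as the socketcall rules. I cannot tell from the hunk which IPC operations the engine actually issues, so that list needs confirming against OpenCryptoki before tightening. The flock rule in the previous hunk of this patch carries the same `__s390__` gate and raises no concern. The preauth_insns array starts and ends outside this hunk.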
--
1.9.1