|
|
1d31ef |
From 5f1596e11d55539678c41f68aed358628d33d86f Mon Sep 17 00:00:00 2001
|
|
|
1d31ef |
From: Damien Miller <djm@mindrot.org>
|
|
|
1d31ef |
Date: Tue, 14 Mar 2017 13:15:18 +1100
|
|
|
1d31ef |
Subject: [PATCH] support ioctls for ICA crypto card on Linux/s390
|
|
|
1d31ef |
|
|
|
1d31ef |
Based on patch from Eduardo Barretto; ok dtucker@
|
|
|
1d31ef |
---
|
|
|
1d31ef |
sandbox-seccomp-filter.c | 6 ++++++
|
|
|
1d31ef |
1 file changed, 6 insertions(+)
|
|
|
1d31ef |
|
|
|
1d31ef |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
index af5525a..6ceee33 100644
|
|
|
1d31ef |
--- a/sandbox-seccomp-filter.c
|
|
|
1d31ef |
+++ b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
1d31ef |
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
|
|
|
1d31ef |
SC_DENY(socketcall, EACCES),
|
|
|
1d31ef |
#endif
|
|
|
1d31ef |
+#if defined(__NR_ioctl) && defined(__s390__)
|
|
|
1d31ef |
+ /* Allow ioctls for ICA crypto card on s390 */
|
|
|
1d31ef |
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
|
|
1d31ef |
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
|
|
1d31ef |
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
|
|
1d31ef |
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
|
|
|
1d31ef |
|
|
|
1d31ef |
/* Default deny */
|
|
|
1d31ef |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
|
|
|
1d31ef |
|
|
|
1d31ef |
From 9e96b41682aed793fadbea5ccd472f862179fb02 Mon Sep 17 00:00:00 2001
|
|
|
1d31ef |
From: Damien Miller <djm@mindrot.org>
|
|
|
1d31ef |
Date: Tue, 14 Mar 2017 12:24:47 +1100
|
|
|
1d31ef |
Subject: [PATCH] Fix weakness in seccomp-bpf sandbox arg inspection
|
|
|
1d31ef |
|
|
|
1d31ef |
Syscall arguments are passed via an array of 64-bit values in struct
|
|
|
1d31ef |
seccomp_data, but we were only inspecting the bottom 32 bits and not
|
|
|
1d31ef |
even those correctly for BE systems.
|
|
|
1d31ef |
|
|
|
1d31ef |
Fortunately, the only case argument inspection was used was in the
|
|
|
1d31ef |
socketcall filtering so using this for sandbox escape seems
|
|
|
1d31ef |
impossible.
|
|
|
1d31ef |
|
|
|
1d31ef |
ok dtucker
|
|
|
1d31ef |
---
|
|
|
1d31ef |
sandbox-seccomp-filter.c | 24 ++++++++++++++++++++----
|
|
|
1d31ef |
1 file changed, 20 insertions(+), 4 deletions(-)
|
|
|
1d31ef |
|
|
|
1d31ef |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
index 2e1ed2c..af5525a 100644
|
|
|
1d31ef |
--- a/sandbox-seccomp-filter.c
|
|
|
1d31ef |
+++ b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
@@ -73,6 +73,16 @@
|
|
|
1d31ef |
# define SECCOMP_FILTER_FAIL SECCOMP_RET_TRAP
|
|
|
1d31ef |
#endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
|
|
|
1d31ef |
|
|
|
1d31ef |
+#if __BYTE_ORDER == __LITTLE_ENDIAN
|
|
|
1d31ef |
+# define ARG_LO_OFFSET 0
|
|
|
1d31ef |
+# define ARG_HI_OFFSET sizeof(uint32_t)
|
|
|
1d31ef |
+#elif __BYTE_ORDER == __BIG_ENDIAN
|
|
|
1d31ef |
+# define ARG_LO_OFFSET sizeof(uint32_t)
|
|
|
1d31ef |
+# define ARG_HI_OFFSET 0
|
|
|
1d31ef |
+#else
|
|
|
1d31ef |
+#error "Unknown endianness"
|
|
|
1d31ef |
+#endif
|
|
|
1d31ef |
+
|
|
|
1d31ef |
/* Simple helpers to avoid manual errors (but larger BPF programs). */
|
|
|
1d31ef |
#define SC_DENY(_nr, _errno) \
|
|
|
1d31ef |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
|
|
1d31ef |
@@ -81,11 +91,17 @@
|
|
|
1d31ef |
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
|
|
|
1d31ef |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
|
|
|
1d31ef |
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
|
|
|
1d31ef |
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
|
|
|
1d31ef |
- /* load first syscall argument */ \
|
|
|
1d31ef |
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
|
|
|
1d31ef |
+ /* load and test first syscall argument, low word */ \
|
|
|
1d31ef |
+ BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
|
|
1d31ef |
+ offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_LO_OFFSET), \
|
|
|
1d31ef |
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
|
|
|
1d31ef |
+ ((_arg_val) & 0xFFFFFFFF), 0, 3), \
|
|
|
1d31ef |
+ /* load and test first syscall argument, high word */ \
|
|
|
1d31ef |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
|
|
1d31ef |
- offsetof(struct seccomp_data, args[(_arg_nr)])), \
|
|
|
1d31ef |
- BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
|
|
|
1d31ef |
+ offsetof(struct seccomp_data, args[(_arg_nr)]) + ARG_HI_OFFSET), \
|
|
|
1d31ef |
+ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
|
|
|
1d31ef |
+ (((uint32_t)((uint64_t)(_arg_val) >> 32)) & 0xFFFFFFFF), 0, 1), \
|
|
|
1d31ef |
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
|
|
|
1d31ef |
/* reload syscall number; all rules expect it in accumulator */ \
|
|
|
1d31ef |
BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
|
|
|
1d31ef |
|
|
|
1d31ef |
From 58b8cfa2a062b72139d7229ae8de567f55776f24 Mon Sep 17 00:00:00 2001
|
|
|
1d31ef |
From: Damien Miller <djm@mindrot.org>
|
|
|
1d31ef |
Date: Wed, 22 Mar 2017 12:43:02 +1100
|
|
|
1d31ef |
Subject: [PATCH] Missing header on Linux/s390
|
|
|
1d31ef |
|
|
|
1d31ef |
Patch from Jakub Jelen
|
|
|
1d31ef |
---
|
|
|
1d31ef |
sandbox-seccomp-filter.c | 3 +++
|
|
|
1d31ef |
1 file changed, 3 insertions(+)
|
|
|
1d31ef |
|
|
|
1d31ef |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
index a8d472a..2831e9d 100644
|
|
|
1d31ef |
--- a/sandbox-seccomp-filter.c
|
|
|
1d31ef |
+++ b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
@@ -50,6 +50,9 @@
|
|
|
1d31ef |
#include <elf.h>
|
|
|
1d31ef |
|
|
|
1d31ef |
#include <asm/unistd.h>
|
|
|
1d31ef |
+#ifdef __s390__
|
|
|
1d31ef |
+#include <asm/zcrypt.h>
|
|
|
1d31ef |
+#endif
|
|
|
1d31ef |
|
|
|
1d31ef |
#include <errno.h>
|
|
|
1d31ef |
#include <signal.h>
|
|
|
1d31ef |
|
|
|
1d31ef |
getuid and geteuid are needed when using an openssl engine that calls a
|
|
|
1d31ef |
crypto card, e.g. ICA (libica).
|
|
|
1d31ef |
Those syscalls are also needed by the distros for audit code.
|
|
|
1d31ef |
|
|
|
1d31ef |
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
|
|
|
1d31ef |
---
|
|
|
1d31ef |
sandbox-seccomp-filter.c | 12 ++++++++++++
|
|
|
1d31ef |
1 file changed, 12 insertions(+)
|
|
|
1d31ef |
|
|
|
1d31ef |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
index 6e7de31..e86aa2c 100644
|
|
|
1d31ef |
--- a/sandbox-seccomp-filter.c
|
|
|
1d31ef |
+++ b/sandbox-seccomp-filter.c
|
|
|
1d31ef |
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
1d31ef |
#ifdef __NR_getpid
|
|
|
1d31ef |
SC_ALLOW(getpid),
|
|
|
1d31ef |
#endif
|
|
|
1d31ef |
+#ifdef __NR_getuid
|
|
|
1d31ef |
+ SC_ALLOW(getuid),
|
|
|
1d31ef |
+#endif
|
|
|
1d31ef |
+#ifdef __NR_getuid32
|
|
|
1d31ef |
+ SC_ALLOW(getuid32),
|
|
|
1d31ef |
+#endif
|
|
|
1d31ef |
+#ifdef __NR_geteuid
|
|
|
1d31ef |
+ SC_ALLOW(geteuid),
|
|
|
1d31ef |
+#endif
|
|
|
1d31ef |
+#ifdef __NR_geteuid32
|
|
|
1d31ef |
+ SC_ALLOW(geteuid32),
|
|
|
1d31ef |
+#endif
|
|
|
1d31ef |
#ifdef __NR_getrandom
|
|
|
1d31ef |
SC_ALLOW(getrandom),
|
|
|
1d31ef |
#endif
|
|
|
1d31ef |
--
|
|
|
1d31ef |
1.9.1
|
|
|
9a9eba |
|
|
|
9a9eba |
The EP11 crypto card needs to make an ioctl call, which receives an
|
|
|
9a9eba |
specific argument. This crypto card is for s390 only.
|
|
|
9a9eba |
|
|
|
9a9eba |
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
|
9a9eba |
---
|
|
|
9a9eba |
sandbox-seccomp-filter.c | 2 ++
|
|
|
9a9eba |
1 file changed, 2 insertions(+)
|
|
|
9a9eba |
|
|
|
9a9eba |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
9a9eba |
index e86aa2c..98062f1 100644
|
|
|
9a9eba |
--- a/sandbox-seccomp-filter.c
|
|
|
9a9eba |
+++ b/sandbox-seccomp-filter.c
|
|
|
9a9eba |
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
9a9eba |
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
|
|
|
9a9eba |
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
|
|
|
9a9eba |
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
|
|
|
9a9eba |
+ /* Allow ioctls for EP11 crypto card on s390 */
|
|
|
9a9eba |
+ SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
|
|
|
9a9eba |
#endif /* defined(__NR_ioctl) && defined(__s390__) */
|
|
|
9a9eba |
|
|
|
9a9eba |
/* Default deny */
|
|
|
9a9eba |
--
|
|
|
9a9eba |
1.9.1
|
|
|
9a9eba |
|
|
|
9a9eba |
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
|
|
9a9eba |
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
|
|
9a9eba |
implementation) which calls the libraries that will communicate with the
|
|
|
9a9eba |
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
|
|
9a9eba |
this is only need on s390 architecture.
|
|
|
9a9eba |
|
|
|
9a9eba |
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
|
9a9eba |
---
|
|
|
9a9eba |
sandbox-seccomp-filter.c | 6 ++++++
|
|
|
9a9eba |
1 file changed, 6 insertions(+)
|
|
|
9a9eba |
|
|
|
9a9eba |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
9a9eba |
index ca75cc7..6e7de31 100644
|
|
|
9a9eba |
--- a/sandbox-seccomp-filter.c
|
|
|
9a9eba |
+++ b/sandbox-seccomp-filter.c
|
|
|
9a9eba |
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
9a9eba |
#ifdef __NR_exit_group
|
|
|
9a9eba |
SC_ALLOW(exit_group),
|
|
|
9a9eba |
#endif
|
|
|
9a9eba |
+#if defined(__NR_flock) && defined(__s390__)
|
|
|
9a9eba |
+ SC_ALLOW(flock),
|
|
|
9a9eba |
+#endif
|
|
|
9a9eba |
#ifdef __NR_getpgid
|
|
|
9a9eba |
SC_ALLOW(getpgid),
|
|
|
9a9eba |
#endif
|
|
|
9a9eba |
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
9a9eba |
#ifdef __NR_gettimeofday
|
|
|
9a9eba |
SC_ALLOW(gettimeofday),
|
|
|
9a9eba |
#endif
|
|
|
9a9eba |
+#if defined(__NR_ipc) && defined(__s390__)
|
|
|
9a9eba |
+ SC_ALLOW(ipc),
|
|
|
9a9eba |
+#endif
|
|
|
9a9eba |
#ifdef __NR_madvise
|
|
|
9a9eba |
SC_ALLOW(madvise),
|
|
|
9a9eba |
#endif
|
|
|
9a9eba |
--
|
|
|
9a9eba |
1.9.1
|