aedd00
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
aedd00
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
aedd00
implementation) which calls the libraries that will communicate with the
aedd00
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
aedd00
this is only need on s390 architecture.
aedd00
aedd00
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
aedd00
---
aedd00
 sandbox-seccomp-filter.c | 6 ++++++
aedd00
 1 file changed, 6 insertions(+)
aedd00
aedd00
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
aedd00
index ca75cc7..6e7de31 100644
aedd00
--- a/sandbox-seccomp-filter.c
aedd00
+++ b/sandbox-seccomp-filter.c
aedd00
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
aedd00
 #ifdef __NR_exit_group
aedd00
 	SC_ALLOW(__NR_exit_group),
aedd00
 #endif
aedd00
+#if defined(__NR_flock) && defined(__s390__)
aedd00
+	SC_ALLOW(__NR_flock),
aedd00
+#endif
aedd00
 #ifdef __NR_futex
aedd00
 	SC_ALLOW(__NR_futex),
aedd00
 #endif
aedd00
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
aedd00
 #ifdef __NR_gettimeofday
aedd00
 	SC_ALLOW(__NR_gettimeofday),
aedd00
 #endif
aedd00
+#if defined(__NR_ipc) && defined(__s390__)
aedd00
+	SC_ALLOW(__NR_ipc),
aedd00
+#endif
aedd00
 #ifdef __NR_getuid
aedd00
 	SC_ALLOW(__NR_getuid),
aedd00
 #endif
aedd00
-- 
aedd00
1.9.1
aedd00
aedd00
getuid and geteuid are needed when using an openssl engine that calls a
aedd00
crypto card, e.g. ICA (libica).
aedd00
Those syscalls are also needed by the distros for audit code.
aedd00
aedd00
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
aedd00
---
aedd00
 sandbox-seccomp-filter.c | 12 ++++++++++++
aedd00
 1 file changed, 12 insertions(+)
aedd00
aedd00
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
aedd00
index 6e7de31..e86aa2c 100644
aedd00
--- a/sandbox-seccomp-filter.c
aedd00
+++ b/sandbox-seccomp-filter.c
aedd00
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
aedd00
 #ifdef __NR_getpid
aedd00
 	SC_ALLOW(__NR_getpid),
aedd00
 #endif
aedd00
+#ifdef __NR_getuid
aedd00
+	SC_ALLOW(__NR_getuid),
aedd00
+#endif
aedd00
+#ifdef __NR_getuid32
aedd00
+	SC_ALLOW(__NR_getuid32),
aedd00
+#endif
aedd00
+#ifdef __NR_geteuid
aedd00
+	SC_ALLOW(__NR_geteuid),
aedd00
+#endif
aedd00
+#ifdef __NR_geteuid32
aedd00
+	SC_ALLOW(__NR_geteuid32),
aedd00
+#endif
aedd00
 #ifdef __NR_getrandom
aedd00
 	SC_ALLOW(__NR_getrandom),
aedd00
 #endif
aedd00
-- 1.9.1
aedd00
aedd00
The EP11 crypto card needs to make an ioctl call, which receives an
aedd00
specific argument. This crypto card is for s390 only.
aedd00
aedd00
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
aedd00
---
aedd00
 sandbox-seccomp-filter.c | 2 ++
aedd00
 1 file changed, 2 insertions(+)
aedd00
aedd00
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
aedd00
index e86aa2c..98062f1 100644
aedd00
--- a/sandbox-seccomp-filter.c
aedd00
+++ b/sandbox-seccomp-filter.c
aedd00
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
aedd00
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
aedd00
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
aedd00
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
aedd00
+	/* Allow ioctls for EP11 crypto card on s390 */
aedd00
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
aedd00
 #endif
aedd00
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
aedd00
 	/*
aedd00
-- 
aedd00
1.9.1
aedd00
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
aedd00
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
aedd00
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
aedd00
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
aedd00
 #ifdef __NR_geteuid32
aedd00
 	SC_ALLOW(__NR_geteuid32),
aedd00
 #endif
aedd00
+#ifdef __NR_gettid
aedd00
+	SC_ALLOW(__NR_gettid),
aedd00
+#endif
aedd00
 #ifdef __NR_getrandom
aedd00
 	SC_ALLOW(__NR_getrandom),
aedd00
 #endif
aedd00
aedd00
aedd00
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
aedd00
From: Harald Freudenberger <freude@linux.ibm.com>
aedd00
Date: Fri, 24 May 2019 10:11:15 +0200
aedd00
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
aedd00
aedd00
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
aedd00
to the sandbox seccomp filter rules.
aedd00
aedd00
Now the ibmca openssl engine provides elliptic curve cryptography support with the
aedd00
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
aedd00
device driver and so there is a need to enable this on the openssl sandbox.
aedd00
aedd00
Code is s390 specific and has been tested, verified and reviewed.
aedd00
aedd00
Please note that I am also the originator of the previous changes in that area.
aedd00
I posted these changes to Eduardo and he forwarded the patches to the openssl
aedd00
community.
aedd00
aedd00
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
aedd00
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
aedd00
---
aedd00
 sandbox-seccomp-filter.c | 1 +
aedd00
 1 file changed, 1 insertion(+)
aedd00
aedd00
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
aedd00
index 5edbc6946..56eb9317f 100644
aedd00
--- a/sandbox-seccomp-filter.c
aedd00
+++ b/sandbox-seccomp-filter.c
aedd00
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
aedd00
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
aedd00
 	/* Allow ioctls for EP11 crypto card on s390 */
aedd00
 	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
aedd00
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
aedd00
 #endif
aedd00
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
aedd00
 	/*