In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only needed on the s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(__NR_exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_futex
 	SC_ALLOW(__NR_futex),
 #endif
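Review bot: The new `flock` rule carries no rationale in the file itself, and the `__s390__` guard is a compile-time condition for what the commit message describes as a run-time engine choice, so a reader of sandbox-seccomp-filter.c cannot tell why this one architecture gets it. It also widens the pre-auth sandbox for every s390 sshd, engine configured or not; flock(2) only acts on a descriptor the process already holds, so the exposure is small, but the trade-off should be recorded where the rule lives. A comment above the `#if` would carry the motivation over from the commit message: `/* flock(2): used by OpenCryptoki (PKCS#11) when the ibmpkcs11 engine drives a crypto card; only needed on s390 */`. The `preauth_insns` array this hunk sits in begins and ends outside the hunk.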
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_gettimeofday
 	SC_ALLOW(__NR_gettimeofday),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_getuid
 	SC_ALLOW(__NR_getuid),
 #endif
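Review bot: `SC_ALLOW(__NR_ipc)` admits the whole ipc(2) multiplexer, which on s390 fronts all of the System V semaphore, shared-memory and message-queue operations, and it does so for every s390 pre-auth sshd whether or not a crypto-card engine is configured; that is a much larger surface than the flock rule in the previous hunk, and shared-memory attachment in particular is not something the unprivileged pre-auth process otherwise needs. The file already handles the analogous socketcall multiplexer with an argument-checked rule (upstream uses `SC_ALLOW_ARG(__NR_socketcall, SYS_SHUTDOWN)`), so the narrower form here would be one `SC_ALLOW_ARG(__NR_ipc, <subcall>)` per operation OpenCryptoki actually performs; the commit message does not say which those are, so that set needs confirming against OpenCryptoki before the rule is tightened. At minimum a comment should state the scope: `/* ipc(2): SysV IPC multiplexer used by OpenCryptoki behind the ibmpkcs11 engine; allowed wholesale, s390 only */`. The enclosing `preauth_insns` array begins and ends outside the hunk.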
-- 
1.9.1
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getpid
 	SC_ALLOW(__NR_getpid),
 #endif
+#ifdef __NR_getuid
+	SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+	SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+	SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+	SC_ALLOW(__NR_geteuid32),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif
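Review bot: The `SC_ALLOW(__NR_getuid)` block added here appears to duplicate a rule this file already contains: the previous patch's second hunk shows `#ifdef __NR_getuid` / `SC_ALLOW(__NR_getuid)` / `#endif` as unchanged context a few lines further down the array (after the gettimeofday rule), and this patch's base (index 6e7de31) is that patch's result. A duplicate entry does not change what the filter permits, since the first matching jump wins, but it spends BPF instructions for nothing and will confuse the next rebase; the new block should either replace the existing one or be dropped, and `geteuid` should be checked the same way against the part of the array outside this hunk. The commit message also credits the distros' audit code as a second reason, which would be worth recording next to the rules, e.g. `/* getuid/geteuid: crypto-card engines (libica) and distro audit code */`. The enclosing `preauth_insns` array begins and ends outside the hunk.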
-- 1.9.1
1.9.1
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_geteuid32
 	SC_ALLOW(__NR_geteuid32),
 #endif
+#ifdef __NR_gettid
+	SC_ALLOW(__NR_gettid),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif
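Review bot: The `gettid` rule arrives with no description at all — this third diff starts directly at its `diff -up` header — and no comment in the array, so nothing records why the pre-auth process needs it; the two earlier patches at least name the crypto-card engine motivation. Unlike the flock and ipc rules it is also not gated on `__s390__`; gettid(2) takes no arguments and only reveals the caller's own thread id, so the added exposure is negligible, but the inconsistency with the earlier gating is worth a sentence. Presumably it serves the same libica/OpenCryptoki use as the previous patches, which should be confirmed and then written down, e.g. `/* gettid(2): needed by the crypto-card engine libraries (see the ibmpkcs11/libica changes above) -- TODO confirm */`. The enclosing `preauth_insns` array begins and ends outside the hunk.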