jonathancammack / rpms / openssh

Forked from rpms/openssh 8 months ago
Clone
f5835d
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
f5835d
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
f5835d
implementation) which calls the libraries that will communicate with the
f5835d
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
f5835d
this is only need on s390 architecture.
f5835d
f5835d
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
f5835d
---
f5835d
 sandbox-seccomp-filter.c | 6 ++++++
f5835d
 1 file changed, 6 insertions(+)
f5835d
f5835d
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f5835d
index ca75cc7..6e7de31 100644
f5835d
--- a/sandbox-seccomp-filter.c
f5835d
+++ b/sandbox-seccomp-filter.c
f5835d
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 #ifdef __NR_exit_group
f5835d
 	SC_ALLOW(__NR_exit_group),
f5835d
 #endif
f5835d
+#if defined(__NR_flock) && defined(__s390__)
f5835d
+	SC_ALLOW(__NR_flock),
f5835d
+#endif
f5835d
 #ifdef __NR_geteuid
f5835d
 	SC_ALLOW(__NR_geteuid),
f5835d
 #endif
f5835d
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 #ifdef __NR_gettimeofday
f5835d
 	SC_ALLOW(__NR_gettimeofday),
f5835d
 #endif
f5835d
+#if defined(__NR_ipc) && defined(__s390__)
f5835d
+	SC_ALLOW(__NR_ipc),
f5835d
+#endif
f5835d
 #ifdef __NR_getuid
f5835d
 	SC_ALLOW(__NR_getuid),
f5835d
 #endif
f5835d
-- 
f5835d
1.9.1
f5835d
f5835d
getuid and geteuid are needed when using an openssl engine that calls a
f5835d
crypto card, e.g. ICA (libica).
f5835d
Those syscalls are also needed by the distros for audit code.
f5835d
f5835d
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
f5835d
---
f5835d
 sandbox-seccomp-filter.c | 12 ++++++++++++
f5835d
 1 file changed, 12 insertions(+)
f5835d
f5835d
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f5835d
index 6e7de31..e86aa2c 100644
f5835d
--- a/sandbox-seccomp-filter.c
f5835d
+++ b/sandbox-seccomp-filter.c
f5835d
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 #ifdef __NR_getpid
f5835d
 	SC_ALLOW(__NR_getpid),
f5835d
 #endif
f5835d
+#ifdef __NR_getuid
f5835d
+	SC_ALLOW(__NR_getuid),
f5835d
+#endif
f5835d
+#ifdef __NR_getuid32
f5835d
+	SC_ALLOW(__NR_getuid32),
f5835d
+#endif
f5835d
+#ifdef __NR_geteuid
f5835d
+	SC_ALLOW(__NR_geteuid),
f5835d
+#endif
f5835d
+#ifdef __NR_geteuid32
f5835d
+	SC_ALLOW(__NR_geteuid32),
f5835d
+#endif
f5835d
 #ifdef __NR_getrandom
f5835d
 	SC_ALLOW(__NR_getrandom),
f5835d
 #endif
f5835d
-- 1.9.1
f5835d
f5835d
The EP11 crypto card needs to make an ioctl call, which receives an
f5835d
specific argument. This crypto card is for s390 only.
f5835d
f5835d
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
f5835d
---
f5835d
 sandbox-seccomp-filter.c | 2 ++
f5835d
 1 file changed, 2 insertions(+)
f5835d
f5835d
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f5835d
index e86aa2c..98062f1 100644
f5835d
--- a/sandbox-seccomp-filter.c
f5835d
+++ b/sandbox-seccomp-filter.c
f5835d
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
f5835d
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
f5835d
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
f5835d
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
f5835d
+	/* Allow ioctls for EP11 crypto card on s390 */
f5835d
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
f5835d
 #endif
f5835d
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
f5835d
 	/*
f5835d
-- 
f5835d
1.9.1
f5835d
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
f5835d
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
f5835d
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
f5835d
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
f5835d
 #ifdef __NR_geteuid32
f5835d
 	SC_ALLOW(__NR_geteuid32),
f5835d
 #endif
f5835d
+#ifdef __NR_gettid
f5835d
+	SC_ALLOW(__NR_gettid),
f5835d
+#endif
f5835d
 #ifdef __NR_getrandom
f5835d
 	SC_ALLOW(__NR_getrandom),
f5835d
 #endif