rpms / gsi-openssh

Clone
Source Code
GIT

Blame openssh-7.5p1-sandbox.patch

el5 el6 epel7 epel8 epel9 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   epel9
  2.   openssh-7.5p1-sandbox.patch
Blob History Raw
c7d42e7 
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
c7d42e7 
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
c7d42e7 
implementation) which calls the libraries that will communicate with the
c7d42e7 
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
c7d42e7 
this is only need on s390 architecture.
c7d42e7
c7d42e7 
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
c7d42e7 
---
c7d42e7 
 sandbox-seccomp-filter.c | 6 ++++++
c7d42e7 
 1 file changed, 6 insertions(+)
c7d42e7
f249377 
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
c7d42e7 
index ca75cc7..6e7de31 100644
f249377 
--- a/sandbox-seccomp-filter.c
f249377 
+++ b/sandbox-seccomp-filter.c
c7d42e7 
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
c7d42e7 
 #ifdef __NR_exit_group
c7d42e7 
 	SC_ALLOW(__NR_exit_group),
c7d42e7 
 #endif
c7d42e7 
+#if defined(__NR_flock) && defined(__s390__)
c7d42e7 
+	SC_ALLOW(__NR_flock),
f249377 
+#endif
afffcad 
 #ifdef __NR_futex
afffcad 
 	SC_ALLOW(__NR_futex),
c7d42e7 
 #endif
c7d42e7 
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
c7d42e7 
 #ifdef __NR_gettimeofday
c7d42e7 
 	SC_ALLOW(__NR_gettimeofday),
c7d42e7 
 #endif
c7d42e7 
+#if defined(__NR_ipc) && defined(__s390__)
c7d42e7 
+	SC_ALLOW(__NR_ipc),
c7d42e7 
+#endif
5923b7b 
 #ifdef __NR_getuid
5923b7b 
 	SC_ALLOW(__NR_getuid),
c7d42e7 
 #endif
c7d42e7 
--
c7d42e7 
1.9.1
c7d42e7
c7d42e7 
getuid and geteuid are needed when using an openssl engine that calls a
c7d42e7 
crypto card, e.g. ICA (libica).
c7d42e7 
Those syscalls are also needed by the distros for audit code.
c7d42e7
c7d42e7 
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
c7d42e7 
---
c7d42e7 
 sandbox-seccomp-filter.c | 12 ++++++++++++
c7d42e7 
 1 file changed, 12 insertions(+)
c7d42e7
c7d42e7 
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
c7d42e7 
index 6e7de31..e86aa2c 100644
c7d42e7 
--- a/sandbox-seccomp-filter.c
c7d42e7 
+++ b/sandbox-seccomp-filter.c
c7d42e7 
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
c7d42e7 
 #ifdef __NR_getpid
c7d42e7 
 	SC_ALLOW(__NR_getpid),
c7d42e7 
 #endif
c7d42e7 
+#ifdef __NR_getuid
c7d42e7 
+	SC_ALLOW(__NR_getuid),
c7d42e7 
+#endif
c7d42e7 
+#ifdef __NR_getuid32
c7d42e7 
+	SC_ALLOW(__NR_getuid32),
c7d42e7 
+#endif
c7d42e7 
+#ifdef __NR_geteuid
c7d42e7 
+	SC_ALLOW(__NR_geteuid),
c7d42e7 
+#endif
c7d42e7 
+#ifdef __NR_geteuid32
c7d42e7 
+	SC_ALLOW(__NR_geteuid32),
c7d42e7 
+#endif
c7d42e7 
 #ifdef __NR_getrandom
c7d42e7 
 	SC_ALLOW(__NR_getrandom),
c7d42e7 
 #endif
c7d42e7 
-- 1.9.1
c7d42e7 
1.9.1
01510d7 
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
01510d7 
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
01510d7 
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
01510d7 
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
01510d7 
 #ifdef __NR_geteuid32
01510d7 
 	SC_ALLOW(__NR_geteuid32),
01510d7 
 #endif
01510d7 
+#ifdef __NR_gettid
01510d7 
+	SC_ALLOW(__NR_gettid),
01510d7 
+#endif
01510d7 
 #ifdef __NR_getrandom
01510d7 
 	SC_ALLOW(__NR_getrandom),
01510d7 
 #endif
15b86ea
Powered by Pagure 5.14.1
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.