|
 |
8bcc21e |
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
|
|
8bcc21e |
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
|
|
8bcc21e |
implementation) which calls the libraries that will communicate with the
|
|
|
8bcc21e |
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
|
|
8bcc21e |
this is only need on s390 architecture.
|
|
|
8bcc21e |
|
|
|
8bcc21e |
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
|
8bcc21e |
---
|
|
|
8bcc21e |
sandbox-seccomp-filter.c | 6 ++++++
|
|
|
8bcc21e |
1 file changed, 6 insertions(+)
|
|
|
8bcc21e |
|
|
|
8bcc21e |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
8bcc21e |
index ca75cc7..6e7de31 100644
|
|
|
8bcc21e |
--- a/sandbox-seccomp-filter.c
|
|
|
8bcc21e |
+++ b/sandbox-seccomp-filter.c
|
|
|
8bcc21e |
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
8bcc21e |
#ifdef __NR_exit_group
|
|
|
8bcc21e |
SC_ALLOW(__NR_exit_group),
|
|
|
8bcc21e |
#endif
|
|
|
8bcc21e |
+#if defined(__NR_flock) && defined(__s390__)
|
|
|
8bcc21e |
+ SC_ALLOW(__NR_flock),
|
|
|
8bcc21e |
+#endif
|
|
|
eaa7af2 |
#ifdef __NR_futex
|
|
|
eaa7af2 |
SC_ALLOW(__NR_futex),
|
|
|
8bcc21e |
#endif
|
|
|
8bcc21e |
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
8bcc21e |
#ifdef __NR_gettimeofday
|
|
|
8bcc21e |
SC_ALLOW(__NR_gettimeofday),
|
|
|
8bcc21e |
#endif
|
|
|
8bcc21e |
+#if defined(__NR_ipc) && defined(__s390__)
|
|
|
8bcc21e |
+ SC_ALLOW(__NR_ipc),
|
|
|
8bcc21e |
+#endif
|
|
|
bbf61da |
#ifdef __NR_getuid
|
|
|
bbf61da |
SC_ALLOW(__NR_getuid),
|
|
|
8bcc21e |
#endif
|
|
|
8bcc21e |
--
|
|
|
8bcc21e |
1.9.1
|
|
|
8bcc21e |
|
|
|
8bcc21e |
getuid and geteuid are needed when using an openssl engine that calls a
|
|
|
8bcc21e |
crypto card, e.g. ICA (libica).
|
|
|
8bcc21e |
Those syscalls are also needed by the distros for audit code.
|
|
|
8bcc21e |
|
|
|
8bcc21e |
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
|
8bcc21e |
---
|
|
|
8bcc21e |
sandbox-seccomp-filter.c | 12 ++++++++++++
|
|
|
8bcc21e |
1 file changed, 12 insertions(+)
|
|
|
8bcc21e |
|
|
|
8bcc21e |
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
|
8bcc21e |
index 6e7de31..e86aa2c 100644
|
|
|
8bcc21e |
--- a/sandbox-seccomp-filter.c
|
|
|
8bcc21e |
+++ b/sandbox-seccomp-filter.c
|
|
|
8bcc21e |
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
|
|
|
8bcc21e |
#ifdef __NR_getpid
|
|
|
8bcc21e |
SC_ALLOW(__NR_getpid),
|
|
|
8bcc21e |
#endif
|
|
|
8bcc21e |
+#ifdef __NR_getuid
|
|
|
8bcc21e |
+ SC_ALLOW(__NR_getuid),
|
|
|
8bcc21e |
+#endif
|
|
|
8bcc21e |
+#ifdef __NR_getuid32
|
|
|
8bcc21e |
+ SC_ALLOW(__NR_getuid32),
|
|
|
8bcc21e |
+#endif
|
|
|
8bcc21e |
+#ifdef __NR_geteuid
|
|
|
8bcc21e |
+ SC_ALLOW(__NR_geteuid),
|
|
|
8bcc21e |
+#endif
|
|
|
8bcc21e |
+#ifdef __NR_geteuid32
|
|
|
8bcc21e |
+ SC_ALLOW(__NR_geteuid32),
|
|
|
8bcc21e |
+#endif
|
|
|
8bcc21e |
#ifdef __NR_getrandom
|
|
|
8bcc21e |
SC_ALLOW(__NR_getrandom),
|
|
|
8bcc21e |
#endif
|
|
|
8bcc21e |
-- 1.9.1
|
|
|
8bcc21e |
1.9.1
|
|
|
17cd512 |
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
|
|
17cd512 |
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
|
|
17cd512 |
+++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
|
|
|
17cd512 |
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
|
|
|
17cd512 |
#ifdef __NR_geteuid32
|
|
|
17cd512 |
SC_ALLOW(__NR_geteuid32),
|
|
|
17cd512 |
#endif
|
|
|
17cd512 |
+#ifdef __NR_gettid
|
|
|
17cd512 |
+ SC_ALLOW(__NR_gettid),
|
|
|
17cd512 |
+#endif
|
|
|
17cd512 |
#ifdef __NR_getrandom
|
|
|
17cd512 |
SC_ALLOW(__NR_getrandom),
|
|
|
17cd512 |
#endif
|
|
|
f15fbdc |
|