8bcc21
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
8bcc21
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
8bcc21
implementation) which calls the libraries that will communicate with the
8bcc21
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
8bcc21
this is only needed on s390 architecture.
8bcc21
8bcc21
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
8bcc21
---
8bcc21
 sandbox-seccomp-filter.c | 6 ++++++
8bcc21
 1 file changed, 6 insertions(+)
8bcc21
8bcc21
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
8bcc21
index ca75cc7..6e7de31 100644
8bcc21
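--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(__NR_exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_futex
 	SC_ALLOW(__NR_futex),
 #endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_gettimeofday
 	SC_ALLOW(__NR_gettimeofday),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_getuid
 	SC_ALLOW(__NR_getuid),
 #endif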
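Review bot: `SC_ALLOW(__NR_ipc)` in the second hunk admits every System V IPC operation, because on s390 `ipc` is a multiplexer whose first argument selects the sub-call, so semaphores, message queues and shared memory are all opened to the pre-auth process at once. The sandbox exists to contain that process if it is compromised, so the rule should be narrowed to the sub-calls OpenCryptoki is confirmed to need, using the argument matcher this file already applies to ioctl: one `SC_ALLOW_ARG(__NR_ipc, 0, <SUBCALL_PLACEHOLDER>),` per required operation. Both new rules also lack a comment saying why they exist; something like `/* flock and ipc: used by OpenCryptoki (ibmpkcs11 engine) on s390 */` above each block would keep the allow-list auditable. The `preauth_insns` array starts and ends outside both hunks.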
8bcc21
-- 
8bcc21
1.9.1
8bcc21
8bcc21
getuid and geteuid are needed when using an openssl engine that calls a
8bcc21
crypto card, e.g. ICA (libica).
8bcc21
Those syscalls are also needed by the distros for audit code.
8bcc21
8bcc21
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
8bcc21
---
8bcc21
 sandbox-seccomp-filter.c | 12 ++++++++++++
8bcc21
 1 file changed, 12 insertions(+)
8bcc21
8bcc21
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
8bcc21
index 6e7de31..e86aa2c 100644
8bcc21
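--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getpid
 	SC_ALLOW(__NR_getpid),
 #endif
+#ifdef __NR_getuid
+	SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+	SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+	SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+	SC_ALLOW(__NR_geteuid32),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif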
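Review bot: The added `#ifdef __NR_getuid` / `SC_ALLOW(__NR_getuid),` pair looks like a duplicate, since the context lines of the preceding patch's second hunk already show the same rule a few entries further down the array. If both end up in the applied tree the policy is unchanged, but the filter carries a redundant BPF rule and the allow-list becomes harder to audit; dropping the `__NR_getuid` block here and keeping `__NR_getuid32`, `__NR_geteuid` and `__NR_geteuid32` would avoid that. A short comment such as `/* getuid/geteuid: needed by libica-backed engines and distro audit code */` above the group would record why these are allowed pre-auth. The array body continues outside the hunk.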
8bcc21
-- 1.9.1
8bcc21
8bcc21
The EP11 crypto card needs to make an ioctl call, which receives a
8bcc21
specific argument. This crypto card is for s390 only.
8bcc21
8bcc21
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
8bcc21
---
8bcc21
 sandbox-seccomp-filter.c | 2 ++
8bcc21
 1 file changed, 2 insertions(+)
8bcc21
8bcc21
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
8bcc21
index e86aa2c..98062f1 100644
8bcc21
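--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+	/* Allow ioctls for EP11 crypto card on s390 */
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
 #endif
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
 	/*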
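Review bot: The new `SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),` line has no guard of its own, so if the build host's zcrypt header predates EP11 support the constant would be undefined and the file would not compile; wrapping it as `#ifdef ZSENDEP11CPRB` … `#endif` inside the existing block would keep older s390 build environments working. The rule matches only the request code in argument 1, so it applies to any descriptor the pre-auth process holds, and it lets that process submit request blocks to the adapter. It is worth stating in the comment which engine needs this before authentication, so the exposure can be re-evaluated later. The `#if` that opens this block is outside the hunk.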
8bcc21
-- 
8bcc21
1.9.1
17cd51
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
17cd51
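--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_geteuid32
 	SC_ALLOW(__NR_geteuid32),
 #endif
+#ifdef __NR_gettid
+	SC_ALLOW(__NR_gettid),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif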
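Review bot: The `__NR_gettid` rule is added with no record of which component needs it, since this patch has no description and the hunk has no comment. Every entry in a pre-auth allow-list should be traceable to a caller, so that it can be removed when the caller goes away; a line such as `/* gettid: required by <component — confirm> */` above the `#ifdef` would do. The array body continues outside the hunk.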
f15fbd
f15fbd
f15fbd
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
f15fbd
From: Harald Freudenberger <freude@linux.ibm.com>
f15fbd
Date: Fri, 24 May 2019 10:11:15 +0200
f15fbd
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
f15fbd
f15fbd
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
f15fbd
to the sandbox seccomp filter rules.
f15fbd
f15fbd
Now the ibmca openssl engine provides elliptic curve cryptography support with the
f15fbd
help of libica and CCA crypto cards. This is done via yet another ioctl call to the zcrypt
f15fbd
device driver and so there is a need to enable this on the openssl sandbox.
f15fbd
f15fbd
Code is s390 specific and has been tested, verified and reviewed.
f15fbd
f15fbd
Please note that I am also the originator of the previous changes in that area.
f15fbd
I posted these changes to Eduardo and he forwarded the patches to the openssl
f15fbd
community.
f15fbd
f15fbd
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
f15fbd
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
f15fbd
---
f15fbd
 sandbox-seccomp-filter.c | 1 +
f15fbd
 1 file changed, 1 insertion(+)
f15fbd
f15fbd
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
f15fbd
index 5edbc6946..56eb9317f 100644
f15fbd
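--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
 	/* Allow ioctls for EP11 crypto card on s390 */
 	SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
+	SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
 #endif
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
 	/*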
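Review bot: The added `SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),` line sits directly under the comment "Allow ioctls for EP11 crypto card on s390", but the commit message says this request serves CCA cards for ECC through libica, so the comment now misdescribes the rule. Give the new line its own comment, for example `/* Allow ioctl for CCA crypto card (ECC via libica/ibmca) on s390 */`, so an auditor can tell which hardware path each request code opens to the pre-auth process. As with the EP11 entry, an `#ifdef ZSECSENDCPRB` guard would protect builds against headers that lack the constant. The enclosing `#if` block opens outside the hunk.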