You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
147 lines
4.8 KiB
147 lines
4.8 KiB
2 years ago
|
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
||
|
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
||
|
implementation) which calls the libraries that will communicate with the
|
||
|
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
||
|
this is only need on s390 architecture.
|
||
|
|
||
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||
|
---
|
||
|
sandbox-seccomp-filter.c | 6 ++++++
|
||
|
1 file changed, 6 insertions(+)
|
||
|
|
||
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||
|
index ca75cc7..6e7de31 100644
|
||
|
--- a/sandbox-seccomp-filter.c
|
||
|
+++ b/sandbox-seccomp-filter.c
|
||
|
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
#ifdef __NR_exit_group
|
||
|
SC_ALLOW(__NR_exit_group),
|
||
|
#endif
|
||
|
+#if defined(__NR_flock) && defined(__s390__)
|
||
|
+ SC_ALLOW(__NR_flock),
|
||
|
+#endif
|
||
|
#ifdef __NR_futex
|
||
|
SC_ALLOW(__NR_futex),
|
||
|
#endif
|
||
|
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
#ifdef __NR_gettimeofday
|
||
|
SC_ALLOW(__NR_gettimeofday),
|
||
|
#endif
|
||
|
+#if defined(__NR_ipc) && defined(__s390__)
|
||
|
+ SC_ALLOW(__NR_ipc),
|
||
|
+#endif
|
||
|
#ifdef __NR_getuid
|
||
|
SC_ALLOW(__NR_getuid),
|
||
|
#endif
|
||
|
--
|
||
|
1.9.1
|
||
|
|
||
|
getuid and geteuid are needed when using an openssl engine that calls a
|
||
|
crypto card, e.g. ICA (libica).
|
||
|
Those syscalls are also needed by the distros for audit code.
|
||
|
|
||
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||
|
---
|
||
|
sandbox-seccomp-filter.c | 12 ++++++++++++
|
||
|
1 file changed, 12 insertions(+)
|
||
|
|
||
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||
|
index 6e7de31..e86aa2c 100644
|
||
|
--- a/sandbox-seccomp-filter.c
|
||
|
+++ b/sandbox-seccomp-filter.c
|
||
|
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
#ifdef __NR_getpid
|
||
|
SC_ALLOW(__NR_getpid),
|
||
|
#endif
|
||
|
+#ifdef __NR_getuid
|
||
|
+ SC_ALLOW(__NR_getuid),
|
||
|
+#endif
|
||
|
+#ifdef __NR_getuid32
|
||
|
+ SC_ALLOW(__NR_getuid32),
|
||
|
+#endif
|
||
|
+#ifdef __NR_geteuid
|
||
|
+ SC_ALLOW(__NR_geteuid),
|
||
|
+#endif
|
||
|
+#ifdef __NR_geteuid32
|
||
|
+ SC_ALLOW(__NR_geteuid32),
|
||
|
+#endif
|
||
|
#ifdef __NR_getrandom
|
||
|
SC_ALLOW(__NR_getrandom),
|
||
|
#endif
|
||
|
-- 1.9.1
|
||
|
|
||
|
The EP11 crypto card needs to make an ioctl call, which receives an
|
||
|
specific argument. This crypto card is for s390 only.
|
||
|
|
||
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
||
|
---
|
||
|
sandbox-seccomp-filter.c | 2 ++
|
||
|
1 file changed, 2 insertions(+)
|
||
|
|
||
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||
|
index e86aa2c..98062f1 100644
|
||
|
--- a/sandbox-seccomp-filter.c
|
||
|
+++ b/sandbox-seccomp-filter.c
|
||
|
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
||
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
||
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
||
|
+ /* Allow ioctls for EP11 crypto card on s390 */
|
||
|
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
||
|
#endif
|
||
|
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
||
|
/*
|
||
|
--
|
||
|
1.9.1
|
||
|
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
||
|
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
||
|
+++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
|
||
|
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
|
||
|
#ifdef __NR_geteuid32
|
||
|
SC_ALLOW(__NR_geteuid32),
|
||
|
#endif
|
||
|
+#ifdef __NR_gettid
|
||
|
+ SC_ALLOW(__NR_gettid),
|
||
|
+#endif
|
||
|
#ifdef __NR_getrandom
|
||
|
SC_ALLOW(__NR_getrandom),
|
||
|
#endif
|
||
|
|
||
|
|
||
|
From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
|
||
|
From: Harald Freudenberger <freude@linux.ibm.com>
|
||
|
Date: Fri, 24 May 2019 10:11:15 +0200
|
||
|
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
|
||
|
|
||
|
Adding another s390 specific ioctl to be able to support ECC hardware acceleration
|
||
|
to the sandbox seccomp filter rules.
|
||
|
|
||
|
Now the ibmca openssl engine provides elliptic curve cryptography support with the
|
||
|
help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
|
||
|
device driver and so there is a need to enable this on the openssl sandbox.
|
||
|
|
||
|
Code is s390 specific and has been tested, verified and reviewed.
|
||
|
|
||
|
Please note that I am also the originator of the previous changes in that area.
|
||
|
I posted these changes to Eduardo and he forwarded the patches to the openssl
|
||
|
community.
|
||
|
|
||
|
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
|
||
|
Reviewed-by: Joerg Schmidbauer <jschmidb@de.ibm.com>
|
||
|
---
|
||
|
sandbox-seccomp-filter.c | 1 +
|
||
|
1 file changed, 1 insertion(+)
|
||
|
|
||
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
||
|
index 5edbc6946..56eb9317f 100644
|
||
|
--- a/sandbox-seccomp-filter.c
|
||
|
+++ b/sandbox-seccomp-filter.c
|
||
|
@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
|
||
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
||
|
/* Allow ioctls for EP11 crypto card on s390 */
|
||
|
SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
||
|
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
|
||
|
#endif
|
||
|
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
||
|
/*
|