From f15fbdc5fe680c7115f0cce5fe1d0657abb1977b Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Thu, 30 May 2019 11:28:11 +0200
Subject: [PATCH] Whitelist another syscall variant for s390x cryptographic module (ibmca engine)
---
 openssh-7.5p1-sandbox.patch | 38 +++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
diff --git a/openssh-7.5p1-sandbox.patch b/openssh-7.5p1-sandbox.patch
index 85a4b0f..7190813 100644
--- a/openssh-7.5p1-sandbox.patch
+++ b/openssh-7.5p1-sandbox.patch
@@ -106,3 +106,41 @@ diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-se
 #ifdef __NR_getrandom
 SC_ALLOW(__NR_getrandom),
 #endif
+
+
+From ef34ea4521b042dd8a9c4c7455f5d1a8f8ee5bb2 Mon Sep 17 00:00:00 2001
+From: Harald Freudenberger
+Date: Fri, 24 May 2019 10:11:15 +0200
+Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
+
+Adding another s390 specific ioctl to be able to support ECC hardware acceleration
+to the sandbox seccomp filter rules.
+
+Now the ibmca openssl engine provides elliptic curve cryptography support with the
+help of libica and CCA crypto cards. This is done via jet another ioctl call to the zcrypt
+device driver and so there is a need to enable this on the openssl sandbox.
+
+Code is s390 specific and has been tested, verified and reviewed.
+
+Please note that I am also the originator of the previous changes in that area.
+I posted these changes to Eduardo and he forwarded the patches to the openssl
+community.
+
+Signed-off-by: Harald Freudenberger
+Reviewed-by: Joerg Schmidbauer
+---
+ sandbox-seccomp-filter.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 5edbc6946..56eb9317f 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -252,6 +252,7 @@ static const struct sock_filter preauth_insns[] = {
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
++ SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),
+ #endif
+ #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+ /*
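Review bot: The new `ZSECSENDCPRB` allow rule in the embedded hunk carries no comment, while the `ZSENDEP11CPRB` rule directly above it is explained by `/* Allow ioctls for EP11 crypto card on s390 */`; add a matching line such as `/* Allow ioctls for CCA crypto card ECC support on s390 */` above `SC_ALLOW_ARG(__NR_ioctl, 1, ZSECSENDCPRB),` so a reader of the pre-auth filter knows why this request code is accepted. Like the neighbouring `ICARSACRT` and `ZSENDEP11CPRB` entries, `SC_ALLOW_ARG` here appears to match only the ioctl request code in argument 1 and not the file descriptor, so the rule admits that request code on any fd the pre-auth child holds — consistent with the existing entries, but worth stating in the comment since each such line widens the sandbox. The `#if` block that the shown `#endif` closes and the `preauth_insns` array both begin outside the hunk, so the architecture guard this rule sits under cannot be confirmed from here. The embedded commit text refers to the "openssl sandbox" where the surrounding code is the OpenSSH seccomp sandbox; that wording lives inside the added patch lines and is left as the inner author wrote it.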