Allow flock and ipc syscall for s390 architecture

In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.

Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
Last-Update: 2018-08-24

Patch-Name: seccomp-s390-flock-ipc.patch

1 files changed, 6 insertions, 0 deletions

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 12c4ee130..bcea77997 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
         SC_ALLOW(__NR_exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+        SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_geteuid
         SC_ALLOW(__NR_geteuid),
 #endif
@@ -190,6 +193,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getuid32
         SC_ALLOW(__NR_getuid32),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+        SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_madvise
         SC_ALLOW(__NR_madvise),
 #endif