diff options
| author | Colin Watson <cjwatson@debian.org> | 2017-08-28 12:14:23 +0100 |
|---|---|---|
| committer | Colin Watson <cjwatson@debian.org> | 2017-08-28 12:15:42 +0100 |
| commit | 305960d0d6d1d9bc0edc3393383fd5f60e69dec4 (patch) | |
| tree | c7d5abc0f998a53446e0a15524c08bfb93f9627b /debian/patches/seccomp-s390-flock-ipc.patch | |
| parent | e1c5c61f519b8ef0c210c7949789cfb33ad0cf13 (diff) | |
| parent | 375f99251da3754666750fe1ed63575ba909f397 (diff) | |
Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to allow some extra syscalls for crypto cards on s390x (LP: #1686618).
Diffstat (limited to 'debian/patches/seccomp-s390-flock-ipc.patch')
| -rw-r--r-- | debian/patches/seccomp-s390-flock-ipc.patch | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch new file mode 100644 index 000000000..7b5ed1098 --- /dev/null +++ b/debian/patches/seccomp-s390-flock-ipc.patch | |||
| @@ -0,0 +1,47 @@ | |||
| 1 | From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
| 3 | Date: Tue, 9 May 2017 10:53:04 -0300 | ||
| 4 | Subject: Allow flock and ipc syscall for s390 architecture | ||
| 5 | |||
| 6 | In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock | ||
| 7 | and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 | ||
| 8 | implementation) which calls the libraries that will communicate with the | ||
| 9 | crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, | ||
| 10 | this is only need on s390 architecture. | ||
| 11 | |||
| 12 | Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
| 13 | |||
| 14 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
| 15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
| 16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 | ||
| 17 | Last-Update: 2017-08-28 | ||
| 18 | |||
| 19 | Patch-Name: seccomp-s390-flock-ipc.patch | ||
| 20 | --- | ||
| 21 | sandbox-seccomp-filter.c | 6 ++++++ | ||
| 22 | 1 file changed, 6 insertions(+) | ||
| 23 | |||
| 24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
| 25 | index 2831e9d1..997b66ff 100644 | ||
| 26 | --- a/sandbox-seccomp-filter.c | ||
| 27 | +++ b/sandbox-seccomp-filter.c | ||
| 28 | @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { | ||
| 29 | #ifdef __NR_exit_group | ||
| 30 | SC_ALLOW(__NR_exit_group), | ||
| 31 | #endif | ||
| 32 | +#if defined(__NR_flock) && defined(__s390__) | ||
| 33 | + SC_ALLOW(__NR_flock), | ||
| 34 | +#endif | ||
| 35 | #ifdef __NR_getpgid | ||
| 36 | SC_ALLOW(__NR_getpgid), | ||
| 37 | #endif | ||
| 38 | @@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { | ||
| 39 | #ifdef __NR_gettimeofday | ||
| 40 | SC_ALLOW(__NR_gettimeofday), | ||
| 41 | #endif | ||
| 42 | +#if defined(__NR_ipc) && defined(__s390__) | ||
| 43 | + SC_ALLOW(__NR_ipc), | ||
| 44 | +#endif | ||
| 45 | #ifdef __NR_madvise | ||
| 46 | SC_ALLOW(__NR_madvise), | ||
| 47 | #endif | ||