diff options
author | Colin Watson <cjwatson@debian.org> | 2017-08-28 12:14:23 +0100 |
---|---|---|
committer | Colin Watson <cjwatson@debian.org> | 2017-08-28 12:15:42 +0100 |
commit | 305960d0d6d1d9bc0edc3393383fd5f60e69dec4 (patch) | |
tree | c7d5abc0f998a53446e0a15524c08bfb93f9627b /debian/patches | |
parent | e1c5c61f519b8ef0c210c7949789cfb33ad0cf13 (diff) | |
parent | 375f99251da3754666750fe1ed63575ba909f397 (diff) |
Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to allow some extra syscalls for crypto cards on s390x (LP: #1686618).
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/auth-log-verbosity.patch | 7 | ||||
-rw-r--r-- | debian/patches/gssapi.patch | 23 | ||||
-rw-r--r-- | debian/patches/seccomp-getuid-geteuid.patch | 44 | ||||
-rw-r--r-- | debian/patches/seccomp-s390-flock-ipc.patch | 47 | ||||
-rw-r--r-- | debian/patches/seccomp-s390-ioctl-ep11-crypto.patch | 33 | ||||
-rw-r--r-- | debian/patches/series | 3 |
6 files changed, 142 insertions, 15 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 6b5653ca7..fb3855f9a 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch | |||
@@ -18,7 +18,7 @@ diff --git a/auth-options.c b/auth-options.c | |||
18 | index 57b49f7f..7eb87b35 100644 | 18 | index 57b49f7f..7eb87b35 100644 |
19 | --- a/auth-options.c | 19 | --- a/auth-options.c |
20 | +++ b/auth-options.c | 20 | +++ b/auth-options.c |
21 | @@ -59,9 +59,20 @@ int forced_tun_device = -1; | 21 | @@ -59,8 +59,19 @@ int forced_tun_device = -1; |
22 | /* "principals=" option. */ | 22 | /* "principals=" option. */ |
23 | char *authorized_principals = NULL; | 23 | char *authorized_principals = NULL; |
24 | 24 | ||
@@ -28,17 +28,16 @@ index 57b49f7f..7eb87b35 100644 | |||
28 | + | 28 | + |
29 | extern ServerOptions options; | 29 | extern ServerOptions options; |
30 | 30 | ||
31 | void | 31 | +void |
32 | +auth_start_parse_options(void) | 32 | +auth_start_parse_options(void) |
33 | +{ | 33 | +{ |
34 | + logged_from_hostip = 0; | 34 | + logged_from_hostip = 0; |
35 | + logged_cert_hostip = 0; | 35 | + logged_cert_hostip = 0; |
36 | +} | 36 | +} |
37 | + | 37 | + |
38 | +void | 38 | void |
39 | auth_clear_options(void) | 39 | auth_clear_options(void) |
40 | { | 40 | { |
41 | no_agent_forwarding_flag = 0; | ||
42 | @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) | 41 | @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) |
43 | /* FALLTHROUGH */ | 42 | /* FALLTHROUGH */ |
44 | case 0: | 43 | case 0: |
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index c74926dc6..deddbcb80 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch | |||
@@ -266,10 +266,11 @@ index 6ee6116d..c6390687 100644 | |||
266 | return 1; | 266 | return 1; |
267 | break; | 267 | break; |
268 | case PERMIT_FORCED_ONLY: | 268 | case PERMIT_FORCED_ONLY: |
269 | @@ -795,99 +796,6 @@ fakepw(void) | 269 | @@ -794,99 +795,6 @@ fakepw(void) |
270 | return (&fake); | ||
270 | } | 271 | } |
271 | 272 | ||
272 | /* | 273 | -/* |
273 | - * Returns the remote DNS hostname as a string. The returned string must not | 274 | - * Returns the remote DNS hostname as a string. The returned string must not |
274 | - * be freed. NB. this will usually trigger a DNS query the first time it is | 275 | - * be freed. NB. this will usually trigger a DNS query the first time it is |
275 | - * called. | 276 | - * called. |
@@ -362,10 +363,9 @@ index 6ee6116d..c6390687 100644 | |||
362 | - return strdup(name); | 363 | - return strdup(name); |
363 | -} | 364 | -} |
364 | - | 365 | - |
365 | -/* | 366 | /* |
366 | * Return the canonical name of the host in the other side of the current | 367 | * Return the canonical name of the host in the other side of the current |
367 | * connection. The host name is cached, so it is efficient to call this | 368 | * connection. The host name is cached, so it is efficient to call this |
368 | * several times. | ||
369 | diff --git a/auth2-gss.c b/auth2-gss.c | 369 | diff --git a/auth2-gss.c b/auth2-gss.c |
370 | index 1ca83577..3b5036df 100644 | 370 | index 1ca83577..3b5036df 100644 |
371 | --- a/auth2-gss.c | 371 | --- a/auth2-gss.c |
@@ -875,10 +875,11 @@ index 62559ed9..0b3ae073 100644 | |||
875 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, | 875 | GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, |
876 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); | 876 | 0, NULL, recv_tok, NULL, send_tok, flags, NULL); |
877 | 877 | ||
878 | @@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) | 878 | @@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) |
879 | return (ctx->major); | ||
879 | } | 880 | } |
880 | 881 | ||
881 | OM_uint32 | 882 | +OM_uint32 |
882 | +ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) | 883 | +ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) |
883 | +{ | 884 | +{ |
884 | + gss_buffer_desc gssbuf; | 885 | + gss_buffer_desc gssbuf; |
@@ -909,7 +910,7 @@ index 62559ed9..0b3ae073 100644 | |||
909 | + return(ctx->major); | 910 | + return(ctx->major); |
910 | +} | 911 | +} |
911 | + | 912 | + |
912 | +OM_uint32 | 913 | OM_uint32 |
913 | ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) | 914 | ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) |
914 | { | 915 | { |
915 | + if (ctx == NULL) | 916 | + if (ctx == NULL) |
@@ -1199,10 +1200,11 @@ index 53993d67..2e27cbf9 100644 | |||
1199 | 1200 | ||
1200 | #ifdef KRB5 | 1201 | #ifdef KRB5 |
1201 | extern ssh_gssapi_mech gssapi_kerberos_mech; | 1202 | extern ssh_gssapi_mech gssapi_kerberos_mech; |
1202 | @@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) | 1203 | @@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) |
1204 | return (ssh_gssapi_acquire_cred(*ctx)); | ||
1203 | } | 1205 | } |
1204 | 1206 | ||
1205 | /* Unprivileged */ | 1207 | +/* Unprivileged */ |
1206 | +char * | 1208 | +char * |
1207 | +ssh_gssapi_server_mechanisms(void) { | 1209 | +ssh_gssapi_server_mechanisms(void) { |
1208 | + if (supported_oids == NULL) | 1210 | + if (supported_oids == NULL) |
@@ -1224,10 +1226,9 @@ index 53993d67..2e27cbf9 100644 | |||
1224 | + return (res); | 1226 | + return (res); |
1225 | +} | 1227 | +} |
1226 | + | 1228 | + |
1227 | +/* Unprivileged */ | 1229 | /* Unprivileged */ |
1228 | void | 1230 | void |
1229 | ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1231 | ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1230 | { | ||
1231 | @@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) | 1232 | @@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) |
1232 | gss_OID_set supported; | 1233 | gss_OID_set supported; |
1233 | 1234 | ||
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch new file mode 100644 index 000000000..c829abaa9 --- /dev/null +++ b/debian/patches/seccomp-getuid-geteuid.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001 | ||
2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
3 | Date: Tue, 9 May 2017 13:31:05 -0300 | ||
4 | Subject: Allow getuid and geteuid calls | ||
5 | |||
6 | getuid and geteuid are needed when using an openssl engine that calls a | ||
7 | crypto card, e.g. ICA (libica). | ||
8 | Those syscalls are also needed by the distros for audit code. | ||
9 | |||
10 | Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
11 | |||
12 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
13 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
14 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 | ||
15 | Last-Update: 2017-08-28 | ||
16 | |||
17 | Patch-Name: seccomp-getuid-geteuid.patch | ||
18 | --- | ||
19 | sandbox-seccomp-filter.c | 12 ++++++++++++ | ||
20 | 1 file changed, 12 insertions(+) | ||
21 | |||
22 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
23 | index 997b66ff..4cbaaa2e 100644 | ||
24 | --- a/sandbox-seccomp-filter.c | ||
25 | +++ b/sandbox-seccomp-filter.c | ||
26 | @@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { | ||
27 | #ifdef __NR_getpid | ||
28 | SC_ALLOW(__NR_getpid), | ||
29 | #endif | ||
30 | +#ifdef __NR_getuid | ||
31 | + SC_ALLOW(__NR_getuid), | ||
32 | +#endif | ||
33 | +#ifdef __NR_getuid32 | ||
34 | + SC_ALLOW(__NR_getuid32), | ||
35 | +#endif | ||
36 | +#ifdef __NR_geteuid | ||
37 | + SC_ALLOW(__NR_geteuid), | ||
38 | +#endif | ||
39 | +#ifdef __NR_geteuid32 | ||
40 | + SC_ALLOW(__NR_geteuid32), | ||
41 | +#endif | ||
42 | #ifdef __NR_getrandom | ||
43 | SC_ALLOW(__NR_getrandom), | ||
44 | #endif | ||
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch new file mode 100644 index 000000000..7b5ed1098 --- /dev/null +++ b/debian/patches/seccomp-s390-flock-ipc.patch | |||
@@ -0,0 +1,47 @@ | |||
1 | From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001 | ||
2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
3 | Date: Tue, 9 May 2017 10:53:04 -0300 | ||
4 | Subject: Allow flock and ipc syscall for s390 architecture | ||
5 | |||
6 | In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock | ||
7 | and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 | ||
8 | implementation) which calls the libraries that will communicate with the | ||
9 | crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, | ||
10 | this is only need on s390 architecture. | ||
11 | |||
12 | Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
13 | |||
14 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
15 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
16 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 | ||
17 | Last-Update: 2017-08-28 | ||
18 | |||
19 | Patch-Name: seccomp-s390-flock-ipc.patch | ||
20 | --- | ||
21 | sandbox-seccomp-filter.c | 6 ++++++ | ||
22 | 1 file changed, 6 insertions(+) | ||
23 | |||
24 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
25 | index 2831e9d1..997b66ff 100644 | ||
26 | --- a/sandbox-seccomp-filter.c | ||
27 | +++ b/sandbox-seccomp-filter.c | ||
28 | @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { | ||
29 | #ifdef __NR_exit_group | ||
30 | SC_ALLOW(__NR_exit_group), | ||
31 | #endif | ||
32 | +#if defined(__NR_flock) && defined(__s390__) | ||
33 | + SC_ALLOW(__NR_flock), | ||
34 | +#endif | ||
35 | #ifdef __NR_getpgid | ||
36 | SC_ALLOW(__NR_getpgid), | ||
37 | #endif | ||
38 | @@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { | ||
39 | #ifdef __NR_gettimeofday | ||
40 | SC_ALLOW(__NR_gettimeofday), | ||
41 | #endif | ||
42 | +#if defined(__NR_ipc) && defined(__s390__) | ||
43 | + SC_ALLOW(__NR_ipc), | ||
44 | +#endif | ||
45 | #ifdef __NR_madvise | ||
46 | SC_ALLOW(__NR_madvise), | ||
47 | #endif | ||
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch new file mode 100644 index 000000000..83997695e --- /dev/null +++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001 | ||
2 | From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
3 | Date: Tue, 9 May 2017 13:33:30 -0300 | ||
4 | Subject: Enable specific ioctl call for EP11 crypto card (s390) | ||
5 | |||
6 | The EP11 crypto card needs to make an ioctl call, which receives an | ||
7 | specific argument. This crypto card is for s390 only. | ||
8 | |||
9 | Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com> | ||
10 | |||
11 | Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
12 | Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 | ||
13 | Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 | ||
14 | Last-Update: 2017-08-28 | ||
15 | |||
16 | Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch | ||
17 | --- | ||
18 | sandbox-seccomp-filter.c | 2 ++ | ||
19 | 1 file changed, 2 insertions(+) | ||
20 | |||
21 | diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c | ||
22 | index 4cbaaa2e..3833424b 100644 | ||
23 | --- a/sandbox-seccomp-filter.c | ||
24 | +++ b/sandbox-seccomp-filter.c | ||
25 | @@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = { | ||
26 | SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), | ||
27 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), | ||
28 | SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), | ||
29 | + /* Allow ioctls for EP11 crypto card on s390 */ | ||
30 | + SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB), | ||
31 | #endif | ||
32 | #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) | ||
33 | /* | ||
diff --git a/debian/patches/series b/debian/patches/series index a46f3a408..c9d79be6a 100644 --- a/debian/patches/series +++ b/debian/patches/series | |||
@@ -28,3 +28,6 @@ restore-authorized_keys2.patch | |||
28 | s390-missing-header.patch | 28 | s390-missing-header.patch |
29 | x32-syntax-error.patch | 29 | x32-syntax-error.patch |
30 | fix-incoming-compression-statistics.patch | 30 | fix-incoming-compression-statistics.patch |
31 | seccomp-s390-flock-ipc.patch | ||
32 | seccomp-getuid-geteuid.patch | ||
33 | seccomp-s390-ioctl-ep11-crypto.patch | ||