authorColin Watson <cjwatson@debian.org>2017-08-28 12:14:23 +0100
committerColin Watson <cjwatson@debian.org>2017-08-28 12:15:42 +0100
commit305960d0d6d1d9bc0edc3393383fd5f60e69dec4 (patch)
treec7d5abc0f998a53446e0a15524c08bfb93f9627b /debian/patches
parente1c5c61f519b8ef0c210c7949789cfb33ad0cf13 (diff)
parent375f99251da3754666750fe1ed63575ba909f397 (diff)
Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to allow some extra syscalls for crypto cards on s390x (LP: #1686618).
Diffstat (limited to 'debian/patches')
-rw-r--r--debian/patches/auth-log-verbosity.patch7
-rw-r--r--debian/patches/gssapi.patch23
-rw-r--r--debian/patches/seccomp-getuid-geteuid.patch44
-rw-r--r--debian/patches/seccomp-s390-flock-ipc.patch47
-rw-r--r--debian/patches/seccomp-s390-ioctl-ep11-crypto.patch33
-rw-r--r--debian/patches/series3
6 files changed, 142 insertions, 15 deletions
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 6b5653ca7..fb3855f9a 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -18,7 +18,7 @@ diff --git a/auth-options.c b/auth-options.c
18index 57b49f7f..7eb87b35 100644 18index 57b49f7f..7eb87b35 100644
19--- a/auth-options.c 19--- a/auth-options.c
20+++ b/auth-options.c 20+++ b/auth-options.c
21@@ -59,9 +59,20 @@ int forced_tun_device = -1; 21@@ -59,8 +59,19 @@ int forced_tun_device = -1;
22 /* "principals=" option. */ 22 /* "principals=" option. */
23 char *authorized_principals = NULL; 23 char *authorized_principals = NULL;
24 24
@@ -28,17 +28,16 @@ index 57b49f7f..7eb87b35 100644
28+ 28+
29 extern ServerOptions options; 29 extern ServerOptions options;
30 30
31 void 31+void
32+auth_start_parse_options(void) 32+auth_start_parse_options(void)
33+{ 33+{
34+ logged_from_hostip = 0; 34+ logged_from_hostip = 0;
35+ logged_cert_hostip = 0; 35+ logged_cert_hostip = 0;
36+} 36+}
37+ 37+
38+void 38 void
39 auth_clear_options(void) 39 auth_clear_options(void)
40 { 40 {
41 no_agent_forwarding_flag = 0;
42@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum) 41@@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
43 /* FALLTHROUGH */ 42 /* FALLTHROUGH */
44 case 0: 43 case 0:
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index c74926dc6..deddbcb80 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -266,10 +266,11 @@ index 6ee6116d..c6390687 100644
266 return 1; 266 return 1;
267 break; 267 break;
268 case PERMIT_FORCED_ONLY: 268 case PERMIT_FORCED_ONLY:
269@@ -795,99 +796,6 @@ fakepw(void) 269@@ -794,99 +795,6 @@ fakepw(void)
270 return (&fake);
270 } 271 }
271 272
272 /* 273-/*
273- * Returns the remote DNS hostname as a string. The returned string must not 274- * Returns the remote DNS hostname as a string. The returned string must not
274- * be freed. NB. this will usually trigger a DNS query the first time it is 275- * be freed. NB. this will usually trigger a DNS query the first time it is
275- * called. 276- * called.
@@ -362,10 +363,9 @@ index 6ee6116d..c6390687 100644
362- return strdup(name); 363- return strdup(name);
363-} 364-}
364- 365-
365-/* 366 /*
366 * Return the canonical name of the host in the other side of the current 367 * Return the canonical name of the host in the other side of the current
367 * connection. The host name is cached, so it is efficient to call this 368 * connection. The host name is cached, so it is efficient to call this
368 * several times.
369diff --git a/auth2-gss.c b/auth2-gss.c 369diff --git a/auth2-gss.c b/auth2-gss.c
370index 1ca83577..3b5036df 100644 370index 1ca83577..3b5036df 100644
371--- a/auth2-gss.c 371--- a/auth2-gss.c
@@ -875,10 +875,11 @@ index 62559ed9..0b3ae073 100644
875 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag, 875 GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
876 0, NULL, recv_tok, NULL, send_tok, flags, NULL); 876 0, NULL, recv_tok, NULL, send_tok, flags, NULL);
877 877
878@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host) 878@@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
879 return (ctx->major);
879 } 880 }
880 881
881 OM_uint32 882+OM_uint32
882+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name) 883+ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
883+{ 884+{
884+ gss_buffer_desc gssbuf; 885+ gss_buffer_desc gssbuf;
@@ -909,7 +910,7 @@ index 62559ed9..0b3ae073 100644
909+ return(ctx->major); 910+ return(ctx->major);
910+} 911+}
911+ 912+
912+OM_uint32 913 OM_uint32
913 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash) 914 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
914 { 915 {
915+ if (ctx == NULL) 916+ if (ctx == NULL)
@@ -1199,10 +1200,11 @@ index 53993d67..2e27cbf9 100644
1199 1200
1200 #ifdef KRB5 1201 #ifdef KRB5
1201 extern ssh_gssapi_mech gssapi_kerberos_mech; 1202 extern ssh_gssapi_mech gssapi_kerberos_mech;
1202@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) 1203@@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
1204 return (ssh_gssapi_acquire_cred(*ctx));
1203 } 1205 }
1204 1206
1205 /* Unprivileged */ 1207+/* Unprivileged */
1206+char * 1208+char *
1207+ssh_gssapi_server_mechanisms(void) { 1209+ssh_gssapi_server_mechanisms(void) {
1208+ if (supported_oids == NULL) 1210+ if (supported_oids == NULL)
@@ -1224,10 +1226,9 @@ index 53993d67..2e27cbf9 100644
1224+ return (res); 1226+ return (res);
1225+} 1227+}
1226+ 1228+
1227+/* Unprivileged */ 1229 /* Unprivileged */
1228 void 1230 void
1229 ssh_gssapi_supported_oids(gss_OID_set *oidset) 1231 ssh_gssapi_supported_oids(gss_OID_set *oidset)
1230 {
1231@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset) 1232@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1232 gss_OID_set supported; 1233 gss_OID_set supported;
1233 1234
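--- /dev/null
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -0,0 +1,44 @@
+From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Date: Tue, 9 May 2017 13:31:05 -0300
+Subject: Allow getuid and geteuid calls
+
+getuid and geteuid are needed when using an openssl engine that calls a
+crypto card, e.g. ICA (libica).
+Those syscalls are also needed by the distros for audit code.
+
+Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+
+Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
+Last-Update: 2017-08-28
+
+Patch-Name: seccomp-getuid-geteuid.patch
+---
+ sandbox-seccomp-filter.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 997b66ff..4cbaaa2e 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_getpid
+ SC_ALLOW(__NR_getpid),
+ #endif
++#ifdef __NR_getuid
++ SC_ALLOW(__NR_getuid),
++#endif
++#ifdef __NR_getuid32
++ SC_ALLOW(__NR_getuid32),
++#endif
++#ifdef __NR_geteuid
++ SC_ALLOW(__NR_geteuid),
++#endif
++#ifdef __NR_geteuid32
++ SC_ALLOW(__NR_geteuid32),
++#endif
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+ #endif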
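Review bot: The four new SC_ALLOW entries are not gated on `__s390__`, so the preauth sandbox allowlist grows on every architecture even though the motivating bug is s390x crypto cards; the patch description says distro audit code also needs them, which justifies the wider scope, but nothing in the filter itself records that. getuid(2) and geteuid(2) take no arguments and only report the calling process's identity, so the added exposure is small and argument filtering does not apply here. The EP11 ioctl entry added in seccomp-s390-ioctl-ep11-crypto.patch carries an explanatory comment; a matching one above the first `#ifdef __NR_getuid` would keep the rationale next to the rule: `/* getuid/geteuid: used by OpenSSL crypto-card engines (libica) and distro audit code */`. The preauth_insns table starts and ends outside the hunk.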
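--- /dev/null
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -0,0 +1,47 @@
+From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Date: Tue, 9 May 2017 10:53:04 -0300
+Subject: Allow flock and ipc syscall for s390 architecture
+
+In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
+and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
+implementation) which calls the libraries that will communicate with the
+crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
+this is only need on s390 architecture.
+
+Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+
+Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
+Last-Update: 2017-08-28
+
+Patch-Name: seccomp-s390-flock-ipc.patch
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2831e9d1..997b66ff 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_exit_group
+ SC_ALLOW(__NR_exit_group),
+ #endif
++#if defined(__NR_flock) && defined(__s390__)
++ SC_ALLOW(__NR_flock),
++#endif
+ #ifdef __NR_getpgid
+ SC_ALLOW(__NR_getpgid),
+ #endif
+@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_gettimeofday
+ SC_ALLOW(__NR_gettimeofday),
+ #endif
++#if defined(__NR_ipc) && defined(__s390__)
++ SC_ALLOW(__NR_ipc),
++#endif
+ #ifdef __NR_madvise
+ SC_ALLOW(__NR_madvise),
+ #endif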
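Review bot: `SC_ALLOW(__NR_ipc)` in the second hunk admits the whole multiplexed System V IPC syscall, whose first argument selects among the semaphore, message-queue and shared-memory operations, with no argument filtering; that is broader than the argument-checked `SC_ALLOW_ARG(__NR_ioctl, 1, ...)` entries this table otherwise uses for the crypto-card path. If the operations OpenCryptoki actually issues are known, one `SC_ALLOW_ARG(__NR_ipc, 0, <IPC call number>)` per operation would narrow the s390 preauth sandbox to just those; the set should be confirmed against OpenCryptoki before narrowing. Both new blocks are gated on `defined(__s390__)`, so builds for other architectures are unaffected. A short comment above each block, e.g. `/* OpenCryptoki (via OpenSSL-ibmpkcs11) needs flock and SysV IPC on s390 */`, would record the reason in the filter itself. The preauth_insns table starts and ends outside both hunks.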
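--- /dev/null
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -0,0 +1,33 @@
+From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Date: Tue, 9 May 2017 13:33:30 -0300
+Subject: Enable specific ioctl call for EP11 crypto card (s390)
+
+The EP11 crypto card needs to make an ioctl call, which receives an
+specific argument. This crypto card is for s390 only.
+
+Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+
+Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
+Last-Update: 2017-08-28
+
+Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
+---
+ sandbox-seccomp-filter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 4cbaaa2e..3833424b 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+@@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = {
+ SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
++ /* Allow ioctls for EP11 crypto card on s390 */
++ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
+ #endif
+ #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+ /*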
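Review bot: `ZSENDEP11CPRB` is used without a guard, so if the build's kernel headers provide the adjacent zcrypt constants but predate EP11 support, the filter would fail to compile rather than simply omit the rule; wrapping the new entry as `#ifdef ZSENDEP11CPRB` / `SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),` / `#endif` avoids that. Using SC_ALLOW_ARG on the request code rather than a blanket ioctl allow is the right shape, consistent with the Z90STAT/ICARSA entries above it, so only this one request reaches the card driver from the preauth process. The comment says "ioctls" but the entry covers a single request; `/* EP11 crypto card on s390: allow the ZSENDEP11CPRB ioctl request */` would be more precise. The enclosing `#if` block starts outside the hunk; only its `#endif` is visible here.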
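--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,6 @@ restore-authorized_keys2.patch
 s390-missing-header.patch
 x32-syntax-error.patch
 fix-incoming-compression-statistics.patch
+seccomp-s390-flock-ipc.patch
+seccomp-getuid-geteuid.patch
+seccomp-s390-ioctl-ep11-crypto.patch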