8 files changed, 146 insertions, 17 deletions
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 011e71d0a..c3f3645c9 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
 # see git-dpm(1) from git-dpm package
-cda04ac1f5c69710187e602043758063479c3c65
+375f99251da3754666750fe1ed63575ba909f397
-cda04ac1f5c69710187e602043758063479c3c65
+375f99251da3754666750fe1ed63575ba909f397
 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
 6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
 openssh_7.5p1.orig.tar.gz
diff --git a/debian/changelog b/debian/changelog
index ab93af357..6cae8eb74 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:7.5p1-8) UNRELEASED; urgency=medium
  * Drop openssh-client-ssh1, now built by a separate source package.
  * Run haveged during autopkgtests to ensure that they have enough entropy
    for key generation (LP: #1712921).
+  * Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to
+    allow some extra syscalls for crypto cards on s390x (LP: #1686618).
 -- Colin Watson <cjwatson@debian.org>  Sun, 27 Aug 2017 23:24:58 +0100
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 6b5653ca7..fb3855f9a 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -18,7 +18,7 @@ diff --git a/auth-options.c b/auth-options.c
 index 57b49f7f..7eb87b35 100644
 --- a/auth-options.c
 +++ b/auth-options.c
-@@ -59,9 +59,20 @@ int forced_tun_device = -1;
+@@ -59,8 +59,19 @@ int forced_tun_device = -1;
 /* "principals=" option. */
 char *authorized_principals = NULL;
 
@@ -28,17 +28,16 @@ index 57b49f7f..7eb87b35 100644
 +
 extern ServerOptions options;
 
- void
+void
 +auth_start_parse_options(void)
 +{
 +       logged_from_hostip = 0;
 +       logged_cert_hostip = 0;
 +}
 +
-+void
+ void
 auth_clear_options(void)
 {
-        no_agent_forwarding_flag = 0;
 @@ -316,10 +327,13 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                                /* FALLTHROUGH */
                        case 0:
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index c74926dc6..deddbcb80 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -266,10 +266,11 @@ index 6ee6116d..c6390687 100644
                        return 1;
                break;
        case PERMIT_FORCED_ONLY:
-@@ -795,99 +796,6 @@ fakepw(void)
+@@ -794,99 +795,6 @@ fakepw(void)
+        return (&fake);
 }
 
- /*
+-/*
 - * Returns the remote DNS hostname as a string. The returned string must not
 - * be freed. NB. this will usually trigger a DNS query the first time it is
 - * called.
@@ -362,10 +363,9 @@ index 6ee6116d..c6390687 100644
 -       return strdup(name);
 -}
 -
-/*
+ /*
  * Return the canonical name of the host in the other side of the current
  * connection.  The host name is cached, so it is efficient to call this
-  * several times.
 diff --git a/auth2-gss.c b/auth2-gss.c
 index 1ca83577..3b5036df 100644
 --- a/auth2-gss.c
@@ -875,10 +875,11 @@ index 62559ed9..0b3ae073 100644
            GSS_C_MUTUAL_FLAG | GSS_C_INTEG_FLAG | deleg_flag,
            0, NULL, recv_tok, NULL, send_tok, flags, NULL);
 
-@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+@@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt *ctx, const char *host)
+        return (ctx->major);
 }
 
- OM_uint32
+OM_uint32
 +ssh_gssapi_client_identity(Gssctxt *ctx, const char *name)
 +{
 +       gss_buffer_desc gssbuf;
@@ -909,7 +910,7 @@ index 62559ed9..0b3ae073 100644
 +       return(ctx->major);
 +}
 +
-+OM_uint32
+ OM_uint32
 ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
 {
 +       if (ctx == NULL) 
@@ -1199,10 +1200,11 @@ index 53993d67..2e27cbf9 100644
 
 #ifdef KRB5
 extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+@@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+        return (ssh_gssapi_acquire_cred(*ctx));
 }
 
- /* Unprivileged */
+/* Unprivileged */
 +char *
 +ssh_gssapi_server_mechanisms(void) {
 +       if (supported_oids == NULL)
@@ -1224,10 +1226,9 @@ index 53993d67..2e27cbf9 100644
 +       return (res);
 +}
 +
-+/* Unprivileged */
+ /* Unprivileged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
- {
 @@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
        gss_OID_set supported;
 
diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch
new file mode 100644
index 000000000..c829abaa9
--- /dev/null
+++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -0,0 +1,44 @@
+From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Date: Tue, 9 May 2017 13:31:05 -0300
+Subject: Allow getuid and geteuid calls
+getuid and geteuid are needed when using an openssl engine that calls a
+crypto card, e.g. ICA (libica).
+Those syscalls are also needed by the distros for audit code.
+Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
+Last-Update: 2017-08-28
+Patch-Name: seccomp-getuid-geteuid.patch
+---
+ sandbox-seccomp-filter.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 997b66ff..4cbaaa2e 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_getpid
+        SC_ALLOW(__NR_getpid),
+ #endif
+#ifdef __NR_getuid
+       SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+       SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+       SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+       SC_ALLOW(__NR_geteuid32),
+#endif
+ #ifdef __NR_getrandom
+        SC_ALLOW(__NR_getrandom),
+ #endif
diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch
new file mode 100644
index 000000000..7b5ed1098
--- /dev/null
+++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -0,0 +1,47 @@
+From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Date: Tue, 9 May 2017 10:53:04 -0300
+Subject: Allow flock and ipc syscall for s390 architecture
+In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
+and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
+implementation) which calls the libraries that will communicate with the
+crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
+this is only need on s390 architecture.
+Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
+Last-Update: 2017-08-28
+Patch-Name: seccomp-s390-flock-ipc.patch
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 2831e9d1..997b66ff 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_exit_group
+        SC_ALLOW(__NR_exit_group),
+ #endif
+#if defined(__NR_flock) && defined(__s390__)
+       SC_ALLOW(__NR_flock),
+#endif
+ #ifdef __NR_getpgid
+        SC_ALLOW(__NR_getpgid),
+ #endif
+@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_gettimeofday
+        SC_ALLOW(__NR_gettimeofday),
+ #endif
+#if defined(__NR_ipc) && defined(__s390__)
+       SC_ALLOW(__NR_ipc),
+#endif
+ #ifdef __NR_madvise
+        SC_ALLOW(__NR_madvise),
+ #endif
diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
new file mode 100644
index 000000000..83997695e
--- /dev/null
+++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -0,0 +1,33 @@
+From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001
+From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Date: Tue, 9 May 2017 13:33:30 -0300
+Subject: Enable specific ioctl call for EP11 crypto card (s390)
+The EP11 crypto card needs to make an ioctl call, which receives an
+specific argument. This crypto card is for s390 only.
+Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
+Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
+Last-Update: 2017-08-28
+Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
+---
+ sandbox-seccomp-filter.c | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 4cbaaa2e..3833424b 100644
+--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
+@@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = {
+        SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
+        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
+        SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+       /* Allow ioctls for EP11 crypto card on s390 */
+       SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
+ #endif
+ #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
+        /*
diff --git a/debian/patches/series b/debian/patches/series
index a46f3a408..c9d79be6a 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -28,3 +28,6 @@ restore-authorized_keys2.patch
 s390-missing-header.patch
 x32-syntax-error.patch
 fix-incoming-compression-statistics.patch
+seccomp-s390-flock-ipc.patch
+seccomp-getuid-geteuid.patch
+seccomp-s390-ioctl-ep11-crypto.patch

diff --git a/debian/.git-dpm b/debian/.git-dpm index 011e71d0a..c3f3645c9 100644 --- a/debian/.git-dpm +++ b/debian/.git-dpm
@@ -1,6 +1,6 @@
1	# see git-dpm(1) from git-dpm package	1	# see git-dpm(1) from git-dpm package
2	cda04ac1f5c69710187e602043758063479c3c65	2	375f99251da3754666750fe1ed63575ba909f397
3	cda04ac1f5c69710187e602043758063479c3c65	3	375f99251da3754666750fe1ed63575ba909f397
4	6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874	4	6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
5	6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874	5	6fabaf6fd9b07cc8bc6a17c9c4a5b76849cfc874
6	openssh_7.5p1.orig.tar.gz	6	openssh_7.5p1.orig.tar.gz


diff --git a/debian/changelog b/debian/changelog index ab93af357..6cae8eb74 100644 --- a/debian/changelog +++ b/debian/changelog
@@ -3,6 +3,8 @@ openssh (1:7.5p1-8) UNRELEASED; urgency=medium
3	* Drop openssh-client-ssh1, now built by a separate source package.	3	* Drop openssh-client-ssh1, now built by a separate source package.
4	* Run haveged during autopkgtests to ensure that they have enough entropy	4	* Run haveged during autopkgtests to ensure that they have enough entropy
5	for key generation (LP: #1712921).	5	for key generation (LP: #1712921).
		6	* Apply patches from https://bugzilla.mindrot.org/show_bug.cgi?id=2752 to
		7	allow some extra syscalls for crypto cards on s390x (LP: #1686618).
6		8
7	-- Colin Watson <cjwatson@debian.org> Sun, 27 Aug 2017 23:24:58 +0100	9	-- Colin Watson <cjwatson@debian.org> Sun, 27 Aug 2017 23:24:58 +0100
8		10


diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch index 6b5653ca7..fb3855f9a 100644 --- a/debian/patches/auth-log-verbosity.patch +++ b/debian/patches/auth-log-verbosity.patch
@@ -18,7 +18,7 @@ diff --git a/auth-options.c b/auth-options.c
18	index 57b49f7f..7eb87b35 100644	18	index 57b49f7f..7eb87b35 100644
19	--- a/auth-options.c	19	--- a/auth-options.c
20	+++ b/auth-options.c	20	+++ b/auth-options.c
21	@@ -59,9 +59,20 @@ int forced_tun_device = -1;	21	@@ -59,8 +59,19 @@ int forced_tun_device = -1;
22	/* "principals=" option. */	22	/* "principals=" option. */
23	char *authorized_principals = NULL;	23	char *authorized_principals = NULL;
24		24
@@ -28,17 +28,16 @@ index 57b49f7f..7eb87b35 100644
28	+	28	+
29	extern ServerOptions options;	29	extern ServerOptions options;
30		30
31	void	31	+void
32	+auth_start_parse_options(void)	32	+auth_start_parse_options(void)
33	+{	33	+{
34	+ logged_from_hostip = 0;	34	+ logged_from_hostip = 0;
35	+ logged_cert_hostip = 0;	35	+ logged_cert_hostip = 0;
36	+}	36	+}
37	+	37	+
38	+void	38	void
39	auth_clear_options(void)	39	auth_clear_options(void)
40	{	40	{
41	no_agent_forwarding_flag = 0;
42	@@ -316,10 +327,13 @@ auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum)	41	@@ -316,10 +327,13 @@ auth_parse_options(struct passwd pw, char opts, char *file, u_long linenum)
43	/* FALLTHROUGH */	42	/* FALLTHROUGH */
44	case 0:	43	case 0:


diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch index c74926dc6..deddbcb80 100644 --- a/debian/patches/gssapi.patch +++ b/debian/patches/gssapi.patch
@@ -266,10 +266,11 @@ index 6ee6116d..c6390687 100644
266	return 1;	266	return 1;
267	break;	267	break;
268	case PERMIT_FORCED_ONLY:	268	case PERMIT_FORCED_ONLY:
269	@@ -795,99 +796,6 @@ fakepw(void)	269	@@ -794,99 +795,6 @@ fakepw(void)
		270	return (&fake);
270	}	271	}
271		272
272	/*	273	-/*
273	- * Returns the remote DNS hostname as a string. The returned string must not	274	- * Returns the remote DNS hostname as a string. The returned string must not
274	- * be freed. NB. this will usually trigger a DNS query the first time it is	275	- * be freed. NB. this will usually trigger a DNS query the first time it is
275	- * called.	276	- * called.
@@ -362,10 +363,9 @@ index 6ee6116d..c6390687 100644
362	- return strdup(name);	363	- return strdup(name);
363	-}	364	-}
364	-	365	-
365	-/*	366	/*
366	* Return the canonical name of the host in the other side of the current	367	* Return the canonical name of the host in the other side of the current
367	* connection. The host name is cached, so it is efficient to call this	368	* connection. The host name is cached, so it is efficient to call this
368	* several times.
369	diff --git a/auth2-gss.c b/auth2-gss.c	369	diff --git a/auth2-gss.c b/auth2-gss.c
370	index 1ca83577..3b5036df 100644	370	index 1ca83577..3b5036df 100644
371	--- a/auth2-gss.c	371	--- a/auth2-gss.c
@@ -875,10 +875,11 @@ index 62559ed9..0b3ae073 100644
875	GSS_C_MUTUAL_FLAG \| GSS_C_INTEG_FLAG \| deleg_flag,	875	GSS_C_MUTUAL_FLAG \| GSS_C_INTEG_FLAG \| deleg_flag,
876	0, NULL, recv_tok, NULL, send_tok, flags, NULL);	876	0, NULL, recv_tok, NULL, send_tok, flags, NULL);
877		877
878	@@ -228,8 +383,42 @@ ssh_gssapi_import_name(Gssctxt ctx, const char host)	878	@@ -227,9 +382,43 @@ ssh_gssapi_import_name(Gssctxt ctx, const char host)
		879	return (ctx->major);
879	}	880	}
880		881
881	OM_uint32	882	+OM_uint32
882	+ssh_gssapi_client_identity(Gssctxt ctx, const char name)	883	+ssh_gssapi_client_identity(Gssctxt ctx, const char name)
883	+{	884	+{
884	+ gss_buffer_desc gssbuf;	885	+ gss_buffer_desc gssbuf;
@@ -909,7 +910,7 @@ index 62559ed9..0b3ae073 100644
909	+ return(ctx->major);	910	+ return(ctx->major);
910	+}	911	+}
911	+	912	+
912	+OM_uint32	913	OM_uint32
913	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)	914	ssh_gssapi_sign(Gssctxt *ctx, gss_buffer_t buffer, gss_buffer_t hash)
914	{	915	{
915	+ if (ctx == NULL)	916	+ if (ctx == NULL)
@@ -1199,10 +1200,11 @@ index 53993d67..2e27cbf9 100644
1199		1200
1200	#ifdef KRB5	1201	#ifdef KRB5
1201	extern ssh_gssapi_mech gssapi_kerberos_mech;	1202	extern ssh_gssapi_mech gssapi_kerberos_mech;
1202	@@ -142,6 +147,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)	1203	@@ -141,6 +146,28 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
		1204	return (ssh_gssapi_acquire_cred(*ctx));
1203	}	1205	}
1204		1206
1205	/* Unprivileged */	1207	+/* Unprivileged */
1206	+char *	1208	+char *
1207	+ssh_gssapi_server_mechanisms(void) {	1209	+ssh_gssapi_server_mechanisms(void) {
1208	+ if (supported_oids == NULL)	1210	+ if (supported_oids == NULL)
@@ -1224,10 +1226,9 @@ index 53993d67..2e27cbf9 100644
1224	+ return (res);	1226	+ return (res);
1225	+}	1227	+}
1226	+	1228	+
1227	+/* Unprivileged */	1229	/* Unprivileged */
1228	void	1230	void
1229	ssh_gssapi_supported_oids(gss_OID_set *oidset)	1231	ssh_gssapi_supported_oids(gss_OID_set *oidset)
1230	{
1231	@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)	1232	@@ -151,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
1232	gss_OID_set supported;	1233	gss_OID_set supported;
1233		1234


diff --git a/debian/patches/seccomp-getuid-geteuid.patch b/debian/patches/seccomp-getuid-geteuid.patch new file mode 100644 index 000000000..c829abaa9 --- /dev/null +++ b/debian/patches/seccomp-getuid-geteuid.patch
@@ -0,0 +1,44 @@
		1	From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001
		2	From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
		3	Date: Tue, 9 May 2017 13:31:05 -0300
		4	Subject: Allow getuid and geteuid calls
		5
		6	getuid and geteuid are needed when using an openssl engine that calls a
		7	crypto card, e.g. ICA (libica).
		8	Those syscalls are also needed by the distros for audit code.
		9
		10	Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
		11
		12	Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
		13	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
		14	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
		15	Last-Update: 2017-08-28
		16
		17	Patch-Name: seccomp-getuid-geteuid.patch
		18	---
		19	sandbox-seccomp-filter.c \| 12 ++++++++++++
		20	1 file changed, 12 insertions(+)
		21
		22	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		23	index 997b66ff..4cbaaa2e 100644
		24	--- a/sandbox-seccomp-filter.c
		25	+++ b/sandbox-seccomp-filter.c
		26	@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
		27	#ifdef __NR_getpid
		28	SC_ALLOW(__NR_getpid),
		29	#endif
		30	+#ifdef __NR_getuid
		31	+ SC_ALLOW(__NR_getuid),
		32	+#endif
		33	+#ifdef __NR_getuid32
		34	+ SC_ALLOW(__NR_getuid32),
		35	+#endif
		36	+#ifdef __NR_geteuid
		37	+ SC_ALLOW(__NR_geteuid),
		38	+#endif
		39	+#ifdef __NR_geteuid32
		40	+ SC_ALLOW(__NR_geteuid32),
		41	+#endif
		42	#ifdef __NR_getrandom
		43	SC_ALLOW(__NR_getrandom),
		44	#endif


diff --git a/debian/patches/seccomp-s390-flock-ipc.patch b/debian/patches/seccomp-s390-flock-ipc.patch new file mode 100644 index 000000000..7b5ed1098 --- /dev/null +++ b/debian/patches/seccomp-s390-flock-ipc.patch
@@ -0,0 +1,47 @@
		1	From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001
		2	From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
		3	Date: Tue, 9 May 2017 10:53:04 -0300
		4	Subject: Allow flock and ipc syscall for s390 architecture
		5
		6	In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
		7	and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
		8	implementation) which calls the libraries that will communicate with the
		9	crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
		10	this is only need on s390 architecture.
		11
		12	Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
		13
		14	Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
		15	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
		16	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
		17	Last-Update: 2017-08-28
		18
		19	Patch-Name: seccomp-s390-flock-ipc.patch
		20	---
		21	sandbox-seccomp-filter.c \| 6 ++++++
		22	1 file changed, 6 insertions(+)
		23
		24	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		25	index 2831e9d1..997b66ff 100644
		26	--- a/sandbox-seccomp-filter.c
		27	+++ b/sandbox-seccomp-filter.c
		28	@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
		29	#ifdef __NR_exit_group
		30	SC_ALLOW(__NR_exit_group),
		31	#endif
		32	+#if defined(__NR_flock) && defined(__s390__)
		33	+ SC_ALLOW(__NR_flock),
		34	+#endif
		35	#ifdef __NR_getpgid
		36	SC_ALLOW(__NR_getpgid),
		37	#endif
		38	@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
		39	#ifdef __NR_gettimeofday
		40	SC_ALLOW(__NR_gettimeofday),
		41	#endif
		42	+#if defined(__NR_ipc) && defined(__s390__)
		43	+ SC_ALLOW(__NR_ipc),
		44	+#endif
		45	#ifdef __NR_madvise
		46	SC_ALLOW(__NR_madvise),
		47	#endif


diff --git a/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch new file mode 100644 index 000000000..83997695e --- /dev/null +++ b/debian/patches/seccomp-s390-ioctl-ep11-crypto.patch
@@ -0,0 +1,33 @@
		1	From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001
		2	From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
		3	Date: Tue, 9 May 2017 13:33:30 -0300
		4	Subject: Enable specific ioctl call for EP11 crypto card (s390)
		5
		6	The EP11 crypto card needs to make an ioctl call, which receives an
		7	specific argument. This crypto card is for s390 only.
		8
		9	Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
		10
		11	Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752
		12	Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752
		13	Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618
		14	Last-Update: 2017-08-28
		15
		16	Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch
		17	---
		18	sandbox-seccomp-filter.c \| 2 ++
		19	1 file changed, 2 insertions(+)
		20
		21	diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
		22	index 4cbaaa2e..3833424b 100644
		23	--- a/sandbox-seccomp-filter.c
		24	+++ b/sandbox-seccomp-filter.c
		25	@@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = {
		26	SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
		27	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
		28	SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
		29	+ /* Allow ioctls for EP11 crypto card on s390 */
		30	+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
		31	#endif
		32	#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
		33	/*


diff --git a/debian/patches/series b/debian/patches/series index a46f3a408..c9d79be6a 100644 --- a/debian/patches/series +++ b/debian/patches/series
@@ -28,3 +28,6 @@ restore-authorized_keys2.patch
28	s390-missing-header.patch	28	s390-missing-header.patch
29	x32-syntax-error.patch	29	x32-syntax-error.patch
30	fix-incoming-compression-statistics.patch	30	fix-incoming-compression-statistics.patch
		31	seccomp-s390-flock-ipc.patch
		32	seccomp-getuid-geteuid.patch
		33	seccomp-s390-ioctl-ep11-crypto.patch