From 057d62d148428cf0411cf37d00feb8741e5a424c Mon Sep 17 00:00:00 2001 From: Eduardo Barretto Date: Tue, 9 May 2017 10:53:04 -0300 Subject: Allow flock and ipc syscall for s390 architecture In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 implementation) which calls the libraries that will communicate with the crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, this is only need on s390 architecture. Signed-off-by: Eduardo Barretto Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-flock-ipc.patch --- sandbox-seccomp-filter.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'sandbox-seccomp-filter.c')
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2831e9d10..997b66ffa 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 SC_ALLOW(__NR_exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_getpgid
 SC_ALLOW(__NR_getpgid),
 #endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_gettimeofday
 SC_ALLOW(__NR_gettimeofday),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_madvise
 SC_ALLOW(__NR_madvise),
 #endif
-- cgit v1.2.3
From b2195f2116754f99fff8ceae026931be3aa3cd3b Mon Sep 17 00:00:00 2001 From: Eduardo Barretto Date: Tue, 9 May 2017 13:31:05 -0300 Subject: Allow getuid and geteuid calls getuid and geteuid are needed when using an openssl engine that calls a crypto card, e.g. ICA (libica). Those syscalls are also needed by the distros for audit code.
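Review bot: In the first hunk of the flock/ipc patch, `SC_ALLOW(__NR_flock),` is added to the pre-auth allowlist with no comment recording why, and the same is true of the `__NR_ipc` entry in the second hunk. I would put `/* s390: OpenCryptoki (OpenSSL-ibmpkcs11 engine) needs flock() */` above the rule so the exception can be re-audited or dropped later. The gate is compile-time only (`defined(__s390__)`), so the rule is active on every s390 build whether or not the engine is configured at runtime. The `preauth_insns[]` initializer starts and ends outside the hunk.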
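Review bot: In the second hunk of the flock/ipc patch, `SC_ALLOW(__NR_ipc)` admits the whole multiplexed System V IPC entry point, where semaphore, message-queue and shared-memory operations are all selected by the first argument, so the s390 pre-auth sandbox gains every one of them rather than only those OpenCryptoki issues. The table already uses `SC_ALLOW_ARG` for argument-matched rules, so I would replace the blanket rule with one `SC_ALLOW_ARG(__NR_ipc, 0, <call>)` line per operation that is actually required. Which operations those are is not visible here, and the call value may carry version bits, so the exact constants should be confirmed from a trace before narrowing. `preauth_insns[]` continues outside the hunk.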
Signed-off-by: Eduardo Barretto Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-getuid-geteuid.patch --- sandbox-seccomp-filter.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'sandbox-seccomp-filter.c')
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 997b66ffa..4cbaaa2e6 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getpid
 SC_ALLOW(__NR_getpid),
 #endif
+#ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+#endif
 #ifdef __NR_getrandom
 SC_ALLOW(__NR_getrandom),
 #endif
-- cgit v1.2.3
From 375f99251da3754666750fe1ed63575ba909f397 Mon Sep 17 00:00:00 2001 From: Eduardo Barretto Date: Tue, 9 May 2017 13:33:30 -0300 Subject: Enable specific ioctl call for EP11 crypto card (s390) The EP11 crypto card needs to make an ioctl call, which receives an specific argument. This crypto card is for s390 only. Signed-off-by: Eduardo Barretto Origin: other, https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2752 Bug-Ubuntu: https://bugs.launchpad.net/bugs/1686618 Last-Update: 2017-08-28 Patch-Name: seccomp-s390-ioctl-ep11-crypto.patch --- sandbox-seccomp-filter.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'sandbox-seccomp-filter.c')
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 4cbaaa2e6..3833424bf 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
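Review bot: In the getuid/geteuid hunk, the four new entries sit between `__NR_getpid` and `__NR_getrandom`, which breaks the alphabetical order the surrounding entries of `preauth_insns[]` appear to follow and makes the allowlist harder to audit by eye. I would move the `geteuid`/`geteuid32` pair ahead of `getpgid` and the `getuid`/`getuid32` pair after `gettimeofday`. Unlike the s390-only entries in this series, these rules apply on every architecture, so a one-line comment such as `/* getuid/geteuid: OpenSSL engines (e.g. libica) and distro audit code */` would record why they belong in the pre-auth set. The initializer starts and ends outside the hunk.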
@@ -249,6 +249,8 @@ static const struct sock_filter preauth_insns[] = {
 SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
 SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
 #endif
 #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
 /*
-- cgit v1.2.3
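Review bot: In the EP11 ioctl hunk, `ZSENDEP11CPRB` is used without checking that the build host's kernel headers define it, so an s390 build against older headers would presumably fail to compile instead of just omitting the rule. Wrapping the new entry as `#ifdef ZSENDEP11CPRB`, `SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),`, `#endif` would keep the other s390 ioctl rules buildable there. As written the rule matches only the request argument, so, like its neighbours, it permits this request on any descriptor the pre-auth process holds. The enclosing `#if` block opens above the hunk.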