File openssh-7.2p2-allow-s390-specific-ioctl-for-ecc-hardware-support.patch of Package openssh.37539
From 9a03609f71888f4db749010009ab67d6684ee167 Mon Sep 17 00:00:00 2001
From: GONG Jie <jgong@suse.com>
Date: Thu, 30 May 2024 11:56:40 +0800
Subject: [PATCH] allow s390 specific ioctl for ecc hardware support
Adding another s390 specific ioctl to be able to support ECC hardware
acceleration to the sandbox seccomp filter rules.

Now the ibmca openssl engine provides elliptic curve cryptography
support with the help of libica and CCA crypto cards. This is done via
yet another ioctl call to the zcrypt device driver and so there is a
need to enable this on the openssl sandbox.

Code is s390 specific and has been tested, verified and reviewed.

Please note that I am also the originator of the previous changes in
that area. I posted these changes to Eduardo and he forwarded the
patches to the openssl community.

Backport from b3a77b25e5f7880222b179431a74fad76d2cf60c
---
sandbox-seccomp-filter.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index cf03889..3fc83a4 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -235,6 +235,7 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+ SC_ALLOW_ARG(ioctl, 1, ZSECSENDCPRB),
/* Allow ioctls for EP11 crypto card on s390 */
SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
#endif
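Review bot: The new SC_ALLOW_ARG(ioctl, 1, ZSECSENDCPRB) line in preauth_insns has no comment of its own, unlike the ZSENDEP11CPRB entry right below it, which is introduced by "Allow ioctls for EP11 crypto card on s390". Since this widens what the pre-authentication sandbox may call, add a one-line comment above it saying it is for CCA crypto card ECC support via the ibmca engine, so a later audit of the allow list can tell why it is there. The rule matches only on argument 1, the ioctl request number, and not on the file descriptor, so the commit message should also state which device the request is expected to reach (it names the zcrypt driver but the filter does not enforce that). Finally, the opening of the conditional that the visible #endif closes is outside this hunk; please confirm ZSECSENDCPRB is defined by the same header that provides ICARSAMODEXPO and ICARSACRT on the backport target, otherwise the 7.2p2 build will fail on s390.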