File openssh-7.2p2-s390_hw_crypto_syscalls.patch of Package openssh.29886

From bb6c6c8172d85408e954d682ad725f6c18f4f5a0 Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Wed, 26 Oct 2022 09:57:40 +0200
Subject: [PATCH] openssh-7.2p2-s390_hw_crypto_syscalls

# HG changeset patch
# Parent  48ddb16e62c17bad25e33b0839139124ce10bf15
This patch enables specific ioctl calls for ICA crypto card on s390
platform. Without this patch, users using the IBMCA engine are not able
to perform ssh login as the filter blocks the communication with the
crypto card.

Signed-off-by: Harald Freudenberger <freude@linux.vnet.ibm.com>
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

bsc#1016709

Upstreamed as:
5f1596e11d55539678c41f68aed358628d33d86f
58b8cfa2a062b72139d7229ae8de567f55776f24
---
 sandbox-seccomp-filter.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 0830e4a2..5e9f2f8b 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -59,6 +59,11 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <endian.h>
+
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
 
 #include "log.h"
 #include "ssh-sandbox.h"
@@ -74,6 +79,13 @@
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
 
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(uint32_t)
+#else
+#error "Unknown endianness"
+#endif
 #define SC_DENY(_nr, _errno) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
@@ -82,9 +94,8 @@
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
-	/* load first syscall argument */ \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
+	/* load the syscall argument to check into accumulator */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
 	/* reload syscall number; all rules expect it in accumulator */ \
@@ -221,6 +232,13 @@ static const struct sock_filter preauth_insns[] = {
 #endif
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
+#endif
+#ifdef __NR_ioctl
+#ifdef __s390__
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif
 #endif
 
 	/* Default deny */
-- 
2.38.0