File openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls.patch of Package openssh.29886

From 881d6d4bb90dbe648d88d89426886686867570f1 Mon Sep 17 00:00:00 2001
From: Old openssh patches <pcerny@suse.com>
Date: Wed, 26 Oct 2022 09:57:47 +0200
Subject: [PATCH] openssh-7.2p2-s390_OpenSSL-ibmpkcs11_syscalls

# HG changeset patch
# Parent  998cbbaa1896b86db1e1bef17a2cac5cf4e1ca49
Date: Tue, 9 May 2017 14:27:34 -0300

[PATCH 0/3] Allow syscalls for openssl engines
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
To: openssh-unix-dev@mindrot.org
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only needed on s390 architecture.

The EP11 crypto card also needs to make an ioctl call, which receives a
specific argument.

Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

related to bsc#1016709
---
 sandbox-seccomp-filter.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 5e9f2f8b..ddbcac2d 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -155,6 +155,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(flock),
+#endif
 #ifdef __NR_getpgid
 	SC_ALLOW(getpgid),
 #endif
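Review bot: The new SC_ALLOW(flock) entry has no comment saying why the pre-auth sandbox needs it, unlike the EP11 ioctl entry later in this patch. The guard is `defined(__NR_flock) && defined(__s390__)`, so every s390 build gets the allowance whether or not the OpenSSL-ibmpkcs11 engine is configured. Please add a one-line comment naming OpenCryptoki as the caller, so the entry can be audited and dropped if the engine stops needing it.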
@@ -185,6 +188,9 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW(getuid32),
 #endif
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(ipc),
+#endif
 #ifdef __NR_madvise
 	SC_ALLOW(madvise),
 #endif
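Review bot: SC_ALLOW(ipc) is broader than the commit message justifies. On s390, ipc is the multiplexed System V IPC entry point, and its first argument selects the operation (semaphore, message queue and shared memory calls all go through it), so an unconditional allow opens all of them to the pre-auth process. The file already has SC_ALLOW_ARG, used for ioctl in the same filter; consider listing the specific operations OpenCryptoki needs with SC_ALLOW_ARG(ipc, 0, ...) and state those operations in the commit message. A comment explaining the entry is also missing here.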
@@ -238,6 +244,8 @@ static const struct sock_filter preauth_insns[] = {
 	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
 	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
 	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+	/* Allow ioctls for EP11 crypto card on s390 */
+	SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),
 #endif
 #endif
 
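Review bot: The added `SC_ALLOW_ARG(ioctl, 1, ZSENDEP11CPRB),` line depends on ZSENDEP11CPRB being defined by whatever header supplies the neighbouring ICARSAMODEXPO and ICARSACRT constants, and the conditions of the two enclosing #if blocks are not visible in this hunk. If they do not guarantee the definition, a build against headers that lack the EP11 request code will fail; wrapping the new line in `#ifdef ZSENDEP11CPRB` would avoid that. The match is on the request number only, which is consistent with the existing entries.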
-- 
2.38.0
