In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock |
|
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 |
|
implementation) which calls the libraries that will communicate with the |
|
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, |
|
this is only needed on the s390 architecture. |
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx> |
|
--- |
|
sandbox-seccomp-filter.c | 6 ++++++ |
|
1 file changed, 6 insertions(+) |
|
|
|
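diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_exit_group
 	SC_ALLOW(__NR_exit_group),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_futex
 	SC_ALLOW(__NR_futex),
 #endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_gettimeofday
 	SC_ALLOW(__NR_gettimeofday),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_getuid
 	SC_ALLOW(__NR_getuid),
 #endif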
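Review bot: `__NR_ipc` on s390 is a multiplexed entry point that covers every System V IPC operation (semaphores, shared memory and message queues, selected by its first argument), so the unconditional `SC_ALLOW(__NR_ipc)` in the second hunk admits considerably more than the lock and IPC calls the description says OpenCryptoki needs. If this tree's filter provides the `SC_ALLOW_ARG` helper, the rule could be narrowed to the specific sub-call values the preauth child actually issues; at minimum the reason should be recorded beside the entries, e.g. `/* flock/ipc: needed by OpenCryptoki (OpenSSL-ibmpkcs11 engine) on s390 */`. The same comment belongs next to the `__NR_flock` entry in the first hunk. The `preauth_insns[]` initializer that both hunks modify begins and ends outside the hunks.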
|
-- |
|
1.9.1 |
|
|
|
getuid and geteuid are needed when using an openssl engine that calls a |
|
crypto card, e.g. ICA (libica). |
|
Those syscalls are also needed by the distros for audit code. |
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx> |
|
--- |
|
sandbox-seccomp-filter.c | 12 ++++++++++++ |
|
1 file changed, 12 insertions(+) |
|
|
|
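diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_getpid
 	SC_ALLOW(__NR_getpid),
 #endif
+#ifdef __NR_getuid
+	SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+	SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+	SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+	SC_ALLOW(__NR_geteuid32),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif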
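Review bot: The `SC_ALLOW(__NR_getuid)` added here appears to duplicate an entry the base file already contains: the second hunk of the preceding patch shows `#ifdef __NR_getuid` / `SC_ALLOW(__NR_getuid)` / `#endif` as unchanged context just below `__NR_gettimeofday`. A duplicate rule is harmless at runtime (the first matching rule returns), but it is dead filter code that makes later audits of the allow-list harder; please check whether `__NR_getuid32`, `__NR_geteuid` and `__NR_geteuid32` are likewise already present and drop whichever entries are redundant. A one-line comment beside the remaining entries giving the reason from the description (libica/ICA engine and audit code) would also help. The `preauth_insns[]` initializer begins and ends outside the hunk.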
|
-- 1.9.1 |
|
1.9.1 |
|
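diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox	2017-12-12 13:59:30.563874059 +0100
+++ openssh-7.6p1/sandbox-seccomp-filter.c	2017-12-12 13:59:14.842784083 +0100
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
 #ifdef __NR_geteuid32
 	SC_ALLOW(__NR_geteuid32),
 #endif
+#ifdef __NR_gettid
+	SC_ALLOW(__NR_gettid),
+#endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
 #endif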
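Review bot: This patch carries no description and the added `SC_ALLOW(__NR_gettid)` has no comment, so a reader of the allow-list cannot tell which preauth-child code path needs the thread id or how that was established. Every entry in this sandbox widens what a compromised preauth process may call, so the justification should be recorded beside the rule, e.g. `/* gettid: needed by <component> in the preauth child -- TODO fill in */` (placeholder), or in a patch header. The `preauth_insns[]` initializer begins and ends outside the hunk.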
|
|
|
|