seccomp filter for ppc64le in FIPS mode

Jakub Jelen jjelen at redhat.com
Mon Apr 24 17:49:52 AEST 2017


Hello all,
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys 
in the privsep child. The socket() syscall is already denied in the seccomp 
filter, but in the ppc64le kernel, it is implemented using the socketcall() 
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and 
therefore fails hard.

See attached patch with proposed patch (deny is intentionally after 
allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable?

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-7.4p1-sandbox-ppc64le.patch
Type: text/x-patch
Size: 461 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170424/5e2171b0/attachment-0001.bin>
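
Added example, not part of the original message, the attached patch or OpenSSH: a small C model of the rule ordering described above, evaluated by a minimal classic-BPF interpreter so it runs without installing a real filter. Assumptions: PPC_NR_SOCKETCALL is hard-coded to 102, the deny returns EACCES, unlisted syscalls reach a kill default, and the names run_filter and socketcall_verdict are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/filter.h>
#include <linux/net.h>          /* SYS_SOCKET, SYS_SHUTDOWN */
#include <linux/seccomp.h>

#define PPC_NR_SOCKETCALL 102   /* assumed __NR_socketcall on powerpc, fixed so this builds anywhere */
#define OFF_NR   offsetof(struct seccomp_data, nr)
#define OFF_ARG0 offsetof(struct seccomp_data, args[0])   /* low word on little-endian */

/* Minimal classic-BPF evaluator covering only the three opcodes used below. */
static uint32_t run_filter(const struct sock_filter *f, size_t n, const void *data)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (f[pc].code) {
        case BPF_LD | BPF_W | BPF_ABS:      /* load a 32-bit field of seccomp_data */
            memcpy(&acc, (const char *)data + f[pc].k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:     /* relative jump on equality */
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf;
            break;
        case BPF_RET | BPF_K:               /* first verdict reached wins */
            return f[pc].k;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict for socketcall(call, ...), with or without the explicit deny rule. */
uint32_t socketcall_verdict(int with_deny, uint32_t call)
{
    /* Assumed: the deny returns EACCES; anything unlisted hits a kill default. */
    uint32_t other = with_deny ? (SECCOMP_RET_ERRNO | EACCES) : SECCOMP_RET_KILL;
    struct sock_filter f[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_NR),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, PPC_NR_SOCKETCALL, 0, 4),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, OFF_ARG0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_SHUTDOWN, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* SYS_SHUTDOWN: allowed first */
        BPF_STMT(BPF_RET | BPF_K, other),              /* any other sub-call */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* not socketcall: default */
    };
    struct seccomp_data d = { .nr = PPC_NR_SOCKETCALL, .args = { call } };
    return run_filter(f, sizeof(f) / sizeof(f[0]), &d);
}

int main(void) { return socketcall_verdict(1, SYS_SOCKET) != (SECCOMP_RET_ERRNO | EACCES); }
```

Because the SYS_SHUTDOWN match returns before the blanket socketcall rule is reached, adding the deny changes only the verdict for the other sub-calls, from the kill default to an errno the caller can handle.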

