[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
Damien Miller
djm at mindrot.org
Tue Mar 14 12:49:48 AEDT 2017
On Fri, 3 Mar 2017, Eduardo Barretto wrote:
> Just adding some more information on Petr's answer (Thanks Petr for
> stepping in!):
>
> The ioctls for the s390 crypto card support are documented. The crypto
> device driver is part of the Linux kernel and thus open source. It can be
> found in the kernel in drivers/s390/crypto. The ioctl stuff required to
> interact with the crypto device driver is as usual provided in the
> kernel header file arch/s390/include/uapi/asm/zcrypt.h
> In particular the defines for the ioctl magics intended to not
> get filtered can be found there.

ok, with the fixes for the seccomp-bpf sandbox that I just committed
the diff reduces to.

IMO this is scoped narrowly enough to go in.

-d

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index af5525ab..6ceee33f 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
+#if defined(__NR_ioctl) && defined(__s390__)
+ /* Allow ioctls for ICA crypto card on s390 */
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
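
Review bot: the three SC_ALLOW_ARG(ioctl, 1, ...) rules match only on the request value in argument 1, so the file descriptor in argument 0 is not constrained and these requests are allowed on any descriptor the pre-auth process holds. The comment "/* Allow ioctls for ICA crypto card on s390 */" should say so. It would also help to name the header that defines Z90STAT_STATUS_MASK, ICARSAMODEXPO and ICARSACRT (the thread points to arch/s390/include/uapi/asm/zcrypt.h) and to confirm that its #include sits under the same "defined(__NR_ioctl) && defined(__s390__)" guard, since this hunk does not show it.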