[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
Damien Miller
djm at mindrot.org
Tue Mar 14 13:17:26 AEDT 2017
I've committed this diff. Please test and confirm that it works ok.
(If not, then I've botched the macro fixes in the previous commit)
Thanks,
Damien Miller
On Tue, 14 Mar 2017, Damien Miller wrote:
> ok, with the fixes for the seccomp-bpf sandbox that I just committed
> the diff reduces to.
>
> IMO this is scoped narrowly enough to go in.
>
> -d
>
> diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> index af5525ab..6ceee33f 100644
> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
> #ifdef __NR_socketcall
> SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
> #endif
> +#if defined(__NR_ioctl) && defined(__s390__)
> + /* Allow ioctls for ICA crypto card on s390 */
> + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
> + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
> + SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
> +#endif /* defined(__NR_ioctl) && defined(__s390__) */
>
> /* Default deny */
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
More information about the openssh-unix-dev
mailing list