[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
Jakub Jelen
jjelen at redhat.com
Tue Mar 21 22:29:57 AEDT 2017
On 03/14/2017 03:17 AM, Damien Miller wrote:
> I've committed this diff. Please test and confirm that it works ok.
> (If not, then I've botched the macro fixes in the previous commit)
>
> Thanks,
> Damien Miller
>
> On Tue, 14 Mar 2017, Damien Miller wrote:
>
>> ok, with the fixes for the seccomp-bpf sandbox that I just committed
>> the diff reduces to.
>>
>> IMO this is scoped narrowly enough to go in.
>>
>> -d
>>
>> diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
>> index af5525ab..6ceee33f 100644
>> --- a/sandbox-seccomp-filter.c
>> +++ b/sandbox-seccomp-filter.c
>> @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
>> #ifdef __NR_socketcall
>> SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
>> #endif
>> +#if defined(__NR_ioctl) && defined(__s390__)
>> + /* Allow ioctls for ICA crypto card on s390 */
>> + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
>> + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
>> + SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
>> +#endif /* defined(__NR_ioctl) && defined(__s390__) */
>>
>> /* Default deny */
>> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
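Review bot: the three added SC_ALLOW_ARG(ioctl, 1, ...) lines use Z90STAT_STATUS_MASK, ICARSAMODEXPO and ICARSACRT, but this diff consists of the one hunk in preauth_insns[] and adds no include that defines them. Unless a header already pulled in by sandbox-seccomp-filter.c provides these constants, the block will not compile where __NR_ioctl and __s390__ are both defined. Add the defining header alongside the file's other includes, under a matching __s390__ guard. A smaller documentation point on the new comment: the match is on argument 1 (the request number) only, so the allowance covers these requests on any descriptor the process holds, and the comment should say so.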
Hello,

this patch also requires the header files to be included, which was dropped
from the initial proposal and breaks the build on s390x [1].

The missing constants should be defined in asm/zcrypt.h as mentioned in
the original patch:

#ifdef __s390__
#include <asm/zcrypt.h>
#endif

Please also add this hunk.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1434341

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat