[PATCH] Enable specific ioctl calls for ICA crypto card (s390)

Eduardo Barretto ebarreto at linux.vnet.ibm.com
Wed Mar 1 00:47:57 AEDT 2017


On 13-02-2017 13:23, Eduardo Barretto wrote:
> This patch enables specific ioctl calls for ICA crypto card on s390
> platform. Without this patch, users using the IBMCA engine are not able
> to perform ssh login as the filter blocks the communication with the
> crypto card.
> 
> Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com>
> Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
> ---
>  sandbox-seccomp-filter.c | 24 +++++++++++++++++++++---
>  1 file changed, 21 insertions(+), 3 deletions(-)
> 
> diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> index 2e1ed2c..264e146 100644
> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -59,6 +59,11 @@
>  #include <stdlib.h>
>  #include <string.h>
>  #include <unistd.h>
> +#include <endian.h>
> +
> +#ifdef __s390__
> +#include <asm/zcrypt.h>
> +#endif
> 
>  #include "log.h"
>  #include "ssh-sandbox.h"
> @@ -74,6 +79,13 @@
>  #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
> 
>  /* Simple helpers to avoid manual errors (but larger BPF programs). */
> +#if __BYTE_ORDER == __LITTLE_ENDIAN
> +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
> +#elif __BYTE_ORDER == __BIG_ENDIAN
> +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(_u32)
> +#else
> +#error "Unknown endianness"
> +#endif
>  #define SC_DENY(_nr, _errno) \
>  	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
>  	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
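Review bot: The big-endian branch of `LO_ARG` uses `sizeof(_u32)`, and `_u32` is not declared anywhere in the visible hunks; the kernel headers spell the type `__u32`. If it is not defined elsewhere in the file, this branch fails to compile on exactly the big-endian targets (s390 included) the patch is for. The expansion is also unparenthesized, so I would write `#define LO_ARG(idx) (offsetof(struct seccomp_data, args[(idx)]) + sizeof(__u32))` and parenthesize the little-endian form the same way. Note too that `#if __BYTE_ORDER == __LITTLE_ENDIAN` evaluates as `0 == 0` when neither macro is defined, so the `#error` fallback only fires if `<endian.h>` actually supplied them.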
> @@ -82,9 +94,8 @@
>  	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
>  #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
>  	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
> -	/* load first syscall argument */ \
> -	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
> -	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
> +	/* load the syscall argument to check into accumulator */ \
> +	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
>  	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
>  	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
>  	/* reload syscall number; all rules expect it in accumulator */ \
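Review bot: `SC_ALLOW_ARG` loads a single 32-bit word through `LO_ARG`, so only the low half of the 64-bit `args[]` slot is compared with `_arg_val` and the high half is never examined. That is presumably sufficient for an ioctl request number, but the macro is generic, and a later rule on a pointer- or length-sized argument would accept values that differ only in the high word. I would state the limit where the load happens, e.g. `/* load low 32 bits of the argument; the high 32 bits are NOT checked */`, or add a second load of the high word and require it to be zero. The macro body continues past the end of this hunk.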
> @@ -207,6 +218,13 @@ static const struct sock_filter preauth_insns[] = {
>  #ifdef __NR_socketcall
>  	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
>  #endif
> +#ifdef __NR_ioctl
> +#ifdef __s390__
> +	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
> +	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
> +	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
> +#endif
> +#endif
> 
>  	/* Default deny */
>  	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
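Review bot: The three new rules match on the ioctl request number alone (argument 1) and leave the file descriptor in argument 0 unconstrained, so the preauth process may issue these requests on any descriptor it holds, not only the crypto device. Since the driver behind the descriptor decides what a request number means, the allowance deserves a comment above the rules, such as `/* s390 ICA crypto card: matched on request number only, fd is not checked */`. The nested guards can be a single `#if defined(__NR_ioctl) && defined(__s390__)`, and using the same condition around the `<asm/zcrypt.h>` include in the first hunk would tie the header to the place its constants are used. `preauth_insns` begins before and continues after this hunk.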
> 

Hi there,

Do you have any feedback on this patch?

Thanks,

Eduardo


