[PATCH] Enable specific ioctl calls for ICA crypto card (s390)

Damien Miller djm at mindrot.org
Wed Mar 22 12:44:30 AEDT 2017


Committed to both master and the V_7_5 branch.

Thanks,
Damien

On Tue, 21 Mar 2017, Jakub Jelen wrote:

> On 03/14/2017 03:17 AM, Damien Miller wrote:
> > I've committed this diff. Please test and confirm that it works ok.
> > (If not, then I've botched the macro fixes in the previous commit)
> > 
> > Thanks,
> > Damien Miller
> > 
> > On Tue, 14 Mar 2017, Damien Miller wrote:
> > 
> > > ok, with the fixes for the seccomp-bpf sandbox that I just committed
> > > the diff reduces to.
> > > 
> > > IMO this is scoped narrowly enough to go in.
> > > 
> > > -d
> > > 
> > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> > > index af5525ab..6ceee33f 100644
> > > --- a/sandbox-seccomp-filter.c
> > > +++ b/sandbox-seccomp-filter.c
> > > @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
> > >  #ifdef __NR_socketcall
> > >  	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
> > >  #endif
> > > +#if defined(__NR_ioctl) && defined(__s390__)
> > > +	/* Allow ioctls for ICA crypto card on s390 */
> > > +	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
> > > +	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
> > > +	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
> > > +#endif /* defined(__NR_ioctl) && defined(__s390__) */
> > > 
> > >  	/* Default deny */
> > >  	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
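
Review bot: the three request constants used in the added `SC_ALLOW_ARG(ioctl, 1, ...)` lines (`Z90STAT_STATUS_MASK`, `ICARSAMODEXPO`, `ICARSACRT`) are not defined by anything in this diff. It has a single hunk and adds no `#include`, so the new block cannot compile on a build where both `__NR_ioctl` and `__s390__` are defined unless the file already pulls in the defining header. Add that include alongside the file's other headers, under a matching `__s390__` guard so other architectures are unaffected; the reply in this thread names `asm/zcrypt.h` as the header. The filtering itself is narrow as written: each entry matches only on argument 1, the request number, and everything else still reaches the default deny.
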
> 
> Hello,
> this patch requires also the header files included, which was dropped from the
> initial proposal and breaks the build on s390x [1].
> 
> The missing constants should be defined in asm/zcrypt.h as mentioned in the
> original patch:
> 
> #ifdef __s390__
> #include <asm/zcrypt.h>
> #endif
> 
> Please, add also this hunk.
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1434341
> 
> Regards,
> -- 
> Jakub Jelen
> Software Engineer
> Security Technologies
> Red Hat
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 

