This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and communicate with the crypto cards during ssh login. 1. The flock and ipc are allowed only for s390 architecture. They are needed for openCryptoki project (PKCS#11 implementation), as the ibmpkcs11 engine makes use of openCryptoki. For more information, please check here: https://sourceforge.net/projects/opencryptoki/ 2. getuid and geteuid are allowed to any architecture as this is also needed by the distros. libica and other crypto libraries use those syscalls. 3. The ioctl is allowed when an specific argument is passed. This argument is from EP11 crypto card on s390 architecture. For more information check here: http://elixir.free-electrons.com/linux/latest/source/arch/s390/include/uapi/asm/zcrypt.h#L259
Eduardo Barretto
2017-May-09 17:27 UTC
[PATCH 1/3] Allow flock and ipc syscall for s390 architecture
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
---
sandbox-seccomp-filter.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index ca75cc7..6e7de31 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_exit_group
SC_ALLOW(__NR_exit_group),
#endif
+#if defined(__NR_flock) && defined(__s390__)
+ SC_ALLOW(__NR_flock),
+#endif
#ifdef __NR_getpgid
SC_ALLOW(__NR_getpgid),
#endif
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_gettimeofday
SC_ALLOW(__NR_gettimeofday),
#endif
+#if defined(__NR_ipc) && defined(__s390__)
+ SC_ALLOW(__NR_ipc),
+#endif
#ifdef __NR_madvise
SC_ALLOW(__NR_madvise),
#endif
--
1.9.1
getuid and geteuid are needed when using an openssl engine that calls a
crypto card, e.g. ICA (libica).
Those syscalls are also needed by the distros for audit code.
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
---
sandbox-seccomp-filter.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 6e7de31..e86aa2c 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_getpid
SC_ALLOW(__NR_getpid),
#endif
+#ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+#endif
+#ifdef __NR_getuid32
+ SC_ALLOW(__NR_getuid32),
+#endif
+#ifdef __NR_geteuid
+ SC_ALLOW(__NR_geteuid),
+#endif
+#ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+#endif
#ifdef __NR_getrandom
SC_ALLOW(__NR_getrandom),
#endif
--
1.9.1
Eduardo Barretto
2017-May-09 17:27 UTC
[PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
The EP11 crypto card needs to make an ioctl call, which receives an
specific argument. This crypto card is for s390 only.
Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com>
---
sandbox-seccomp-filter.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index e86aa2c..98062f1 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = {
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
+ /* Allow ioctls for EP11 crypto card on s390 */
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
#endif
#if defined(__x86_64__) && defined(__ILP32__) &&
defined(__X32_SYSCALL_BIT)
/*
--
1.9.1
On 09-05-2017 14:27, Eduardo Barretto wrote:> This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so > openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and > communicate with the crypto cards during ssh login. >Hi there, Is there any doubts or information that I can help with? Thanks, Eduardo
On Thu, May 18, 2017 at 10:17:50AM -0300, Eduardo Barretto wrote:> On 09-05-2017 14:27, Eduardo Barretto wrote: > > This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so > > openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and > > communicate with the crypto cards during ssh login. > > Hi there, > > Is there any doubts or information that I can help with?I'm also interested to know if anyone has had a chance to review this patch set, since Ubuntu is currently carrying a part of it in order to support hardware acceleration on s390x. It may be a good idea for you to turn this into a bug report on bugzilla.mindrot.org so that it doesn't get lost. -- Colin Watson [cjwatson at debian.org]
Apparently Analagous Threads
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] seccomp: allow the getrandom system call.
- [Bug 2361] New: seccomp filter (not only) for aarch64