This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and communicate with the crypto cards during ssh login. 1. The flock and ipc are allowed only for s390 architecture. They are needed for openCryptoki project (PKCS#11 implementation), as the ibmpkcs11 engine makes use of openCryptoki. For more information, please check here: https://sourceforge.net/projects/opencryptoki/ 2. getuid and geteuid are allowed to any architecture as this is also needed by the distros. libica and other crypto libraries use those syscalls. 3. The ioctl is allowed when an specific argument is passed. This argument is from EP11 crypto card on s390 architecture. For more information check here: http://elixir.free-electrons.com/linux/latest/source/arch/s390/include/uapi/asm/zcrypt.h#L259
Eduardo Barretto
2017-May-09 17:27 UTC
[PATCH 1/3] Allow flock and ipc syscall for s390 architecture
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock and ipc calls, because this engine calls OpenCryptoki (a PKCS#11 implementation) which calls the libraries that will communicate with the crypto cards. OpenCryptoki makes use of flock and ipc and, as of now, this is only need on s390 architecture. Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> --- sandbox-seccomp-filter.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index ca75cc7..6e7de31 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_exit_group SC_ALLOW(__NR_exit_group), #endif +#if defined(__NR_flock) && defined(__s390__) + SC_ALLOW(__NR_flock), +#endif #ifdef __NR_getpgid SC_ALLOW(__NR_getpgid), #endif @@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_gettimeofday SC_ALLOW(__NR_gettimeofday), #endif +#if defined(__NR_ipc) && defined(__s390__) + SC_ALLOW(__NR_ipc), +#endif #ifdef __NR_madvise SC_ALLOW(__NR_madvise), #endif -- 1.9.1
getuid and geteuid are needed when using an openssl engine that calls a crypto card, e.g. ICA (libica). Those syscalls are also needed by the distros for audit code. Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> --- sandbox-seccomp-filter.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 6e7de31..e86aa2c 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_getpid SC_ALLOW(__NR_getpid), #endif +#ifdef __NR_getuid + SC_ALLOW(__NR_getuid), +#endif +#ifdef __NR_getuid32 + SC_ALLOW(__NR_getuid32), +#endif +#ifdef __NR_geteuid + SC_ALLOW(__NR_geteuid), +#endif +#ifdef __NR_geteuid32 + SC_ALLOW(__NR_geteuid32), +#endif #ifdef __NR_getrandom SC_ALLOW(__NR_getrandom), #endif -- 1.9.1
Eduardo Barretto
2017-May-09 17:27 UTC
[PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
The EP11 crypto card needs to make an ioctl call, which receives an specific argument. This crypto card is for s390 only. Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> --- sandbox-seccomp-filter.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index e86aa2c..98062f1 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -250,6 +250,8 @@ static const struct sock_filter preauth_insns[] = { SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK), SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO), SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT), + /* Allow ioctls for EP11 crypto card on s390 */ + SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB), #endif #if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT) /* -- 1.9.1
On 09-05-2017 14:27, Eduardo Barretto wrote:> This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so > openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and > communicate with the crypto cards during ssh login. >Hi there, Is there any doubts or information that I can help with? Thanks, Eduardo
On Thu, May 18, 2017 at 10:17:50AM -0300, Eduardo Barretto wrote:> On 09-05-2017 14:27, Eduardo Barretto wrote: > > This patchset allow syscalls (flock, ipc, getuid, geteuid and ioctl), so > > openssl engines, e.g. OpenSSL-ibmca and OpenSSL-ibmpkcs11, can work and > > communicate with the crypto cards during ssh login. > > Hi there, > > Is there any doubts or information that I can help with?I'm also interested to know if anyone has had a chance to review this patch set, since Ubuntu is currently carrying a part of it in order to support hardware acceleration on s390x. It may be a good idea for you to turn this into a bug report on bugzilla.mindrot.org so that it doesn't get lost. -- Colin Watson [cjwatson at debian.org]
Reasonably Related Threads
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] seccomp: allow the getrandom system call.
- [Bug 2361] New: seccomp filter (not only) for aarch64