Eduardo Barretto
2017-Feb-13 15:23 UTC
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
This patch enables specific ioctl calls for ICA crypto card on s390 platform. Without this patch, users using the IBMCA engine are not able to perform ssh login as the filter blocks the communication with the crypto card. Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> --- sandbox-seccomp-filter.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index 2e1ed2c..264e146 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -59,6 +59,11 @@ #include <stdlib.h> #include <string.h> #include <unistd.h> +#include <endian.h> + +#ifdef __s390__ +#include <asm/zcrypt.h> +#endif #include "log.h" #include "ssh-sandbox.h" @@ -74,6 +79,13 @@ #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ /* Simple helpers to avoid manual errors (but larger BPF programs). */ +#if __BYTE_ORDER == __LITTLE_ENDIAN +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) +#elif __BYTE_ORDER == __BIG_ENDIAN +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(_u32) +#else +#error "Unknown endianness" +#endif #define SC_DENY(_nr, _errno) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) @@ -82,9 +94,8 @@ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \ - /* load first syscall argument */ \ - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ - offsetof(struct seccomp_data, args[(_arg_nr)])), \ + /* load the syscall argument to check into accumulator */ \ + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \ BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ /* reload syscall number; all rules expect it in accumulator */ \ 
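Review bot: In the `__BIG_ENDIAN` branch of `LO_ARG`, `sizeof(_u32)` names a type that nothing visible in this patch declares, so the macro would presumably fail to compile on the big-endian s390 build the patch targets; the kernel's type is spelled `__u32`. The expansion is also an unparenthesized sum, which is harmless as a lone `BPF_STMT` argument but fragile if the macro is ever used inside a larger expression. I would write `#define LO_ARG(idx) (offsetof(struct seccomp_data, args[(idx)]) + sizeof(__u32))` and parenthesize the little-endian form the same way. Because `SC_ALLOW_ARG` is switched to `LO_ARG` in the next hunk, this also changes which word every existing argument rule compares on big-endian hosts, and the commit message should say so.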
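Review bot: `SC_ALLOW_ARG` still compares only one 32-bit word of the 64-bit `args[]` slot: after the `LO_ARG` load it tests the low half against `_arg_val` and never inspects the other half. That is probably sufficient for the ioctl request numbers added later in this patch, but the macro is generic, and a rule written for a pointer- or length-sized argument would accept values that differ only in the high word. The replacement comment should state the limit, e.g. `/* load the low 32 bits of the argument; the high word is NOT checked */`. The macro body continues past the end of this hunk.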
@@ -207,6 +218,13 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_socketcall SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), #endif +#ifdef __NR_ioctl +#ifdef __s390__ + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), +#endif +#endif /* Default deny */ BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), -- 1.9.1
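Review bot: The three new `SC_ALLOW_ARG(ioctl, 1, ...)` rules match on the request number alone, so the pre-auth filter will let these requests through on any descriptor the process holds, not only the crypto device, and nothing in the hunk records what they are for. A comment above the block would make the widened surface auditable, e.g. `/* s390 only: ioctls the IBMCA engine issues to the ICA crypto card (zcrypt); fd is not constrained */`. The nested guards can be collapsed to `#if defined(__NR_ioctl) && defined(__s390__)`. `preauth_insns[]` begins and ends outside this hunk.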
Eduardo Barretto
2017-Feb-28 13:47 UTC
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
On 13-02-2017 13:23, Eduardo Barretto wrote:> This patch enables specific ioctl calls for ICA crypto card on s390 > platform. Without this patch, users using the IBMCA engine are not able > to perform ssh login as the filter blocks the communication with the > crypto card. > > Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> > Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> > --- > sandbox-seccomp-filter.c | 24 +++++++++++++++++++++--- > 1 file changed, 21 insertions(+), 3 deletions(-) > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c > index 2e1ed2c..264e146 100644 > --- a/sandbox-seccomp-filter.c > +++ b/sandbox-seccomp-filter.c > @@ -59,6 +59,11 @@ > #include <stdlib.h> > #include <string.h> > #include <unistd.h> > +#include <endian.h> > + > +#ifdef __s390__ > +#include <asm/zcrypt.h> > +#endif > > #include "log.h" > #include "ssh-sandbox.h" > @@ -74,6 +79,13 @@ > #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */ > > /* Simple helpers to avoid manual errors (but larger BPF programs). */ > +#if __BYTE_ORDER == __LITTLE_ENDIAN > +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) > +#elif __BYTE_ORDER == __BIG_ENDIAN > +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(_u32) > +#else > +#error "Unknown endianness" > +#endif > #define SC_DENY(_nr, _errno) \ > BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno)) 
> @@ -82,9 +94,8 @@ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) > #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \ > BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \ > - /* load first syscall argument */ \ > - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \ > - offsetof(struct seccomp_data, args[(_arg_nr)])), \ > + /* load the syscall argument to check into accumulator */ \ > + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \ > BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \ > /* reload syscall number; all rules expect it in accumulator */ \ > @@ -207,6 +218,13 @@ static const struct sock_filter preauth_insns[] = { > #ifdef __NR_socketcall > SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), > #endif > +#ifdef __NR_ioctl > +#ifdef __s390__ > + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), > + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), > + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), > +#endif > +#endif > > /* Default deny */ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), >Hi there, Do you have any feedback on this patch? Thanks, Eduardo
Damien Miller
2017-Mar-02 04:32 UTC
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
On Tue, 28 Feb 2017, Eduardo Barretto wrote:> On 13-02-2017 13:23, Eduardo Barretto wrote: > > This patch enables specific ioctl calls for ICA crypto card on s390 > > platform. Without this patch, users using the IBMCA engine are not able > > to perform ssh login as the filter blocks the communication with the > > crypto card. > > > > Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> > > Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> > > --- > > sandbox-seccomp-filter.c | 24 +++++++++++++++++++++--- > > 1 file changed, 21 insertions(+), 3 deletions(-) > > > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c > > index 2e1ed2c..264e146 100644 > > --- a/sandbox-seccomp-filter.c > > +++ b/sandbox-seccomp-filter.c[snip]> Hi there, > > Do you have any feedback on this patch?It's hard to evaluate it without reference to some public documentation for the crypto card and the syscalls needed to use it. Is it a standard part of s390 machines or an option? Does it provide substantial benefit for the crypto used in the pre-auth stage of the protocol? (private key operations and DH/ECDH key agreement) -d