Damien Miller
2017-Mar-14 02:17 UTC
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
I've committed this diff. Please test and confirm that it works ok.
(If not, then I've botched the macro fixes in the previous commit)

Thanks,
Damien Miller

On Tue, 14 Mar 2017, Damien Miller wrote:
> ok, with the fixes for the seccomp-bpf sandbox that I just committed > the diff reduces to. > > IMO this is scoped narrowly enough to go in. > > -d > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c > index af5525ab..6ceee33f 100644 > --- a/sandbox-seccomp-filter.c > +++ b/sandbox-seccomp-filter.c > @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = { > #ifdef __NR_socketcall > SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), > #endif > +#if defined(__NR_ioctl) && defined(__s390__) > + /* Allow ioctls for ICA crypto card on s390 */ > + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), > + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), > + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), > +#endif /* defined(__NR_ioctl) && defined(__s390__) */ > > /* Default deny */ > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >
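Review bot: The three added SC_ALLOW_ARG(ioctl, 1, ...) lines use Z90STAT_STATUS_MASK, ICARSAMODEXPO and ICARSACRT, but this diff consists of the single hunk in preauth_insns[] and adds no #include that would define them, and the new guard tests only __NR_ioctl and __s390__. Unless sandbox-seccomp-filter.c already pulls in the header that declares these request codes, the s390 build will stop on undeclared identifiers, so the include should be added in the same patch under a matching __s390__ condition. It would also help to extend the "Allow ioctls for ICA crypto card on s390" comment to say that argument 1 is the ioctl request number, so a reader can see the allowance is keyed on the request code and places no constraint on the file descriptor.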
Jakub Jelen
2017-Mar-21 11:29 UTC
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
On 03/14/2017 03:17 AM, Damien Miller wrote:
> I've committed this diff. Please test and confirm that it works ok. > (If not, then I've botched the macro fixes in the previous commit) > > Thanks, > Damien Miller > > On Tue, 14 Mar 2017, Damien Miller wrote: > >> ok, with the fixes for the seccomp-bpf sandbox that I just committed >> the diff reduces to. >> >> IMO this is scoped narrowly enough to go in. >> >> -d >> >> diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c >> index af5525ab..6ceee33f 100644 >> --- a/sandbox-seccomp-filter.c >> +++ b/sandbox-seccomp-filter.c >> @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = { >> #ifdef __NR_socketcall >> SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), >> #endif >> +#if defined(__NR_ioctl) && defined(__s390__) >> + /* Allow ioctls for ICA crypto card on s390 */ >> + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), >> + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), >> + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), >> +#endif /* defined(__NR_ioctl) && defined(__s390__) */ >> >> /* Default deny */ >> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),

Hello,
this patch requires also the header files included, which was dropped from the initial proposal and breaks the build on s390x [1].

The missing constants should be defined in asm/zcrypt.h as mentioned in the original patch:

#ifdef __s390__
#include <asm/zcrypt.h>
#endif

Please, add also this hunk.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1434341

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
Damien Miller
2017-Mar-22 01:44 UTC
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
Committed to both master and the V_7_5 branch.

Thanks,
Damien

On Tue, 21 Mar 2017, Jakub Jelen wrote:
> On 03/14/2017 03:17 AM, Damien Miller wrote: > > I've committed this diff. Please test and confirm that it works ok. > > (If not, then I've botched the macro fixes in the previous commit) > > > > Thanks, > > Damien Miller > > > > On Tue, 14 Mar 2017, Damien Miller wrote: > > > > > ok, with the fixes for the seccomp-bpf sandbox that I just committed > > > the diff reduces to. > > > > > > IMO this is scoped narrowly enough to go in. > > > > > > -d > > > > > > diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c > > > index af5525ab..6ceee33f 100644 > > > --- a/sandbox-seccomp-filter.c > > > +++ b/sandbox-seccomp-filter.c > > > @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = { > > > #ifdef __NR_socketcall > > > SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), > > > #endif > > > +#if defined(__NR_ioctl) && defined(__s390__) > > > + /* Allow ioctls for ICA crypto card on s390 */ > > > + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), > > > + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), > > > + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), > > > +#endif /* defined(__NR_ioctl) && defined(__s390__) */ > > > > > > /* Default deny */ > > > BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), > > Hello, > this patch requires also the header files included, which was dropped from the > initial proposal and breaks the build on s390x [1]. > > The missing constants should be defined in asm/zcrypt.h as mentioned in the > original patch: > > #ifdef __s390__ > #include <asm/zcrypt.h> > #endif > > Please, add also this hunk. > > [1] https://bugzilla.redhat.com/show_bug.cgi?id=1434341 > > Regards, > -- > Jakub Jelen > Software Engineer > Security Technologies > Red Hat > _______________________________________________ > openssh-unix-dev mailing list > openssh-unix-dev at mindrot.org > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev >