Hello all, OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys in privsep child. The socket() syscall is already denied in the seccomp filter, but in ppc64le kernel, it is implemented using socketcall() syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and therefore fails hard. See attached patch with proposed patch (deny is intentionally after allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable? Regards, -- Jakub Jelen Software Engineer Security Technologies Red Hat -------------- next part -------------- A non-text attachment was scrubbed... Name: openssh-7.4p1-sandbox-ppc64le.patch Type: text/x-patch Size: 461 bytes Desc: not available URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20170424/5e2171b0/attachment-0001.bin>
On Mon, Apr 24, 2017 at 5:49 PM, Jakub Jelen <jjelen at redhat.com> wrote:> [...] > See attached patch with proposed patch (deny is intentionally after > allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable? >Applied, thanks, also cherry picked onto the 7.5 branch. The diff did not apply cleanly ("__NR_$syscall" vs "$syscall" so I hand-edited it. I don't have access to one of these systems to test so could you please confirm that I got it right? -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On 04/24/2017 11:47 AM, Darren Tucker wrote:> On Mon, Apr 24, 2017 at 5:49 PM, Jakub Jelen <jjelen at redhat.com > <mailto:jjelen at redhat.com>> wrote: > > [...] > See attached patch with proposed patch (deny is intentionally after > allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable? > > > Applied, thanks, also cherry picked onto the 7.5 branch. > > The diff did not apply cleanly ("__NR_$syscall" vs "$syscall" so I > hand-edited it. I don't have access to one of these systems to test so > could you please confirm that I got it right?If I see right, you put there two ss in socketcall [1] After fixing that it builds just fine with this line: + SC_DENY(__NR_socketcall, EACCES), [1] https://github.com/openssh/openssh-portable/commit/8b0eee14 Thanks, -- Jakub Jelen Software Engineer Security Technologies Red Hat
Reasonably Related Threads
- [Bug 2361] New: seccomp filter (not only) for aarch64
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [PATCH] Enable specific ioctl calls for ICA crypto card (s390)
- [Bug 2107] New: seccomp sandbox breaks GSSAPI