Displaying 7 results from an estimated 7 matches for "sys_shutdown".
2017 Apr 24
2
seccomp filter for ppc64le in FIPS mode
Hello all,
OpenSSL is using socket() calls (in FIPS mode) when handling ECDSA keys
in the privsep child. The socket() syscall is already denied in the seccomp
filter, but in the ppc64le kernel, it is implemented using the socketcall()
syscall, which is not denied yet (only SYS_SHUTDOWN is allowed) and
therefore fails hard.
See the attached patch with the proposed patch (deny is intentionally after
allowing the SYS_SHUTDOWN). Can we have it fixed in OpenSSH portable?
Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
2017 Mar 14
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
...dbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> index af5525ab..6ceee33f 100644
> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
> #ifdef __NR_socketcall
> SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
> #endif
> +#if defined(__NR_ioctl) && defined(__s390__)
> + /* Allow ioctls for ICA crypto card on s390 */
> + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
> + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
> + SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
> +#endif /* defined(__NR_io...
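Review bot: The three SC_ALLOW_ARG(ioctl, 1, ...) rules added to preauth_insns match only argument 1, the request code, so these requests are allowed on any file descriptor the sandboxed process holds, not just the crypto device. The comment "Allow ioctls for ICA crypto card on s390" should say that the restriction is by request code only. Z90STAT_STATUS_MASK, ICARSAMODEXPO and ICARSACRT also need their defining header included under the same defined(__NR_ioctl) && defined(__s390__) condition, which the visible lines do not show.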
2016 Jan 06
0
[klibc:master] Remove sys/socketcalls.h
...R 8 /* sys_socketpair(2) */
-#define SYS_SEND 9 /* sys_send(2) */
-#define SYS_RECV 10 /* sys_recv(2) */
-#define SYS_SENDTO 11 /* sys_sendto(2) */
-#define SYS_RECVFROM 12 /* sys_recvfrom(2) */
-#define SYS_SHUTDOWN 13 /* sys_shutdown(2) */
-#define SYS_SETSOCKOPT 14 /* sys_setsockopt(2) */
-#define SYS_GETSOCKOPT 15 /* sys_getsockopt(2) */
-#define SYS_SENDMSG 16 /* sys_sendmsg(2) */
-#define SYS_RECVMSG 17 /* sys_recvmsg(2) */
-
-#en...
2017 Feb 13
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
...\
BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
/* reload syscall number; all rules expect it in accumulator */ \
@@ -207,6 +218,13 @@ static const struct sock_filter preauth_insns[] = {
#ifdef __NR_socketcall
SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
#endif
+#ifdef __NR_ioctl
+#ifdef __s390__
+ SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+ SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+ SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif
+#endif
/* Default deny */
BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
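Review bot: The nested #ifdef __NR_ioctl / #ifdef __s390__ pair added ahead of the default deny has no comment and closes with two bare #endif lines, so a reader of the filter cannot tell why ioctl is opened up or which guard each #endif ends. Fold the pair into a single #if defined(__NR_ioctl) && defined(__s390__), add a comment above the three SC_ALLOW_ARG(ioctl, 1, ...) entries naming the ICA crypto card as the reason, and annotate the closing #endif with its condition.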
--
1.9.1
2017 Mar 03
2
[PATCH] Enable specific ioctl calls for ICA crypto card (s390)
On 03-03-2017 09:54, Petr Cerny wrote:
> Damien Miller wrote:
>> On Tue, 28 Feb 2017, Eduardo Barretto wrote:
>>
>>> On 13-02-2017 13:23, Eduardo Barretto wrote:
>>> > This patch enables specific ioctl calls for ICA crypto card on s390
>>> > platform. Without this patch, users using the IBMCA engine are not able
>>> > to
2012 Apr 12
8
Background jobs with #fork
Hi
I've migrated from Passenger to Unicorn about a week ago. It's great.
Great transparency and management, thanks for this great software!
A few of my Rails applications start background jobs using
Kernel#fork. Of course, the ActiveRecord connections are closed and
reopened again in the parent and child processes. The child process
also does its job.
Unfortunately, it seems
2015 Mar 05
31
[Bug 2361] New: seccomp filter (not only) for aarch64
https://bugzilla.mindrot.org/show_bug.cgi?id=2361
Bug ID: 2361
Summary: seccomp filter (not only) for aarch64
Product: Portable OpenSSH
Version: 6.7p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: sshd
Assignee: unassigned-bugs at