similar to: [PATCH 0/3] Allow syscalls for openssl engines

This patch enables specific ioctl calls for ICA crypto card on s390 platform. Without this patch, users using the IBMCA engine are not able to perform ssh login as the filter blocks the communication with the crypto card. Signed-off-by: Harald Freudenberger <freude at linux.vnet.ibm.com> Signed-off-by: Eduardo Barretto <ebarretto at linux.vnet.ibm.com> --- sandbox-seccomp-filter.c |

On 03-03-2017 09:54, Petr Cerny wrote: > Damien Miller wrote: >> On Tue, 28 Feb 2017, Eduardo Barretto wrote: >> >>> On 13-02-2017 13:23, Eduardo Barretto wrote: >>> > This patch enables specific ioctl calls for ICA crypto card on s390 >>> > platform. Without this patch, users using the IBMCA engine are not >>> able >>> > to

I've committed this diff. Please test and confirm that it works ok. (If not, then I've botched the macro fixes in the previous commit) Thanks, Damien Miller On Tue, 14 Mar 2017, Damien Miller wrote: > ok, with the fixes for the seccomp-bpf sandbox that I just committed > the diff reduces to. > > IMO this is scoped narrowly enough to go in. > > -d > > diff

*SSL libraries or the C library may/will require it. --- sandbox-seccomp-filter.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index b6f6258..846bc08 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -129,6 +129,9 @@ static const struct sock_filter preauth_insns[] = { #else SC_ALLOW(sigprocmask), #endif

https://bugzilla.mindrot.org/show_bug.cgi?id=2361 Bug ID: 2361 Summary: seccomp filter (not only) for aarch64 Product: Portable OpenSSH Version: 6.7p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

On Tue, 28 Feb 2017, Eduardo Barretto wrote: > On 13-02-2017 13:23, Eduardo Barretto wrote: > > This patch enables specific ioctl calls for ICA crypto card on s390 > > platform. Without this patch, users using the IBMCA engine are not able > > to perform ssh login as the filter blocks the communication with the > > crypto card. > > > > Signed-off-by: Harald

Hello I have a server with an hardware crypto accelator. For giving userspace access to it I use the cryptodev module (http://cryptodev-linux.org/) I have also the cryptodev engine compiled in openssl. When I modprobe the cryptodev module, I cannot login with ssh on the server. The symptom can be found with dmesg: audit: type=1326 audit(1424784807.257:3): auid=4294967295 uid=22 gid=22

https://bugzilla.mindrot.org/show_bug.cgi?id=2142 Bug ID: 2142 Summary: openssh sandboxing using libseccomp Product: Portable OpenSSH Version: -current Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd Assignee: unassigned-bugs at

https://bugzilla.mindrot.org/show_bug.cgi?id=3639 Bug ID: 3639 Summary: server thread aborts during client login after receiving SSH2_MSG_KEXINIT Product: Portable OpenSSH Version: 9.2p1 Hardware: ARM OS: Linux Status: NEW Severity: critical Priority: P5 Component:

https://bugzilla.mindrot.org/show_bug.cgi?id=3085 Bug ID: 3085 Summary: seccomp issue after upgrading openssl Product: Portable OpenSSH Version: 8.1p1 Hardware: Other OS: Linux Status: NEW Severity: critical Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org

Hello! The following code triggered by syzbot r = get_user_pages_fast(log, 1, 1, &page); if (r < 0) return r; BUG_ON(r != 1); Just looking at get_user_pages_fast's documentation this seems impossible - it is supposed to only ever return # of pages pinned or errno. However, poking at code, I see at least one path that might cause this: