[PATCH] Enable specific ioctl calls for ICA crypto card (s390)


 



This patch enables specific ioctl calls for the ICA crypto card on the s390
platform. Without this patch, users of the IBMCA engine are not able
to perform ssh login, as the filter blocks the communication with the
crypto card.

Signed-off-by: Harald Freudenberger <freude@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
---
 sandbox-seccomp-filter.c | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2e1ed2c..264e146 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -59,6 +59,11 @@
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
+#include <endian.h>
+
+#ifdef __s390__
+#include <asm/zcrypt.h>
+#endif
 
 #include "log.h"
 #include "ssh-sandbox.h"
@@ -74,6 +79,13 @@
 #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
 
 /* Simple helpers to avoid manual errors (but larger BPF programs). */
+#if __BYTE_ORDER == __LITTLE_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
+#elif __BYTE_ORDER == __BIG_ENDIAN
+#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(_u32)
+#else
+#error "Unknown endianness"
+#endif
 #define SC_DENY(_nr, _errno) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
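Review bot: The big-endian branch spells the type `_u32`, which no Linux or libc header I know of declares, so on s390 (big-endian, the platform this patch targets) that `#elif` arm will not compile unless `_u32` is defined somewhere not shown here; the kernel type is `__u32` from `<linux/types.h>`, which the seccomp/filter headers presumably already pull in. The expansion should also be parenthesized as a whole, because `LO_ARG(idx)` expands to a sum and is then substituted into another macro: `#define LO_ARG(idx) (offsetof(struct seccomp_data, args[(idx)]) + sizeof(__u32))`. A one-line comment above the `#if`, such as `/* args[] are 64-bit; LO_ARG gives the offset of the low 32-bit half so a BPF_W load sees the argument's low word on either byte order */`, would make the intent clear to the next reader.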
@@ -82,9 +94,8 @@
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
 #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
-	/* load first syscall argument */ \
-	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
-	    offsetof(struct seccomp_data, args[(_arg_nr)])), \
+	/* load the syscall argument to check into accumulator */ \
+	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
 	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
 	/* reload syscall number; all rules expect it in accumulator */ \
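Review bot: After this change `SC_ALLOW_ARG` compares only the low 32 bits of the argument on both byte orders (the `BPF_W` load at the `LO_ARG` line); the high word of the 64-bit `args[]` slot is never inspected, so any value whose low word equals `_arg_val` is admitted. For the visible callers (the `socketcall` call number and the `ioctl` request code) the kernel reads the argument as a 32-bit int anyway, so this looks like a latent hazard rather than a bypass today, but it should either be documented on the macro (`/* NOTE: only the low 32 bits of the argument are compared; not for pointer or 64-bit values */`) or the high word should be checked as well, as sketched below; that needs a `HI_ARG(idx)` counterpart to `LO_ARG` yielding the other word's offset and changes the skip count in the syscall-number jump from 4 to 6. The macro's tail (the reload of the syscall number) lies outside the hunk and stays as it is.
```c
#define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 6), \
	/* load and test the low word of the syscall argument */ \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ((_arg_val) & 0xFFFFFFFFu), 0, 3), \
	/* load and test the high word of the syscall argument */ \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, HI_ARG(_arg_nr)), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, \
	    (unsigned int)((unsigned long long)(_arg_val) >> 32), 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
	/* ... unchanged: reload syscall number ... */
```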
@@ -207,6 +218,13 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
 #endif
+#ifdef __NR_ioctl
+#ifdef __s390__
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif
+#endif
 
 	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
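Review bot: The three `SC_ALLOW_ARG(ioctl, 1, ...)` rules carry no comment saying why a pre-auth process needs them; a reader of the filter cannot tell from `Z90STAT_STATUS_MASK`, `ICARSAMODEXPO` and `ICARSACRT` that these are the zcrypt (ICA card) requests issued by the IBMCA OpenSSL engine, which only the commit message explains. Suggest `/* zcrypt ioctls issued by the IBMCA OpenSSL engine on s390 (needs <asm/zcrypt.h>) */` above the inner `#ifdef __s390__`. It is also worth stating in that comment that the rules match on the request code only, so they admit these requests on any descriptor the sandboxed process holds; that is inherent to argument matching in this filter, but the reader should not assume the device file is being checked.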
-- 
1.9.1





