On 13-02-2017 13:23, Eduardo Barretto wrote:
> This patch enables specific ioctl calls for ICA crypto card on s390
> platform. Without this patch, users using the IBMCA engine are not able
> to perform ssh login as the filter blocks the communication with the
> crypto card.
>
> Signed-off-by: Harald Freudenberger <freude@xxxxxxxxxxxxxxxxxx>
> Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
> ---
> sandbox-seccomp-filter.c | 24 +++++++++++++++++++++---
> 1 file changed, 21 insertions(+), 3 deletions(-)
>
> diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
> index 2e1ed2c..264e146 100644
> --- a/sandbox-seccomp-filter.c
> +++ b/sandbox-seccomp-filter.c
> @@ -59,6 +59,11 @@
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> +#include <endian.h>
> +
> +#ifdef __s390__
> +#include <asm/zcrypt.h>
> +#endif
>
> #include "log.h"
> #include "ssh-sandbox.h"
> @@ -74,6 +79,13 @@
> #endif /* SANDBOX_SECCOMP_FILTER_DEBUG */
>
> /* Simple helpers to avoid manual errors (but larger BPF programs). */
> +#if __BYTE_ORDER == __LITTLE_ENDIAN
> +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)])
> +#elif __BYTE_ORDER == __BIG_ENDIAN
> +#define LO_ARG(idx) offsetof(struct seccomp_data, args[(idx)]) + sizeof(_u32)
> +#else
> +#error "Unknown endianness"
> +#endif
> #define SC_DENY(_nr, _errno) \
> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 1), \
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ERRNO|(_errno))
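Review bot: The big-endian arm of LO_ARG uses `sizeof(_u32)`, which is not a type this hunk or the new includes declare (the kernel UAPI spelling is `__u32`; `uint32_t` from `<stdint.h>` is the portable choice), so unless the file defines `_u32` elsewhere the `#elif` branch fails to compile on exactly the big-endian targets, s390 included, that the patch is for, while the little-endian build never exercises it; suggest `#define LO_ARG(idx) (offsetof(struct seccomp_data, args[(idx)]) + sizeof(uint32_t))`, parenthesised so the expansion is safe inside a larger expression. The `#error "Unknown endianness"` fallback also cannot fire as written: if `<endian.h>` (added in the previous hunk) did not define `__BYTE_ORDER` and `__LITTLE_ENDIAN`, both preprocess to 0 and the first `#if` is silently taken, so a `#if !defined(__BYTE_ORDER) || !defined(__LITTLE_ENDIAN) || !defined(__BIG_ENDIAN)` check should precede the selection. A one-line comment stating that LO_ARG yields the offset of the low 32-bit half of a 64-bit `args[]` slot, the half a BPF_W load can inspect, would make the endianness dependence obvious to the next reader.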
> @@ -82,9 +94,8 @@
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
> #define SC_ALLOW_ARG(_nr, _arg_nr, _arg_val) \
> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_ ## _nr, 0, 4), \
> - /* load first syscall argument */ \
> - BPF_STMT(BPF_LD+BPF_W+BPF_ABS, \
> - offsetof(struct seccomp_data, args[(_arg_nr)])), \
> + /* load the syscall argument to check into accumulator */ \
> + BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr)), \
> BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, (_arg_val), 0, 1), \
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW), \
> /* reload syscall number; all rules expect it in accumulator */ \
> @@ -207,6 +218,13 @@ static const struct sock_filter preauth_insns[] = {
> #ifdef __NR_socketcall
> SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
> #endif
> +#ifdef __NR_ioctl
> +#ifdef __s390__
> + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
> + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
> + SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
> +#endif
> +#endif
>
> /* Default deny */
> BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
>
Hi there, Do you have any feedback on this patch? Thanks, Eduardo _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
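Review bot: The new comment on the `BPF_STMT(BPF_LD+BPF_W+BPF_ABS, LO_ARG(_arg_nr))` line understates what is compared: BPF_W loads a single 32-bit word, so after this change SC_ALLOW_ARG matches only the low half of the 64-bit `args[_arg_nr]` slot and never looks at the high half. That is adequate for the ioctl request numbers added later in this patch if the kernel truncates `cmd` to 32 bits (which I believe it does, but cannot verify from this hunk) and for socketcall's call number, but it would be a silent gap for any future rule on a 64-bit argument such as a pointer or a length. Suggest `/* load low 32 bits of the syscall argument to check into accumulator; */` followed by `/* the high word is NOT compared: only use for args the kernel treats as 32-bit */`. The jump distance `0, 4` on the syscall-number test is unchanged and still spans the four instructions that follow, so the control flow is still correct.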
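Review bot: The three `SC_ALLOW_ARG(ioctl, 1, …)` rules constrain only the ioctl request number, not the descriptor it is issued on, so they admit those request numbers on whatever fds the pre-auth process holds; that is the limit of what the filter can express, but the rules should carry a comment saying so and stating why they exist, e.g. `/* s390 zcrypt: status query and RSA mod-expo/CRT requests issued by the IBMCA OpenSSL engine; fd is not checked */`. Since `Z90STAT_STATUS_MASK`, `ICARSAMODEXPO` and `ICARSACRT` only resolve through the `<asm/zcrypt.h>` include from the first hunk, a short note that they come from the kernel UAPI header would also explain an undeclared-identifier error to anyone building against older headers. The `preauth_insns` initializer begins and continues outside this hunk.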