Re: [PATCH] Enable specific ioctl calls for ICA crypto card (s390)

On Fri, 3 Mar 2017, Eduardo Barretto wrote:

> Just adding some more information on Petr's answer (Thanks Petr for
> stepping in!):
> 
> The ioctls for the s390 crypto card support are documented. The crypto
> device driver is part of the linux kernel and thus open source. It can be
> found in the kernel in drivers/s390/crypto. The ioctl stuff required to
> interact with the crypto device driver is as usual provided in the
> kernel header file arch/s390/include/uapi/asm/zcrypt.h
> In particular the defines for the ioctl magics intended to not
> get filtered can be found there.

ok, with the fixes for the seccomp-bpf sandbox that I just committed
the diff reduces to.

IMO this is scoped narrowly enough to go in.

-d

diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index af5525ab..6ceee33f 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_socketcall
 	SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN),
 #endif
+#if defined(__NR_ioctl) && defined(__s390__)
+	/* Allow ioctls for ICA crypto card on s390 */
+	SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK),
+	SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO),
+	SC_ALLOW_ARG(ioctl, 1, ICARSACRT),
+#endif /* defined(__NR_ioctl) && defined(__s390__) */
 
 	/* Default deny */
 	BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL),
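Review bot: the three request constants in the added SC_ALLOW_ARG lines (Z90STAT_STATUS_MASK, ICARSAMODEXPO, ICARSACRT) are said earlier in the thread to come from arch/s390/include/uapi/asm/zcrypt.h, but no #include for that header is visible in this diff. Please confirm it is pulled in under the same `defined(__NR_ioctl) && defined(__s390__)` condition, otherwise the s390 build fails on undefined identifiers. Separately, each rule matches only on argument 1 (the request number), so these requests are allowed on any descriptor the preauth process holds, not just the crypto device. That is narrow enough for an allow-list, but the comment above the block could say so and name the header, so a later reader knows where the request numbers are defined and what the rule does not constrain.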
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


