On Fri, 3 Mar 2017, Eduardo Barretto wrote: > Just adding some more information on Petr answer (Thanks Petr for > stepping in!): > > The ioctls for the s390 crypto card support are documented. The crypto > device driver is part of the linux kernel and thus open source. It can be > found in the kernel in drivers/s390/crypto. The ioctl stuff required to > interact with the crypto device driver is as usual provided in the > kernel header file arch/s390/include/uapi/asm/zcrypt.h > In particular the defines for the ioctl magics intended to not > get filtered can be found there. ok, with the fixes for the seccomp-bpf sandbox that I just committed the diff reduces to. IMO this is scoped narrowly enough to go in. -d diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c index af5525ab..6ceee33f 100644 --- a/sandbox-seccomp-filter.c +++ b/sandbox-seccomp-filter.c @@ -223,6 +223,12 @@ static const struct sock_filter preauth_insns[] = { #ifdef __NR_socketcall SC_ALLOW_ARG(socketcall, 0, SYS_SHUTDOWN), #endif +#if defined(__NR_ioctl) && defined(__s390__) + /* Allow ioctls for ICA crypto card on s390 */ + SC_ALLOW_ARG(ioctl, 1, Z90STAT_STATUS_MASK), + SC_ALLOW_ARG(ioctl, 1, ICARSAMODEXPO), + SC_ALLOW_ARG(ioctl, 1, ICARSACRT), +#endif /* defined(__NR_ioctl) && defined(__s390__) */ /* Default deny */ BPF_STMT(BPF_RET+BPF_K, SECCOMP_FILTER_FAIL), _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
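Review bot: The three new SC_ALLOW_ARG(ioctl, 1, ...) entries in preauth_insns use Z90STAT_STATUS_MASK, ICARSAMODEXPO and ICARSACRT, but the guard around them only tests __NR_ioctl and __s390__, and this hunk adds no include for the header that defines those constants (asm/zcrypt.h, per the quoted message). Unless the file already pulls that header in under the same __s390__ condition, these lines will not compile on s390; worth confirming, or additionally guarding on the macros being defined. The rules also match argument 1 (the request code) only, so the three requests are allowed on any file descriptor the sandboxed process holds. The comment "Allow ioctls for ICA crypto card on s390" could say that, and why exactly these three requests are needed, so later additions stay equally narrow.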