authorCoprDistGit <infra@openeuler.org>2024-07-03 02:42:38 +0000
committerCoprDistGit <infra@openeuler.org>2024-07-03 02:42:38 +0000
commit3c362eae690284f325824e38431881825e32ffdd (patch)
treed2d0e11b92bf88d35c270559d268845d391a4703 /backport-openssh-7.5p1-sandbox.patch
parent62f0a34c39a6846b6a86f2bbc7fb8c319bd46d94 (diff)
automatic import of openssh
Diffstat (limited to 'backport-openssh-7.5p1-sandbox.patch')
-rw-r--r--backport-openssh-7.5p1-sandbox.patch91
1 files changed, 91 insertions, 0 deletions
diff --git a/backport-openssh-7.5p1-sandbox.patch b/backport-openssh-7.5p1-sandbox.patch
new file mode 100644
index 0000000..e0c4109
--- /dev/null
+++ b/backport-openssh-7.5p1-sandbox.patch
@@ -0,0 +1,91 @@
+In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
+and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
+implementation) which calls the libraries that will communicate with the
+crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
+this is only need on s390 architecture.
+
+Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
+---
+ sandbox-seccomp-filter.c | 6 ++++++
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index ca75cc7..6e7de31 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
+@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_exit_group
+ SC_ALLOW(__NR_exit_group),
+ #endif
++#if defined(__NR_flock) && defined(__s390__)
++ SC_ALLOW(__NR_flock),
++#endif
+ #ifdef __NR_futex
+ SC_ALLOW(__NR_futex),
+ #endif
+@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_gettimeofday
+ SC_ALLOW(__NR_gettimeofday),
+ #endif
++#if defined(__NR_ipc) && defined(__s390__)
++ SC_ALLOW(__NR_ipc),
++#endif
+ #ifdef __NR_getuid
+ SC_ALLOW(__NR_getuid),
+ #endif
+--
+1.9.1
+
+getuid and geteuid are needed when using an openssl engine that calls a
+crypto card, e.g. ICA (libica).
+Those syscalls are also needed by the distros for audit code.
+
+Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
+---
+ sandbox-seccomp-filter.c | 12 ++++++++++++
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
+ 1 file changed, 12 insertions(+)
+
+diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
+index 6e7de31..e86aa2c 100644
+--- a/sandbox-seccomp-filter.c
++++ b/sandbox-seccomp-filter.c
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
+@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
+ #ifdef __NR_getpid
+ SC_ALLOW(__NR_getpid),
+ #endif
++#ifdef __NR_getuid
++ SC_ALLOW(__NR_getuid),
++#endif
++#ifdef __NR_getuid32
++ SC_ALLOW(__NR_getuid32),
++#endif
++#ifdef __NR_geteuid
++ SC_ALLOW(__NR_geteuid),
++#endif
++#ifdef __NR_geteuid32
++ SC_ALLOW(__NR_geteuid32),
++#endif
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+ #endif
+-- 1.9.1
+1.9.1
+diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
+--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
++++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
+Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
+@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
+ #ifdef __NR_geteuid32
+ SC_ALLOW(__NR_geteuid32),
+ #endif
++#ifdef __NR_gettid
++ SC_ALLOW(__NR_gettid),
++#endif
+ #ifdef __NR_getrandom
+ SC_ALLOW(__NR_getrandom),
+ #endif
+
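Review bot: The `SC_ALLOW(__NR_ipc)` entry added by the first embedded patch admits the multiplexed SysV IPC syscall into the pre-authentication seccomp filter on s390 with no argument check, so every IPC operation becomes reachable from the sandboxed child, not only the ones OpenCryptoki needs. If the required operations are known, match on the first argument instead (upstream's filter has `SC_ALLOW_ARG` for this, assuming this tree carries it), or at least record the reason beside the entry, e.g. `/* s390 only: OpenCryptoki (ibmpkcs11 engine) needs SysV IPC; widens the preauth sandbox */`. The second embedded patch adds another `__NR_getuid` block after `__NR_getpid`, although the first patch's context already shows one after `__NR_gettimeofday`, and the `__NR_gettid` addition in the last patch has no description saying which library needs it. The `Reference:` lines also sit between each `+++` header and its `@@` line, which stricter patch tools may reject; moving them into the description above the `---` separator would keep the headers intact.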