openssh/openssh-7.7p1-seccomp_ipc_flock.patch

# HG changeset patch
# Parent  9d38b7292619a6d5faf554b1a88888fdfa535de7
Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:

From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
To: openssh-unix-dev@mindrot.org
Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture
Date: Tue,  9 May 2017 14:27:13 -0300

In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
implementation) which calls the libraries that will communicate with the
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
this is only need on s390 architecture.

Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>

diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
--- openssh-7.7p1/sandbox-seccomp-filter.c
+++ openssh-7.7p1/sandbox-seccomp-filter.c
@@ -167,16 +167,19 @@ static const struct sock_filter preauth_
 	SC_ALLOW(__NR_exit_group),
 #endif
 #ifdef __NR_geteuid
 	SC_ALLOW(__NR_geteuid),
 #endif
 #ifdef __NR_geteuid32
 	SC_ALLOW(__NR_geteuid32),
 #endif
+#if defined(__NR_flock) && defined(__s390__)
+	SC_ALLOW(__NR_flock),
+#endif
 #ifdef __NR_getpgid
 	SC_ALLOW(__NR_getpgid),
 #endif
 #ifdef __NR_getpid
 	SC_ALLOW(__NR_getpid),
 #endif
 #ifdef __NR_getrandom
 	SC_ALLOW(__NR_getrandom),
@@ -185,16 +188,19 @@ static const struct sock_filter preauth_
 	SC_ALLOW(__NR_gettimeofday),
 #endif
 #ifdef __NR_getuid
 	SC_ALLOW(__NR_getuid),
 #endif
 #ifdef __NR_getuid32
 	SC_ALLOW(__NR_getuid32),
 #endif
+#if defined(__NR_ipc) && defined(__s390__)
+	SC_ALLOW(__NR_ipc),
+#endif
 #ifdef __NR_madvise
 	SC_ALLOW(__NR_madvise),
 #endif
 #ifdef __NR_mmap
 	SC_ALLOW(__NR_mmap),
 #endif
 #ifdef __NR_mmap2
 	SC_ALLOW(__NR_mmap2),
Accepting request 642573 from home:scarabeus_iv:branches:network - Update to 7.8p1: * no actual changes for the askpass - Format with spec-cleaner - Respect cflags - Use gtk3 rather than gtk2 which is being phased out - Remove the mention of the SLE12 in the README.SUSE - Install firewall rules only when really needed (<SLE15) - Version update to 7.8p1: * For most details see release notes file * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format - Rebase patches to apply on 7.8p1 release: * openssh-7.7p1-fips.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-gssapi_key_exchange.patch * openssh-7.7p1-audit.patch * openssh-7.7p1-openssl_1.1.0.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-disable_short_DH_parameters.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-seed-prng.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.7p1-X11_trusted_forwarding.patch - Dropped patches: OBS-URL: https://build.opensuse.org/request/show/642573 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153 2018-10-17 10:57:56 +02:00			`# HG changeset patch`
			`# Parent 9d38b7292619a6d5faf554b1a88888fdfa535de7`
			`Patch from IBM enabling the use of OpenCryptoki, submitted upstreams:`

			`From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>`
			`To: openssh-unix-dev@mindrot.org`
			`Subject: [PATCH 1/3] Allow flock and ipc syscall for s390 architecture`
			`Date: Tue, 9 May 2017 14:27:13 -0300`

			`In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock`
			`and ipc calls, because this engine calls OpenCryptoki (a PKCS#11`
			`implementation) which calls the libraries that will communicate with the`
			`crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,`
			`this is only need on s390 architecture.`

			`Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>`

			`diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c`
			`--- openssh-7.7p1/sandbox-seccomp-filter.c`
			`+++ openssh-7.7p1/sandbox-seccomp-filter.c`
			`@@ -167,16 +167,19 @@ static const struct sock_filter preauth_`
			`SC_ALLOW(__NR_exit_group),`
			`#endif`
			`#ifdef __NR_geteuid`
			`SC_ALLOW(__NR_geteuid),`
			`#endif`
			`#ifdef __NR_geteuid32`
			`SC_ALLOW(__NR_geteuid32),`
			`#endif`
			`+#if defined(__NR_flock) && defined(__s390__)`
			`+ SC_ALLOW(__NR_flock),`
			`+#endif`
			`#ifdef __NR_getpgid`
			`SC_ALLOW(__NR_getpgid),`
			`#endif`
			`#ifdef __NR_getpid`
			`SC_ALLOW(__NR_getpid),`
			`#endif`
			`#ifdef __NR_getrandom`
			`SC_ALLOW(__NR_getrandom),`
			`@@ -185,16 +188,19 @@ static const struct sock_filter preauth_`
			`SC_ALLOW(__NR_gettimeofday),`
			`#endif`
			`#ifdef __NR_getuid`
			`SC_ALLOW(__NR_getuid),`
			`#endif`
			`#ifdef __NR_getuid32`
			`SC_ALLOW(__NR_getuid32),`
			`#endif`
			`+#if defined(__NR_ipc) && defined(__s390__)`
			`+ SC_ALLOW(__NR_ipc),`
			`+#endif`
			`#ifdef __NR_madvise`
			`SC_ALLOW(__NR_madvise),`
			`#endif`
			`#ifdef __NR_mmap`
			`SC_ALLOW(__NR_mmap),`
			`#endif`
			`#ifdef __NR_mmap2`
			`SC_ALLOW(__NR_mmap2),`