forked from pool/openssh
7bccbbd821
- Update to 7.8p1: * no actual changes for the askpass - Format with spec-cleaner - Respect cflags - Use gtk3 rather than gtk2 which is being phased out - Remove the mention of the SLE12 in the README.SUSE - Install firewall rules only when really needed (<SLE15) - Version update to 7.8p1: * For most details see release notes file * ssh-keygen(1): write OpenSSH format private keys by default instead of using OpenSSL's PEM format - Rebase patches to apply on 7.8p1 release: * openssh-7.7p1-fips.patch * openssh-7.7p1-cavstest-kdf.patch * openssh-7.7p1-fips_checks.patch * openssh-7.7p1-gssapi_key_exchange.patch * openssh-7.7p1-audit.patch * openssh-7.7p1-openssl_1.1.0.patch * openssh-7.7p1-ldap.patch * openssh-7.7p1-IPv6_X_forwarding.patch * openssh-7.7p1-sftp_print_diagnostic_messages.patch * openssh-7.7p1-disable_short_DH_parameters.patch * openssh-7.7p1-hostname_changes_when_forwarding_X.patch * openssh-7.7p1-pam_check_locks.patch * openssh-7.7p1-seed-prng.patch * openssh-7.7p1-systemd-notify.patch * openssh-7.7p1-X11_trusted_forwarding.patch - Dropped patches: OBS-URL: https://build.opensuse.org/request/show/642573 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=153
37 lines
1.5 KiB
Diff
37 lines
1.5 KiB
Diff
# HG changeset patch
|
|
# Parent a7b18fdd68dba10349e59a9085fd822343311f45
|
|
Patch from IBM enabling use of EP11 hw crypto accelerator, submitted upstreams:
|
|
|
|
From: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
To: openssh-unix-dev@mindrot.org
|
|
Subject: [PATCH 3/3] Enable specific ioctl call for EP11 crypto card (s390)
|
|
Date: Tue, 9 May 2017 14:27:15 -0300
|
|
|
|
The EP11 crypto card needs to make an ioctl call, which receives an
|
|
specific argument. This crypto card is for s390 only.
|
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@linux.vnet.ibm.com>
|
|
|
|
diff --git a/openssh-7.7p1/sandbox-seccomp-filter.c b/openssh-7.7p1/sandbox-seccomp-filter.c
|
|
--- openssh-7.7p1/sandbox-seccomp-filter.c
|
|
+++ openssh-7.7p1/sandbox-seccomp-filter.c
|
|
@@ -248,16 +248,18 @@ static const struct sock_filter preauth_
|
|
SC_ALLOW_ARG(__NR_socketcall, 0, SYS_SHUTDOWN),
|
|
SC_DENY(__NR_socketcall, EACCES),
|
|
#endif
|
|
#if defined(__NR_ioctl) && defined(__s390__)
|
|
/* Allow ioctls for ICA crypto card on s390 */
|
|
SC_ALLOW_ARG(__NR_ioctl, 1, Z90STAT_STATUS_MASK),
|
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSAMODEXPO),
|
|
SC_ALLOW_ARG(__NR_ioctl, 1, ICARSACRT),
|
|
+ /* Allow ioctls for EP11 crypto card on s390 */
|
|
+ SC_ALLOW_ARG(__NR_ioctl, 1, ZSENDEP11CPRB),
|
|
#endif
|
|
#if defined(__x86_64__) && defined(__ILP32__) && defined(__X32_SYSCALL_BIT)
|
|
/*
|
|
* On Linux x32, the clock_gettime VDSO falls back to the
|
|
* x86-64 syscall under some circumstances, e.g.
|
|
* https://bugs.debian.org/849923
|
|
*/
|
|
SC_ALLOW(__NR_clock_gettime & ~__X32_SYSCALL_BIT),
|