f2c3d6e19a
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-4.3p2-askpass-grab-info.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.1p1-askpass-progress.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.8p2-sigpipe.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-5.9p1-ipv6man.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.3p1-ctr-evp-fast.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.4p1-fromto-remote.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-log-in-chroot.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-scp-non-existing-directory.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6.1p1-selinux-contexts.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-allow-ip-opts.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-force_krb.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-GSSAPIEnablek5users.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keycat.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-keyperm.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-kuserok.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.6p1-privsep-selinux.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-coverity.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.7p1-sftp-force-permission.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-6.8p1-sshdT-output.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.1p2-audit-race-condition.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-k5login_directory.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-s390-closefrom.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.2p2-x11.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.3p1-x11-max-displays.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.4p1-systemd.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.5p1-sandbox.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.6p1-audit.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.6p1-cleanup-selinux.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-fips.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1-gssapi-new-unique.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.7p1.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-role-mls.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-scp-ipv6.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-7.8p1-UsePAM-warning.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-crypto-policies.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-gssapi-keyex.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-keygen-strip-doseol.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-openssl-evp.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-openssl-kdf.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-preserve-pam-errors.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.2p1-visibility.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.2p1-x11-without-ipv6.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.7p1-scp-kill-switch.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.2-compat.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.2-dereference.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.10.3-seteuid.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.2-visibility.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.3-agent_structure.patch https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/pam_ssh_agent_auth-0.9.3-build.patch
92 lines
3.0 KiB
Diff
92 lines
3.0 KiB
Diff
In order to use the OpenSSL-ibmpkcs11 engine it is needed to allow flock
|
|
and ipc calls, because this engine calls OpenCryptoki (a PKCS#11
|
|
implementation) which calls the libraries that will communicate with the
|
|
crypto cards. OpenCryptoki makes use of flock and ipc and, as of now,
|
|
this is only need on s390 architecture.
|
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
---
|
|
sandbox-seccomp-filter.c | 6 ++++++
|
|
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
index ca75cc7..6e7de31 100644
|
|
--- a/sandbox-seccomp-filter.c
|
|
+++ b/sandbox-seccomp-filter.c
|
|
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
|
|
@@ -166,6 +166,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
#ifdef __NR_exit_group
|
|
SC_ALLOW(__NR_exit_group),
|
|
#endif
|
|
+#if defined(__NR_flock) && defined(__s390__)
|
|
+ SC_ALLOW(__NR_flock),
|
|
+#endif
|
|
#ifdef __NR_futex
|
|
SC_ALLOW(__NR_futex),
|
|
#endif
|
|
@@ -178,6 +181,9 @@ static const struct sock_filter preauth_insns[] = {
|
|
#ifdef __NR_gettimeofday
|
|
SC_ALLOW(__NR_gettimeofday),
|
|
#endif
|
|
+#if defined(__NR_ipc) && defined(__s390__)
|
|
+ SC_ALLOW(__NR_ipc),
|
|
+#endif
|
|
#ifdef __NR_getuid
|
|
SC_ALLOW(__NR_getuid),
|
|
#endif
|
|
--
|
|
1.9.1
|
|
|
|
getuid and geteuid are needed when using an openssl engine that calls a
|
|
crypto card, e.g. ICA (libica).
|
|
Those syscalls are also needed by the distros for audit code.
|
|
|
|
Signed-off-by: Eduardo Barretto <ebarretto@xxxxxxxxxxxxxxxxxx>
|
|
---
|
|
sandbox-seccomp-filter.c | 12 ++++++++++++
|
|
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
|
|
1 file changed, 12 insertions(+)
|
|
|
|
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
|
|
index 6e7de31..e86aa2c 100644
|
|
--- a/sandbox-seccomp-filter.c
|
|
+++ b/sandbox-seccomp-filter.c
|
|
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
|
|
@@ -175,6 +175,18 @@ static const struct sock_filter preauth_insns[] = {
|
|
#ifdef __NR_getpid
|
|
SC_ALLOW(__NR_getpid),
|
|
#endif
|
|
+#ifdef __NR_getuid
|
|
+ SC_ALLOW(__NR_getuid),
|
|
+#endif
|
|
+#ifdef __NR_getuid32
|
|
+ SC_ALLOW(__NR_getuid32),
|
|
+#endif
|
|
+#ifdef __NR_geteuid
|
|
+ SC_ALLOW(__NR_geteuid),
|
|
+#endif
|
|
+#ifdef __NR_geteuid32
|
|
+ SC_ALLOW(__NR_geteuid32),
|
|
+#endif
|
|
#ifdef __NR_getrandom
|
|
SC_ALLOW(__NR_getrandom),
|
|
#endif
|
|
-- 1.9.1
|
|
1.9.1
|
|
diff -up openssh-7.6p1/sandbox-seccomp-filter.c.sandbox openssh-7.6p1/sandbox-seccomp-filter.c
|
|
--- openssh-7.6p1/sandbox-seccomp-filter.c.sandbox 2017-12-12 13:59:30.563874059 +0100
|
|
+++ openssh-7.6p1/sandbox-seccomp-filter.c 2017-12-12 13:59:14.842784083 +0100
|
|
Reference:https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/backport-openssh-7.5p1-sandbox.patch
|
|
@@ -190,6 +190,9 @@ static const struct sock_filter preauth_
|
|
#ifdef __NR_geteuid32
|
|
SC_ALLOW(__NR_geteuid32),
|
|
#endif
|
|
+#ifdef __NR_gettid
|
|
+ SC_ALLOW(__NR_gettid),
|
|
+#endif
|
|
#ifdef __NR_getrandom
|
|
SC_ALLOW(__NR_getrandom),
|
|
#endif
|
|
|