[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Damien Miller changed:
What      |Removed |Added
Status    |NEW     |RESOLVED
Blocks    |        |2988
Resolution|---     |FIXED

--- Comment #9 from Damien Miller ---
Applied and will be in OpenSSH 8.1

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Jakub Jelen changed:
What|Removed |Added
CC  |        |jje...@redhat.com

--- Comment #8 from Jakub Jelen ---
Eduardo, are these changes still needed? I am interested mostly in the ZSENDEP11CPRB, which is carried in most of the distros (suse, ubuntu, fedora), but not yet merged because of an unanswered question in the last comment. My searches on the internet did not uncover anything interesting, mostly kernel driver source code and examples [1].

Damien, would it be possible to merge this, as there are already many other ioctls for s390 in, from commits b3a77b25e, e3ea335ab and 5f1596e11?

[1] https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lkdd/lkdd_r_zcryptctl_cmd.html
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #7 from Damien Miller ---
I've committed the getuid patch.

wrt the remaining patches:

There isn't much point in permitting flock() - the process is in a chroot environment and all fs operations should fail here. Could we SC_DENY it with ENOENT or EACCES instead?

The ipc(2) syscall is much too broad to allow in a sandbox - it includes a number of capabilities that could be used for sandbox escape. Is there a safe subset that could be enabled?

Is there any documentation on the ZSENDEP11CPRB ioctl?
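The two filter choices raised in comment #7, failing a syscall with an errno instead of killing the process and allowing ioctl(2) only for one specific request number (the way OpenSSH's sandbox-seccomp-filter.c gates the s390 ioctls), written out as a small seccomp-BPF program. This is an added example, not OpenSSH's code and not one of the attachments on this bug. It makes three assumptions that differ from the real sandbox: the default action is ALLOW rather than KILL so the filter can be installed inside an ordinary test process; FIONREAD stands in for the EP11 ioctl number, which is not given on this page; and the SC_DENY/SC_ALLOW_ARG1 macro names are modelled on OpenSSH's but are this example's own.

```c
/* Added example, not OpenSSH code: a minimal seccomp-BPF filter in the
 * style of sandbox-seccomp-filter.c. Unlike OpenSSH's sandbox, which kills
 * on anything not allow-listed, this one allows by default so it can be
 * installed in a normal test process. Linux only. */
#define _GNU_SOURCE
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__s390x__)
# define SECCOMP_AUDIT_ARCH AUDIT_ARCH_S390X
#else
# error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS
# define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Offset of the low 32 bits of syscall argument 1: args are 64-bit but BPF
 * loads 32-bit words, and s390x is big-endian while x86_64 is little-endian. */
#if __BYTE_ORDER == __LITTLE_ENDIAN
# define ARG1_LO_OFFSET offsetof(struct seccomp_data, args[1])
#else
# define ARG1_LO_OFFSET (offsetof(struct seccomp_data, args[1]) + 4)
#endif

/* Fail syscall _nr with errno _errno instead of killing the process. */
#define SC_DENY(_nr, _errno) \
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (_nr), 0, 1), \
    BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ERRNO|(_errno))
/* Allow syscall _nr only when arg1 (the ioctl request) equals _arg; on a
 * mismatch reload nr into the accumulator and fall through to later rules. */
#define SC_ALLOW_ARG1(_nr, _arg) \
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (_nr), 0, 4), \
    BPF_STMT(BPF_LD|BPF_W|BPF_ABS, ARG1_LO_OFFSET), \
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, (_arg), 0, 1), \
    BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW), \
    BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr))

static struct sock_filter filter[] = {
    /* Kill if the syscall ABI is not the one the numbers below belong to. */
    BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP|BPF_JEQ|BPF_K, SECCOMP_AUDIT_ARCH, 1, 0),
    BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD|BPF_W|BPF_ABS, offsetof(struct seccomp_data, nr)),
    SC_DENY(__NR_flock, EACCES),          /* what the thread proposes for flock() */
    SC_ALLOW_ARG1(__NR_ioctl, FIONREAD),  /* stand-in for the one EP11 ioctl */
    SC_DENY(__NR_ioctl, EPERM),           /* every other ioctl request */
    BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
};

/* Returns 0 on success. NO_NEW_PRIVS lets an unprivileged process install it. */
int install_filter(void)
{
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* errno that flock() fails with under the filter (0 if it succeeded). */
int flock_errno_under_filter(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return -1;
    int e = (flock(fd, LOCK_SH) == -1) ? errno : 0;
    close(fd);
    return e;
}

/* The permitted ioctl still works: 3 bytes in a pipe -> FIONREAD reports 3.
 * Returns -errno if the filter refused it. */
int fionread_under_filter(void)
{
    int p[2], n = 0;
    if (pipe(p) == -1 || write(p[1], "abc", 3) != 3)
        return -1;
    int r = ioctl(p[0], FIONREAD, &n), e = errno;
    close(p[0]);
    close(p[1]);
    return r == -1 ? -e : n;
}

/* Any other request is refused by the filter with EPERM, not ENOTTY. */
int other_ioctl_errno_under_filter(void)
{
    int p[2];
    struct winsize ws;
    if (pipe(p) == -1)
        return -1;
    int e = (ioctl(p[0], TIOCGWINSZ, &ws) == -1) ? errno : 0;
    close(p[0]);
    close(p[1]);
    return e;
}

int main(void)
{
    if (install_filter() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("flock errno=%d fionread=%d other ioctl errno=%d\n",
           flock_errno_under_filter(), fionread_under_filter(),
           other_ioctl_errno_under_filter());
    return 0;
}
```

The errno path is what makes the difference for a library like an OpenSSL engine that was not written with the sandbox in mind: flock() returning EACCES lets the caller take its error path, whereas SECCOMP_RET_KILL terminates the pre-auth process outright. The arg-matching rule is the shape OpenSSH uses for its s390 ioctl allowances: one request number is let through and the filter falls through for everything else, so the broad ioctl surface stays closed.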
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #6 from ebarre...@linux.vnet.ibm.com ---
(In reply to Damien Miller from comment #5)
> Yeah, I agree. Would it be feasible to skip using the engines in the
> pre-auth phase entirely?

Hi Damien,

We have on S390 two OpenSSL engines, one more specific (it is specific to one crypto card) and one more generic that works with different crypto cards/devices. The first is openssl-ibmca and the last one is openssl-ibmpkcs11.

We already did some changes on the seccomp filter (openssh-7.5) for the ibmca engine, but getuid and geteuid were missing, as they were enabled in some distros' openssh packages but not in others. Can we get the getuid and geteuid patch integrated for now?

The other engine, ibmpkcs11, which needs the SysV IPC, is not yet released, and we can work on an alternative based on your feedback.

Does this work for you?

Thanks,
Eduardo
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #5 from Damien Miller ---
Yeah, I agree. Would it be feasible to skip using the engines in the pre-auth phase entirely?
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #4 from Darren Tucker ---
Comment on attachment 3055 --> https://bugzilla.mindrot.org/attachment.cgi?id=3055
Allow-flock-and-ipc-syscall-for-s390-architecture

SysV IPC seems like a big increase in attack surface even when this hardware is not in use?
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Darren Tucker changed:
What                  |Removed |Added
CC                    |        |dtuc...@zip.com.au
Attachment #3056 Flags|        |ok+
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #2 from Damien Miller ---
Created attachment 3056 --> https://bugzilla.mindrot.org/attachment.cgi?id=3056&action=edit
Allow-getuid-and-geteuid-calls
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #3 from Damien Miller ---
Created attachment 3057 --> https://bugzilla.mindrot.org/attachment.cgi?id=3057&action=edit
Enable-specific-ioctl-call-for-EP11-crypto-card-s390
[Bug 2752] Allow syscalls for openssl engines on s390x
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Damien Miller changed:
What                        |Removed |Added
Attachment #3025 is obsolete|0       |1
CC                          |        |d...@mindrot.org

--- Comment #1 from Damien Miller ---
Created attachment 3055 --> https://bugzilla.mindrot.org/attachment.cgi?id=3055&action=edit
Allow-flock-and-ipc-syscall-for-s390-architecture