[Bug 2752] Allow syscalls for openssl engines on s390x

2019-10-05 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Damien Miller  changed:

   What      |Removed |Added
   ----------+--------+---------
   Status    |NEW     |RESOLVED
   Blocks    |        |2988
   Resolution|---     |FIXED

--- Comment #9 from Damien Miller  ---
Applied and will be in OpenSSH 8.1


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2988
[Bug 2988] Tracking bug for 8.1 release
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
___
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs


[Bug 2752] Allow syscalls for openssl engines on s390x

2019-10-03 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Jakub Jelen  changed:

   What      |Removed |Added
   ----------+--------+---------
   CC        |        |jje...@redhat.com

--- Comment #8 from Jakub Jelen  ---
Eduardo, are these changes still needed? I am interested mostly in the
ZSENDEP11CPRB, which is carried in most of the distros (suse, ubuntu,
fedora), but not yet merged because of an unanswered question in the last
comment.
My searches on the internet did not uncover anything interesting, mostly
kernel driver source code and examples [1].

Damien, would it be possible to merge this, as there are already many
other ioctls for s390 in, from commits b3a77b25e, e3ea335ab and
5f1596e11?

[1]
https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lkdd/lkdd_r_zcryptctl_cmd.html



[Bug 2752] Allow syscalls for openssl engines on s390x

2018-05-24 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #7 from Damien Miller  ---
I've committed the getuid patch.

wrt the remaining patches:

There isn't much point in permitting flock() - the process is in a
chroot environment and all fs operations should fail here. Could we
SC_DENY it with ENOENT or EACCES instead?

The ipc(2) syscall is much too broad to allow in a sandbox - it
includes a number of capabilities that could be used for sandbox
escape. Is there a safe subset that could be enabled?

Is there any documentation on the ZSENDEP11CPRB ioctl?


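What the deny-with-errno approach from comment #7 looks like as a seccomp-bpf table, written here as an added example (this is not OpenSSH's sandbox-seccomp-filter.c; the SC_ALLOW/SC_DENY macro names follow its convention, the syscall list is a constructed toy policy, and Linux x86_64 headers are assumed). flock() returns ENOENT to the caller, unlisted syscalls still kill the process:

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/file.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Match one syscall number, then allow it or fail it with an errno (the process keeps running). */
#define SC_ALLOW(nr) \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
#define SC_DENY(nr, err) \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((err) & SECCOMP_RET_DATA))
/* Constructed toy policy (the arch check a real filter starts with is omitted). */
static struct sock_filter filter[] = {
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
	SC_DENY(SYS_flock, ENOENT), /* chroot: let the lock fail, don't kill sshd */
	SC_ALLOW(SYS_getuid),
	SC_ALLOW(SYS_geteuid),
	SC_ALLOW(SYS_write),
	SC_ALLOW(SYS_exit_group),
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL), /* anything not listed: kill */
};

/* Static check of the table: 0 = allowed, >0 = errno returned, -1 = killed. */
static int filter_verdict(int nr)
{
	size_t n = sizeof(filter) / sizeof(filter[0]);
	for (size_t i = 1; i + 1 < n; i += 2) {
		unsigned ret = filter[i + 1].k;
		if (filter[i].k == (unsigned)nr)
			return (ret & SECCOMP_RET_ACTION) == SECCOMP_RET_ALLOW ? 0 : (int)(ret & SECCOMP_RET_DATA);
	}
	return -1;
}

int main(void)
{
	struct sock_fprog prog = { .len = sizeof(filter) / sizeof(filter[0]), .filter = filter };
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog))
		return 1;
	const char *msg = (flock(0, LOCK_SH) == -1 && errno == ENOENT)
	    ? "flock: ENOENT, sandboxed process still alive\n" : "flock: unexpected result\n";
	write(1, msg, strlen(msg)); /* raw write(2): stdio could issue unlisted syscalls */
	_exit(0);
}
```

filter_verdict() only inspects the table; main() actually installs it, so run it in a throwaway process.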

[Bug 2752] Allow syscalls for openssl engines on s390x

2017-09-22 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #6 from ebarre...@linux.vnet.ibm.com ---
(In reply to Damien Miller from comment #5)
> Yeah, I agree. Would it be feasible to skip using the engines in the
> pre-auth phase entirely?

Hi Damien,

We have on S390 two OpenSSL engines, one more specific (it is specific to
one crypto card) and one more generic that works with different crypto
cards/devices. The first is openssl-ibmca and the latter
openssl-ibmpkcs11.

We already did some changes to the seccomp filter (openssh-7.5) for the
ibmca engine, but getuid and geteuid were missing, as they were enabled
in some distros' openssh packages but not in others.
Can we get the getuid and geteuid patch integrated for now?

The other engine, ibmpkcs11, which needs the SysV IPC, is not yet
released, and we can work on an alternative based on your feedback.

Does this work for you?

Thanks,
Eduardo



[Bug 2752] Allow syscalls for openssl engines on s390x

2017-09-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #5 from Damien Miller  ---
Yeah, I agree. Would it be feasible to skip using the engines in the
pre-auth phase entirely?



[Bug 2752] Allow syscalls for openssl engines on s390x

2017-09-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #4 from Darren Tucker  ---
Comment on attachment 3055
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3055
Allow-flock-and-ipc-syscall-for-s390-architecture

SysV IPC seems like a big increase in attack surface, even when this
hardware is not in use?



[Bug 2752] Allow syscalls for openssl engines on s390x

2017-09-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Darren Tucker  changed:

   What                  |Removed |Added
   ----------------------+--------+---------
   CC                    |        |dtuc...@zip.com.au
   Attachment #3056 Flags|        |ok+



[Bug 2752] Allow syscalls for openssl engines on s390x

2017-09-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

--- Comment #2 from Damien Miller  ---
Created attachment 3056
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3056&action=edit
Allow-getuid-and-geteuid-calls



[Bug 2752] Allow syscalls for openssl engines on s390x

2017-09-21 Thread bugzilla-daemon
https://bugzilla.mindrot.org/show_bug.cgi?id=2752

Damien Miller  changed:

   What                        |Removed |Added
   ----------------------------+--------+---------
   Attachment #3025 is obsolete|0       |1
   CC                          |        |d...@mindrot.org

--- Comment #1 from Damien Miller  ---
Created attachment 3055
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3055&action=edit
Allow-flock-and-ipc-syscall-for-s390-architecture
