Comment 8 for bug 1686618

bugproxy (bugproxy) wrote : patch to enable geteuid syscall in sshd sandbox on s390

------- Comment on attachment From <email address hidden> 2017-05-09 05:35 EDT-------

Here is a patch which enables the geteuid syscall in sshd sandbox on s390.

Background: during initialization of the libica shared lib a system call to find the real user id is invoked. So when the library chain required by openssh comes to life (openssl - ibmca engine - libica), and it looks like the ibmca engine initialization and so the libica initialization is now triggered somewhere later while running in the seccomp environment, this call was filtered out with signal 31, which caused the authentication process to fail.

Fixed by allowing the geteuid syscall within openssh's seccomp sandbox only for the s390 platform.

Please note, this fix is on top of 3 other patches required:

0001-Fix-weakness-in-seccomp-bpf-sandbox-arg-inspection.patch
0002-support-ioctls-for-ICA-crypto-card-on-Linux-s390.patch
0003-Missing-header-on-Linux-s390.patch

Please note also that the upstream patch will be different to this one as there has been some rework on the seccomp macros. I'll send the upstream patch to Eduardo dos Santos Barretto for contributing to openssh.

regards H.Freudenberger
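
The failure described in the comment above (a sandboxed sshd child killed with signal 31 for a syscall missing from the allowlist) can be confirmed from the kernel's SECCOMP audit records. The following is an added example, not part of the original comment or of the OpenSSH patch; the sample records are constructed, and the s390x syscall numbers and function names are assumptions of this example to be checked against the target's headers.

```python
import re

# Assumption: s390x (64-bit) syscall numbers; confirm against <asm/unistd.h> on the target.
S390X_SYSCALLS = {199: "getuid", 200: "getgid", 201: "geteuid", 202: "getegid"}
AUDIT_ARCH_S390X = 0x80000016  # EM_S390 (22) with the 64-bit audit flag set
SIGSYS = 31                    # "signal 31": SIGSYS on Linux s390

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit records (not taken from the bug report).
SAMPLE_AUDIT_LINES = [
    'type=USER_LOGIN msg=audit(1494322499.900:455): pid=4100 uid=0 exe="/usr/sbin/sshd" res=failed',
    'type=SECCOMP msg=audit(1494322500.123:456): auid=4294967295 uid=0 gid=0 ses=4294967295 '
    'pid=4101 comm="sshd" exe="/usr/sbin/sshd" sig=31 arch=80000016 syscall=201 compat=0 '
    'ip=0x3ffb7e12345 code=0x0',
    'type=SECCOMP msg=audit(1494322501.000:457): uid=0 pid=4200 comm="cupsd" sig=31 '
    'arch=80000016 syscall=199 compat=0 code=0x0',
    'type=SECCOMP msg=audit(1494322502.000:458): uid=0 pid=4300 comm="sshd" sig=31 '
    'arch=c000003e syscall=201 compat=0 code=0x0',
    'type=SECCOMP msg=audit(1494322503.000:459): uid=0 pid=4400 comm="sshd" sig=0 '
    'arch=80000016 syscall=202 compat=0 code=0x7ffc0000',
]

def parse_seccomp_record(line):
    """Return the key=value fields of a SECCOMP audit record, or None for other records."""
    if not line.startswith("type=SECCOMP"):
        return None
    return {key: value.strip('"') for key, value in FIELD.findall(line)}

def blocked_syscalls(lines, comm="sshd"):
    """List (number, name) of syscalls whose filtering killed `comm` with SIGSYS on s390x."""
    hits = set()
    for line in lines:
        fields = parse_seccomp_record(line)
        if not fields or fields.get("comm") != comm:
            continue
        if int(fields.get("sig", "0")) != SIGSYS:
            continue  # logged but not killed
        if int(fields.get("arch", "0"), 16) != AUDIT_ARCH_S390X:
            continue  # syscall numbers are per-architecture; do not mix tables
        nr = int(fields.get("syscall", "-1"))
        hits.add((nr, S390X_SYSCALLS.get(nr, "unknown")))
    return sorted(hits)

if __name__ == "__main__":
    for nr, name in blocked_syscalls(SAMPLE_AUDIT_LINES):
        print(f"sshd sandbox killed on syscall {nr} ({name})")
```

A syscall that shows up here is a candidate for the sandbox allowlist only after checking why the sandboxed process needs it, as was done for the libica initialization in this bug.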