LSM-sctp.rst 7.53 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175
SCTP LSM Support
================

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks are described below with the SELinux implementation
described in ``Documentation/security/SELinux-sctp.rst``


security_sctp_assoc_request()
-----------------------------
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
-----------------------------
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                            sendmsg(2) or sctp_sendmsg(3) on a new asociation.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY


security_sctp_sk_clone()
-------------------------
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
calls **sctp_peeloff**\(3).
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @sk - pointer to new sock structure.


security_inet_conn_established()
---------------------------------
Called when a COOKIE ACK is received::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
=================================================
The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                          |
                                                          |
                                                          |
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_inet_conn_established()                    |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------