| blob | d903eb97fcf3242319c9b6f724ead58f7020752e |
1 .. SPDX-License-Identifier: GPL-2.0
3 ====
4 SCTP
5 ====
7 SCTP LSM Support
8 ================
10 Security Hooks
11 --------------
13 For security module support, three SCTP specific hooks have been implemented::
15 security_sctp_assoc_request()
16 security_sctp_bind_connect()
17 security_sctp_sk_clone()
19 Also the following security hook has been utilised::
21 security_inet_conn_established()
23 The usage of these hooks are described below with the SELinux implementation
24 described in the `SCTP SELinux Support`_ chapter.
27 security_sctp_assoc_request()
28 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
29 Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
30 security module. Returns 0 on success, error on failure.
31 ::
33 @ep - pointer to sctp endpoint structure.
34 @skb - pointer to skbuff of association packet.
37 security_sctp_bind_connect()
38 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
39 Passes one or more ipv4/ipv6 addresses to the security module for validation
40 based on the ``@optname`` that will result in either a bind or connect
41 service as shown in the permission check tables below.
42 Returns 0 on success, error on failure.
43 ::
45 @sk - Pointer to sock structure.
46 @optname - Name of the option to validate.
47 @address - One or more ipv4 / ipv6 addresses.
48 @addrlen - The total length of address(s). This is calculated on each
49 ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
50 sizeof(struct sockaddr_in6).
52 ------------------------------------------------------------------
53 | BIND Type Checks |
54 | @optname | @address contains |
55 |----------------------------|-----------------------------------|
56 | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
57 | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address |
58 | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address |
59 ------------------------------------------------------------------
61 ------------------------------------------------------------------
62 | CONNECT Type Checks |
63 | @optname | @address contains |
64 |----------------------------|-----------------------------------|
65 | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses |
66 | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses |
67 | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address |
68 | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address |
69 ------------------------------------------------------------------
71 A summary of the ``@optname`` entries is as follows::
73 SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
74 associated after (optionally) calling
75 bind(3).
76 sctp_bindx(3) adds a set of bind
77 addresses on a socket.
79 SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
80 addresses for reaching a peer
81 (multi-homed).
82 sctp_connectx(3) initiates a connection
83 on an SCTP socket using multiple
84 destination addresses.
86 SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
87 sendmsg(2) or sctp_sendmsg(3) on a new asociation.
89 SCTP_PRIMARY_ADDR - Set local primary address.
91 SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
92 association primary.
94 SCTP_PARAM_ADD_IP - These are used when Dynamic Address
95 SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
98 To support Dynamic Address Reconfiguration the following parameters must be
99 enabled on both endpoints (or use the appropriate **setsockopt**\(2))::
101 /proc/sys/net/sctp/addip_enable
102 /proc/sys/net/sctp/addip_noauth_enable
104 then the following *_PARAM_*'s are sent to the peer in an
105 ASCONF chunk when the corresponding ``@optname``'s are present::
107 @optname ASCONF Parameter
108 ---------- ------------------
109 SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP
110 SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY
113 security_sctp_sk_clone()
114 ~~~~~~~~~~~~~~~~~~~~~~~~
115 Called whenever a new socket is created by **accept**\(2)
116 (i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
117 calls **sctp_peeloff**\(3).
118 ::
120 @ep - pointer to current sctp endpoint structure.
121 @sk - pointer to current sock structure.
122 @sk - pointer to new sock structure.
125 security_inet_conn_established()
126 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
127 Called when a COOKIE ACK is received::
129 @sk - pointer to sock structure.
130 @skb - pointer to skbuff of the COOKIE ACK packet.
133 Security Hooks used for Association Establishment
134 -------------------------------------------------
136 The following diagram shows the use of ``security_sctp_bind_connect()``,
137 ``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
138 establishing an association.
139 ::
141 SCTP endpoint "A" SCTP endpoint "Z"
142 ================= =================
143 sctp_sf_do_prm_asoc()
144 Association setup can be initiated
145 by a connect(2), sctp_connectx(3),
146 sendmsg(2) or sctp_sendmsg(3).
147 These will result in a call to
148 security_sctp_bind_connect() to
149 initiate an association to
150 SCTP peer endpoint "Z".
151 INIT --------------------------------------------->
152 sctp_sf_do_5_1B_init()
153 Respond to an INIT chunk.
154 SCTP peer endpoint "A" is
155 asking for an association. Call
156 security_sctp_assoc_request()
157 to set the peer label if first
158 association.
159 If not first association, check
160 whether allowed, IF so send:
161 <----------------------------------------------- INIT ACK
162 | ELSE audit event and silently
163 | discard the packet.
164 |
165 COOKIE ECHO ------------------------------------------>
166 |
167 |
168 |
169 <------------------------------------------- COOKIE ACK
170 | |
171 sctp_sf_do_5_1E_ca |
172 Call security_inet_conn_established() |
173 to set the peer label. |
174 | |
175 | If SCTP_SOCKET_TCP or peeled off
176 | socket security_sctp_sk_clone() is
177 | called to clone the new socket.
178 | |
179 ESTABLISHED ESTABLISHED
180 | |
181 ------------------------------------------------------------------
182 | Association Established |
183 ------------------------------------------------------------------
186 SCTP SELinux Support
187 ====================
189 Security Hooks
190 --------------
192 The `SCTP LSM Support`_ chapter above describes the following SCTP security
193 hooks with the SELinux specifics expanded below::
195 security_sctp_assoc_request()
196 security_sctp_bind_connect()
197 security_sctp_sk_clone()
198 security_inet_conn_established()
201 security_sctp_assoc_request()
202 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
203 Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
204 security module. Returns 0 on success, error on failure.
205 ::
207 @ep - pointer to sctp endpoint structure.
208 @skb - pointer to skbuff of association packet.
210 The security module performs the following operations:
211 IF this is the first association on ``@ep->base.sk``, then set the peer
212 sid to that in ``@skb``. This will ensure there is only one peer sid
213 assigned to ``@ep->base.sk`` that may support multiple associations.
215 ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
216 to determine whether the association should be allowed or denied.
218 Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
219 MLS portion taken from ``@skb peer sid``. This will be used by SCTP
220 TCP style sockets and peeled off connections as they cause a new socket
221 to be generated.
223 If IP security options are configured (CIPSO/CALIPSO), then the ip
224 options are set on the socket.
227 security_sctp_bind_connect()
228 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
229 Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
230 as follows::
232 ------------------------------------------------------------------
233 | BIND Permission Checks |
234 | @optname | @address contains |
235 |----------------------------|-----------------------------------|
236 | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
237 | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address |
238 | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address |
239 ------------------------------------------------------------------
241 ------------------------------------------------------------------
242 | CONNECT Permission Checks |
243 | @optname | @address contains |
244 |----------------------------|-----------------------------------|
245 | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses |
246 | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses |
247 | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address |
248 | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address |
249 ------------------------------------------------------------------
252 `SCTP LSM Support`_ gives a summary of the ``@optname``
253 entries and also describes ASCONF chunk processing when Dynamic Address
254 Reconfiguration is enabled.
257 security_sctp_sk_clone()
258 ~~~~~~~~~~~~~~~~~~~~~~~~
259 Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
260 socket) or when a socket is 'peeled off' e.g userspace calls
261 **sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
262 sockets sid and peer sid to that contained in the ``@ep sid`` and
263 ``@ep peer sid`` respectively.
264 ::
266 @ep - pointer to current sctp endpoint structure.
267 @sk - pointer to current sock structure.
268 @sk - pointer to new sock structure.
271 security_inet_conn_established()
272 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
273 Called when a COOKIE ACK is received where it sets the connection's peer sid
274 to that in ``@skb``::
276 @sk - pointer to sock structure.
277 @skb - pointer to skbuff of the COOKIE ACK packet.
280 Policy Statements
281 -----------------
282 The following class and permissions to support SCTP are available within the
283 kernel::
285 class sctp_socket inherits socket { node_bind }
287 whenever the following policy capability is enabled::
289 policycap extended_socket_class;
291 SELinux SCTP support adds the ``name_connect`` permission for connecting
292 to a specific port type and the ``association`` permission that is explained
293 in the section below.
295 If userspace tools have been updated, SCTP will support the ``portcon``
296 statement as shown in the following example::
298 portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
301 SCTP Peer Labeling
302 ------------------
303 An SCTP socket will only have one peer label assigned to it. This will be
304 assigned during the establishment of the first association. Any further
305 associations on this socket will have their packet peer label compared to
306 the sockets peer label, and only if they are different will the
307 ``association`` permission be validated. This is validated by checking the
308 socket peer sid against the received packets peer sid to determine whether
309 the association should be allowed or denied.
311 NOTES:
312 1) If peer labeling is not enabled, then the peer context will always be
313 ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
315 2) As SCTP can support more than one transport address per endpoint
316 (multi-homing) on a single socket, it is possible to configure policy
317 and NetLabel to provide different peer labels for each of these. As the
318 socket peer label is determined by the first associations transport
319 address, it is recommended that all peer labels are consistent.
321 3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
322 context.
324 4) While not SCTP specific, be aware when using NetLabel that if a label
325 is assigned to a specific interface, and that interface 'goes down',
326 then the NetLabel service will remove the entry. Therefore ensure that
327 the network startup scripts call **netlabelctl**\(8) to set the required
328 label (see **netlabel-config**\(8) helper script for details).
330 5) The NetLabel SCTP peer labeling rules apply as discussed in the following
331 set of posts tagged "netlabel" at: http://www.paul-moore.com/blog/t.
333 6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
334 CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``
336 Note the following when testing CIPSO/CALIPSO:
337 a) CIPSO will send an ICMP packet if an SCTP packet cannot be
338 delivered because of an invalid label.
339 b) CALIPSO does not send an ICMP packet, just silently discards it.
341 7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
342 implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
343 although the kernel supports SCTP/IPSEC.