[linux-2.6-block.git] / Documentation / security / LSM-sctp.rst

SCTP LSM Support
================

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks are described below with the SELinux implementation
described in ``Documentation/security/SELinux-sctp.rst``


security_sctp_assoc_request()
-----------------------------
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
-----------------------------
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                            sendmsg(2) or sctp_sendmsg(3) on a new asociation.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY


security_sctp_sk_clone()
-------------------------
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
calls **sctp_peeloff**\(3).
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @sk - pointer to new sock structure.


security_inet_conn_established()
---------------------------------
Called when a COOKIE ACK is received::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
=================================================
The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                          |
                                                          |
                                                          |
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_inet_conn_established()                    |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------
Commit	Line	Data
72e89f50 RH	1	SCTP LSM Support
	2	================
	3
	4	For security module support, three SCTP specific hooks have been implemented::
	5
	6	security_sctp_assoc_request()
	7	security_sctp_bind_connect()
	8	security_sctp_sk_clone()
	9
	10	Also the following security hook has been utilised::
	11
	12	security_inet_conn_established()
	13
	14	The usage of these hooks are described below with the SELinux implementation
	15	described in ``Documentation/security/SELinux-sctp.rst``
	16
	17
	18	security_sctp_assoc_request()
	19	-----------------------------
	20	Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
	21	security module. Returns 0 on success, error on failure.
	22	::
	23
	24	@ep - pointer to sctp endpoint structure.
	25	@skb - pointer to skbuff of association packet.
	26
	27
	28	security_sctp_bind_connect()
	29	-----------------------------
	30	Passes one or more ipv4/ipv6 addresses to the security module for validation
	31	based on the ``@optname`` that will result in either a bind or connect
	32	service as shown in the permission check tables below.
	33	Returns 0 on success, error on failure.
	34	::
	35
	36	@sk - Pointer to sock structure.
	37	@optname - Name of the option to validate.
	38	@address - One or more ipv4 / ipv6 addresses.
	39	@addrlen - The total length of address(s). This is calculated on each
	40	ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
	41	sizeof(struct sockaddr_in6).
	42
	43	------------------------------------------------------------------
	44	\| BIND Type Checks \|
	45	\| @optname \| @address contains \|
	46	\|----------------------------\|-----------------------------------\|
	47	\| SCTP_SOCKOPT_BINDX_ADD \| One or more ipv4 / ipv6 addresses \|
	48	\| SCTP_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	49	\| SCTP_SET_PEER_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	50	------------------------------------------------------------------
	51
	52	------------------------------------------------------------------
	53	\| CONNECT Type Checks \|
	54	\| @optname \| @address contains \|
	55	\|----------------------------\|-----------------------------------\|
	56	\| SCTP_SOCKOPT_CONNECTX \| One or more ipv4 / ipv6 addresses \|
	57	\| SCTP_PARAM_ADD_IP \| One or more ipv4 / ipv6 addresses \|
	58	\| SCTP_SENDMSG_CONNECT \| Single ipv4 or ipv6 address \|
	59	\| SCTP_PARAM_SET_PRIMARY \| Single ipv4 or ipv6 address \|
	60	------------------------------------------------------------------
	61
	62	A summary of the ``@optname`` entries is as follows::
	63
	64	SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
65	associated after (optionally) calling
66	bind(3).
67	sctp_bindx(3) adds a set of bind
68	addresses on a socket.
69
70	SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
71	addresses for reaching a peer
72	(multi-homed).
73	sctp_connectx(3) initiates a connection
74	on an SCTP socket using multiple
75	destination addresses.
76
77	SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
78	sendmsg(2) or sctp_sendmsg(3) on a new asociation.
79
80	SCTP_PRIMARY_ADDR - Set local primary address.
81
82	SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
83	association primary.
84
85	SCTP_PARAM_ADD_IP - These are used when Dynamic Address
86	SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
87
88
89	To support Dynamic Address Reconfiguration the following parameters must be
90	enabled on both endpoints (or use the appropriate setsockopt\(2))::
91
92	/proc/sys/net/sctp/addip_enable
93	/proc/sys/net/sctp/addip_noauth_enable
94
95	then the following _PARAM_'s are sent to the peer in an
96	ASCONF chunk when the corresponding ``@optname``'s are present::
97
98	@optname ASCONF Parameter
99	---------- ------------------
100	SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP
101	SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY
102
103
104	security_sctp_sk_clone()
105	-------------------------
106	Called whenever a new socket is created by accept\(2)
107	(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
108	calls sctp_peeloff\(3).
109	::
110
111	@ep - pointer to current sctp endpoint structure.
112	@sk - pointer to current sock structure.
113	@sk - pointer to new sock structure.
114
115
116	security_inet_conn_established()
117	---------------------------------
118	Called when a COOKIE ACK is received::
119
120	@sk - pointer to sock structure.
121	@skb - pointer to skbuff of the COOKIE ACK packet.
122
123
124	Security Hooks used for Association Establishment
125	=================================================
126	The following diagram shows the use of ``security_sctp_bind_connect()``,
127	``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
128	establishing an association.
129	::
130
131	SCTP endpoint "A" SCTP endpoint "Z"
132	================= =================
133	sctp_sf_do_prm_asoc()
134	Association setup can be initiated
135	by a connect(2), sctp_connectx(3),
136	sendmsg(2) or sctp_sendmsg(3).
137	These will result in a call to
138	security_sctp_bind_connect() to
139	initiate an association to
140	SCTP peer endpoint "Z".
141	INIT --------------------------------------------->
142	sctp_sf_do_5_1B_init()
143	Respond to an INIT chunk.
144	SCTP peer endpoint "A" is
145	asking for an association. Call
146	security_sctp_assoc_request()
147	to set the peer label if first
148	association.
149	If not first association, check
150	whether allowed, IF so send:
151	<----------------------------------------------- INIT ACK
152	\| ELSE audit event and silently
153	\| discard the packet.
154	\|
155	COOKIE ECHO ------------------------------------------>
156	\|
157	\|
158	\|
159	<------------------------------------------- COOKIE ACK
160	\| \|
161	sctp_sf_do_5_1E_ca \|
162	Call security_inet_conn_established() \|
163	to set the peer label. \|
164	\| \|
165	\| If SCTP_SOCKET_TCP or peeled off
166	\| socket security_sctp_sk_clone() is
167	\| called to clone the new socket.
168	\| \|
169	ESTABLISHED ESTABLISHED
170	\| \|
171	------------------------------------------------------------------
172	\| Association Established \|
173	------------------------------------------------------------------
174
175