Commit | Line | Data |
---|---|---|
d61330c6 KC |
1 | .. SPDX-License-Identifier: GPL-2.0 |
2 | ||
3 | ==== | |
4 | SCTP | |
5 | ==== | |
6 | ||
72e89f50 RH |
7 | SCTP LSM Support |
8 | ================ | |
9 | ||
d61330c6 KC |
10 | Security Hooks |
11 | -------------- | |
12 | ||
72e89f50 RH |
13 | For security module support, three SCTP specific hooks have been implemented:: |
14 | ||
15 | security_sctp_assoc_request() | |
16 | security_sctp_bind_connect() | |
17 | security_sctp_sk_clone() | |
18 | ||
19 | Also the following security hook has been utilised:: | |
20 | ||
21 | security_inet_conn_established() | |
22 | ||
23 | The usage of these hooks are described below with the SELinux implementation | |
d61330c6 | 24 | described in the `SCTP SELinux Support`_ chapter. |
72e89f50 RH |
25 | |
26 | ||
27 | security_sctp_assoc_request() | |
d61330c6 | 28 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
72e89f50 RH |
29 | Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the |
30 | security module. Returns 0 on success, error on failure. | |
31 | :: | |
32 | ||
33 | @ep - pointer to sctp endpoint structure. | |
34 | @skb - pointer to skbuff of association packet. | |
35 | ||
36 | ||
37 | security_sctp_bind_connect() | |
d61330c6 | 38 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
72e89f50 RH |
39 | Passes one or more ipv4/ipv6 addresses to the security module for validation |
40 | based on the ``@optname`` that will result in either a bind or connect | |
41 | service as shown in the permission check tables below. | |
42 | Returns 0 on success, error on failure. | |
43 | :: | |
44 | ||
45 | @sk - Pointer to sock structure. | |
46 | @optname - Name of the option to validate. | |
47 | @address - One or more ipv4 / ipv6 addresses. | |
48 | @addrlen - The total length of address(s). This is calculated on each | |
49 | ipv4 or ipv6 address using sizeof(struct sockaddr_in) or | |
50 | sizeof(struct sockaddr_in6). | |
51 | ||
52 | ------------------------------------------------------------------ | |
53 | | BIND Type Checks | | |
54 | | @optname | @address contains | | |
55 | |----------------------------|-----------------------------------| | |
56 | | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | | |
57 | | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | | |
58 | | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | | |
59 | ------------------------------------------------------------------ | |
60 | ||
61 | ------------------------------------------------------------------ | |
62 | | CONNECT Type Checks | | |
63 | | @optname | @address contains | | |
64 | |----------------------------|-----------------------------------| | |
65 | | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | | |
66 | | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | | |
67 | | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | | |
68 | | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | | |
69 | ------------------------------------------------------------------ | |
70 | ||
71 | A summary of the ``@optname`` entries is as follows:: | |
72 | ||
73 | SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be | |
74 | associated after (optionally) calling | |
75 | bind(3). | |
76 | sctp_bindx(3) adds a set of bind | |
77 | addresses on a socket. | |
78 | ||
79 | SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple | |
80 | addresses for reaching a peer | |
81 | (multi-homed). | |
82 | sctp_connectx(3) initiates a connection | |
83 | on an SCTP socket using multiple | |
84 | destination addresses. | |
85 | ||
86 | SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a | |
87 | sendmsg(2) or sctp_sendmsg(3) on a new asociation. | |
88 | ||
89 | SCTP_PRIMARY_ADDR - Set local primary address. | |
90 | ||
91 | SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as | |
92 | association primary. | |
93 | ||
94 | SCTP_PARAM_ADD_IP - These are used when Dynamic Address | |
95 | SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below. | |
96 | ||
97 | ||
98 | To support Dynamic Address Reconfiguration the following parameters must be | |
99 | enabled on both endpoints (or use the appropriate **setsockopt**\(2)):: | |
100 | ||
101 | /proc/sys/net/sctp/addip_enable | |
102 | /proc/sys/net/sctp/addip_noauth_enable | |
103 | ||
104 | then the following *_PARAM_*'s are sent to the peer in an | |
105 | ASCONF chunk when the corresponding ``@optname``'s are present:: | |
106 | ||
107 | @optname ASCONF Parameter | |
108 | ---------- ------------------ | |
109 | SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP | |
110 | SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY | |
111 | ||
112 | ||
113 | security_sctp_sk_clone() | |
d61330c6 | 114 | ~~~~~~~~~~~~~~~~~~~~~~~~ |
72e89f50 RH |
115 | Called whenever a new socket is created by **accept**\(2) |
116 | (i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace | |
117 | calls **sctp_peeloff**\(3). | |
118 | :: | |
119 | ||
120 | @ep - pointer to current sctp endpoint structure. | |
121 | @sk - pointer to current sock structure. | |
122 | @sk - pointer to new sock structure. | |
123 | ||
124 | ||
125 | security_inet_conn_established() | |
d61330c6 | 126 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
72e89f50 RH |
127 | Called when a COOKIE ACK is received:: |
128 | ||
129 | @sk - pointer to sock structure. | |
130 | @skb - pointer to skbuff of the COOKIE ACK packet. | |
131 | ||
132 | ||
133 | Security Hooks used for Association Establishment | |
d61330c6 KC |
134 | ------------------------------------------------- |
135 | ||
72e89f50 RH |
136 | The following diagram shows the use of ``security_sctp_bind_connect()``, |
137 | ``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when | |
138 | establishing an association. | |
139 | :: | |
140 | ||
141 | SCTP endpoint "A" SCTP endpoint "Z" | |
142 | ================= ================= | |
143 | sctp_sf_do_prm_asoc() | |
144 | Association setup can be initiated | |
145 | by a connect(2), sctp_connectx(3), | |
146 | sendmsg(2) or sctp_sendmsg(3). | |
147 | These will result in a call to | |
148 | security_sctp_bind_connect() to | |
149 | initiate an association to | |
150 | SCTP peer endpoint "Z". | |
151 | INIT ---------------------------------------------> | |
152 | sctp_sf_do_5_1B_init() | |
153 | Respond to an INIT chunk. | |
154 | SCTP peer endpoint "A" is | |
155 | asking for an association. Call | |
156 | security_sctp_assoc_request() | |
157 | to set the peer label if first | |
158 | association. | |
159 | If not first association, check | |
160 | whether allowed, IF so send: | |
161 | <----------------------------------------------- INIT ACK | |
162 | | ELSE audit event and silently | |
163 | | discard the packet. | |
164 | | | |
165 | COOKIE ECHO ------------------------------------------> | |
166 | | | |
167 | | | |
168 | | | |
169 | <------------------------------------------- COOKIE ACK | |
170 | | | | |
171 | sctp_sf_do_5_1E_ca | | |
172 | Call security_inet_conn_established() | | |
173 | to set the peer label. | | |
174 | | | | |
175 | | If SCTP_SOCKET_TCP or peeled off | |
176 | | socket security_sctp_sk_clone() is | |
177 | | called to clone the new socket. | |
178 | | | | |
179 | ESTABLISHED ESTABLISHED | |
180 | | | | |
181 | ------------------------------------------------------------------ | |
182 | | Association Established | | |
183 | ------------------------------------------------------------------ | |
184 | ||
185 | ||
d61330c6 KC |
186 | SCTP SELinux Support |
187 | ==================== | |
188 | ||
189 | Security Hooks | |
190 | -------------- | |
191 | ||
192 | The `SCTP LSM Support`_ chapter above describes the following SCTP security | |
193 | hooks with the SELinux specifics expanded below:: | |
194 | ||
195 | security_sctp_assoc_request() | |
196 | security_sctp_bind_connect() | |
197 | security_sctp_sk_clone() | |
198 | security_inet_conn_established() | |
199 | ||
200 | ||
201 | security_sctp_assoc_request() | |
202 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
203 | Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the | |
204 | security module. Returns 0 on success, error on failure. | |
205 | :: | |
206 | ||
207 | @ep - pointer to sctp endpoint structure. | |
208 | @skb - pointer to skbuff of association packet. | |
209 | ||
210 | The security module performs the following operations: | |
211 | IF this is the first association on ``@ep->base.sk``, then set the peer | |
212 | sid to that in ``@skb``. This will ensure there is only one peer sid | |
213 | assigned to ``@ep->base.sk`` that may support multiple associations. | |
214 | ||
215 | ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid`` | |
216 | to determine whether the association should be allowed or denied. | |
217 | ||
218 | Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with | |
219 | MLS portion taken from ``@skb peer sid``. This will be used by SCTP | |
220 | TCP style sockets and peeled off connections as they cause a new socket | |
221 | to be generated. | |
222 | ||
223 | If IP security options are configured (CIPSO/CALIPSO), then the ip | |
224 | options are set on the socket. | |
225 | ||
226 | ||
227 | security_sctp_bind_connect() | |
228 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
229 | Checks permissions required for ipv4/ipv6 addresses based on the ``@optname`` | |
230 | as follows:: | |
231 | ||
232 | ------------------------------------------------------------------ | |
233 | | BIND Permission Checks | | |
234 | | @optname | @address contains | | |
235 | |----------------------------|-----------------------------------| | |
236 | | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | | |
237 | | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | | |
238 | | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | | |
239 | ------------------------------------------------------------------ | |
240 | ||
241 | ------------------------------------------------------------------ | |
242 | | CONNECT Permission Checks | | |
243 | | @optname | @address contains | | |
244 | |----------------------------|-----------------------------------| | |
245 | | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | | |
246 | | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | | |
247 | | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | | |
248 | | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | | |
249 | ------------------------------------------------------------------ | |
250 | ||
251 | ||
252 | `SCTP LSM Support`_ gives a summary of the ``@optname`` | |
253 | entries and also describes ASCONF chunk processing when Dynamic Address | |
254 | Reconfiguration is enabled. | |
255 | ||
256 | ||
257 | security_sctp_sk_clone() | |
258 | ~~~~~~~~~~~~~~~~~~~~~~~~ | |
259 | Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style | |
260 | socket) or when a socket is 'peeled off' e.g userspace calls | |
261 | **sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new | |
262 | sockets sid and peer sid to that contained in the ``@ep sid`` and | |
263 | ``@ep peer sid`` respectively. | |
264 | :: | |
265 | ||
266 | @ep - pointer to current sctp endpoint structure. | |
267 | @sk - pointer to current sock structure. | |
268 | @sk - pointer to new sock structure. | |
269 | ||
270 | ||
271 | security_inet_conn_established() | |
272 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ | |
273 | Called when a COOKIE ACK is received where it sets the connection's peer sid | |
274 | to that in ``@skb``:: | |
275 | ||
276 | @sk - pointer to sock structure. | |
277 | @skb - pointer to skbuff of the COOKIE ACK packet. | |
278 | ||
279 | ||
280 | Policy Statements | |
281 | ----------------- | |
282 | The following class and permissions to support SCTP are available within the | |
283 | kernel:: | |
284 | ||
285 | class sctp_socket inherits socket { node_bind } | |
286 | ||
287 | whenever the following policy capability is enabled:: | |
288 | ||
289 | policycap extended_socket_class; | |
290 | ||
291 | SELinux SCTP support adds the ``name_connect`` permission for connecting | |
292 | to a specific port type and the ``association`` permission that is explained | |
293 | in the section below. | |
294 | ||
295 | If userspace tools have been updated, SCTP will support the ``portcon`` | |
296 | statement as shown in the following example:: | |
297 | ||
298 | portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0 | |
299 | ||
300 | ||
301 | SCTP Peer Labeling | |
302 | ------------------ | |
303 | An SCTP socket will only have one peer label assigned to it. This will be | |
304 | assigned during the establishment of the first association. Any further | |
305 | associations on this socket will have their packet peer label compared to | |
306 | the sockets peer label, and only if they are different will the | |
307 | ``association`` permission be validated. This is validated by checking the | |
308 | socket peer sid against the received packets peer sid to determine whether | |
309 | the association should be allowed or denied. | |
310 | ||
311 | NOTES: | |
312 | 1) If peer labeling is not enabled, then the peer context will always be | |
313 | ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy). | |
314 | ||
315 | 2) As SCTP can support more than one transport address per endpoint | |
316 | (multi-homing) on a single socket, it is possible to configure policy | |
317 | and NetLabel to provide different peer labels for each of these. As the | |
318 | socket peer label is determined by the first associations transport | |
319 | address, it is recommended that all peer labels are consistent. | |
320 | ||
321 | 3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer | |
322 | context. | |
323 | ||
324 | 4) While not SCTP specific, be aware when using NetLabel that if a label | |
325 | is assigned to a specific interface, and that interface 'goes down', | |
326 | then the NetLabel service will remove the entry. Therefore ensure that | |
327 | the network startup scripts call **netlabelctl**\(8) to set the required | |
328 | label (see **netlabel-config**\(8) helper script for details). | |
329 | ||
330 | 5) The NetLabel SCTP peer labeling rules apply as discussed in the following | |
331 | set of posts tagged "netlabel" at: http://www.paul-moore.com/blog/t. | |
332 | ||
333 | 6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)`` | |
334 | CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)`` | |
335 | ||
336 | Note the following when testing CIPSO/CALIPSO: | |
337 | a) CIPSO will send an ICMP packet if an SCTP packet cannot be | |
338 | delivered because of an invalid label. | |
339 | b) CALIPSO does not send an ICMP packet, just silently discards it. | |
340 | ||
341 | 7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been | |
342 | implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)), | |
343 | although the kernel supports SCTP/IPSEC. |