Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks is described below with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                            sendmsg(2) or sctp_sendmsg(3) on a new association.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY


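The ``@address``/``@addrlen`` walk and the BIND/CONNECT split from the tables above, as an added userspace C example (not kernel code and not part of the original document). The ``model_optname`` values, ``walk_bind_connect()``, ``sample_policy()`` and the rejection of a second address for options the tables list as single-address are assumptions of this model.

```c
/* Added example: userspace model of the @address/@addrlen walk. Not kernel code. */
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Model identifiers for @optname (assumption: not the kernel's numeric values). */
enum model_optname {
    M_BINDX_ADD, M_PRIMARY_ADDR, M_SET_PEER_PRIMARY_ADDR,       /* BIND table */
    M_CONNECTX, M_PARAM_ADD_IP, M_SENDMSG_CONNECT, M_PARAM_SET_PRIMARY /* CONNECT */
};
enum check_type { CHECK_BIND, CHECK_CONNECT };

/* Hypothetical per-address policy callback: 0 allows, negative errno denies. */
typedef int (*addr_check_fn)(enum check_type type, const struct sockaddr *sa,
                             void *ctx);

static int classify(enum model_optname opt, enum check_type *type, int *multi)
{
    switch (opt) {
    case M_BINDX_ADD:             *type = CHECK_BIND;    *multi = 1; return 0;
    case M_PRIMARY_ADDR:
    case M_SET_PEER_PRIMARY_ADDR: *type = CHECK_BIND;    *multi = 0; return 0;
    case M_CONNECTX:
    case M_PARAM_ADD_IP:          *type = CHECK_CONNECT; *multi = 1; return 0;
    case M_SENDMSG_CONNECT:
    case M_PARAM_SET_PRIMARY:     *type = CHECK_CONNECT; *multi = 0; return 0;
    }
    return -EINVAL;
}

/* Walk a packed run of sockaddr_in / sockaddr_in6 entries. Every entry is
 * bounds-checked against what is left of @addrlen before it is read.
 * Returns 0 on success (entries passed in *checked), negative errno on failure. */
int walk_bind_connect(enum model_optname opt, const void *address, size_t addrlen,
                      addr_check_fn check, void *ctx, int *checked)
{
    const unsigned char *p = address;
    enum check_type type;
    int multi, rc;

    *checked = 0;
    if (!address || addrlen == 0 || classify(opt, &type, &multi))
        return -EINVAL;
    while (addrlen > 0) {
        struct sockaddr_storage ss = { 0 };
        size_t len = sizeof(struct sockaddr_in);
        if (addrlen < len)
            return -EINVAL;                /* truncated entry */
        memcpy(&ss, p, len);               /* copy: the buffer may be unaligned */
        if (ss.ss_family == AF_INET6) {
            len = sizeof(struct sockaddr_in6);
            if (addrlen < len)
                return -EINVAL;            /* truncated IPv6 entry */
            memcpy(&ss, p, len);
        } else if (ss.ss_family != AF_INET) {
            return -EINVAL;                /* unknown family: entry size unknown */
        }
        if (*checked == 1 && !multi)
            return -EINVAL;                /* model choice: single-address option */
        rc = check(type, (const struct sockaddr *)&ss, ctx);
        if (rc)
            return rc;                     /* first denial ends the walk */
        (*checked)++;
        p += len;
        addrlen -= len;
    }
    return 0;
}

/* Constructed sample: one IPv4 and one IPv6 entry packed back to back. */
size_t build_sample(unsigned char *buf)
{
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_port = htons(1024) };
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_port = htons(1024) };
    a4.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    a6.sin6_addr = in6addr_loopback;
    memcpy(buf, &a4, sizeof(a4));
    memcpy(buf + sizeof(a4), &a6, sizeof(a6));
    return sizeof(a4) + sizeof(a6);
}

/* Sample policy for the demo: allow BIND checks, deny CONNECT to IPv6. */
int sample_policy(enum check_type type, const struct sockaddr *sa, void *ctx)
{
    (void)ctx;
    return (type == CHECK_CONNECT && sa->sa_family == AF_INET6) ? -EACCES : 0;
}
```
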
security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g. userspace
calls **sctp_peeloff**\(3).
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------

The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                          |
                                                          |
                                                          |
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_inet_conn_established()                    |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------


SCTP SELinux Support
====================

Security Hooks
--------------

The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_inet_conn_established()


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@ep->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@ep->base.sk`` that may support multiple associations.

     ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
     MLS portion taken from ``@skb peer sid``. This will be used by SCTP
     TCP style sockets and peeled off connections as they cause a new socket
     to be generated.

     If IP security options are configured (CIPSO/CALIPSO), then the ip
     options are set on the socket.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
as follows::

  ------------------------------------------------------------------
  |                   BIND Permission Checks                       |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                 CONNECT Permission Checks                      |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------


`SCTP LSM Support`_ gives a summary of the ``@optname``
entries and also describes ASCONF chunk processing when Dynamic Address
Reconfiguration is enabled.


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off' e.g. userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
socket's sid and peer sid to that contained in the ``@ep sid`` and
``@ep peer sid`` respectively.
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Policy Statements
-----------------
The following class and permissions to support SCTP are available within the
kernel::

    class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled::

    policycap extended_socket_class;

SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.

If userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::

    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0


SCTP Peer Labeling
------------------
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the socket's peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packet's peer sid to determine whether
the association should be allowed or denied.

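The peer-label rule above, together with the operations listed for ``security_sctp_assoc_request()`` and ``security_sctp_sk_clone()``, modelled in userspace C as an added example (not kernel code and not part of the original document). The ``label`` struct, the ``model_*`` names and ``same_type_policy()`` are hypothetical, and the labels used with them are constructed sample values.

```c
/* Added example: userspace model of SELinux SCTP peer labeling. Not kernel code. */
#include <errno.h>
#include <string.h>

/* Model of a security context: a type plus an MLS level (constructed values). */
struct label { const char *type; const char *level; };

struct model_sock {
    struct label sid;       /* the socket's own label */
    struct label peer_sid;  /* the single peer label held by the socket */
    int peer_set;           /* 0 until the first association arrives */
};

struct model_ep {
    struct model_sock *sk;  /* stands in for @ep->base.sk */
    struct label sid;       /* label given to accept()ed / peeled-off sockets */
    struct label peer_sid;  /* peer label given to those sockets */
};

/* Hypothetical policy query for the `association` permission:
 * non-zero when sock_peer may be associated with pkt_peer. */
typedef int (*assoc_perm_fn)(const struct label *sock_peer,
                             const struct label *pkt_peer);

static int same_label(const struct label *a, const struct label *b)
{
    return !strcmp(a->type, b->type) && !strcmp(a->level, b->level);
}

/* Model of the operations listed for security_sctp_assoc_request().
 * *perm_checks counts how often the `association` permission was consulted. */
int model_assoc_request(struct model_ep *ep, const struct label *pkt_peer,
                        assoc_perm_fn allowed, int *perm_checks)
{
    struct model_sock *sk = ep->sk;

    if (!sk->peer_set) {
        /* First association: its label becomes the socket's only peer label. */
        sk->peer_sid = *pkt_peer;
        sk->peer_set = 1;
    } else if (!same_label(&sk->peer_sid, pkt_peer)) {
        /* Later association with a different label: policy decides. */
        (*perm_checks)++;
        if (!allowed(&sk->peer_sid, pkt_peer))
            return -EACCES;   /* caller audits and silently discards the INIT */
    }
    /* Endpoint sid: the socket's sid with the MLS portion from the packet. */
    ep->sid.type = sk->sid.type;
    ep->sid.level = pkt_peer->level;
    ep->peer_sid = *pkt_peer;  /* model assumption: endpoint peer sid = packet's */
    return 0;
}

/* Model of security_sctp_sk_clone(): the new socket takes the endpoint's labels. */
void model_sk_clone(const struct model_ep *ep, struct model_sock *newsk)
{
    newsk->sid = ep->sid;
    newsk->peer_sid = ep->peer_sid;
    newsk->peer_set = 1;   /* model assumption: the clone already has its peer */
}

/* Sample policy for the demo: allow when only the MLS level differs. */
int same_type_policy(const struct label *sock_peer, const struct label *pkt_peer)
{
    return !strcmp(sock_peer->type, pkt_peer->type);
}
```

The socket's peer label stays that of the first association even after a later, differently labelled association is allowed, which is why note 2 below recommends consistent peer labels across transport addresses.
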
NOTES:
   1) If peer labeling is not enabled, then the peer context will always be
      ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).

   2) As SCTP can support more than one transport address per endpoint
      (multi-homing) on a single socket, it is possible to configure policy
      and NetLabel to provide different peer labels for each of these. As the
      socket peer label is determined by the first association's transport
      address, it is recommended that all peer labels are consistent.

   3) **getpeercon**\(3) may be used by userspace to retrieve the socket's peer
      context.

   4) While not SCTP specific, be aware when using NetLabel that if a label
      is assigned to a specific interface, and that interface 'goes down',
      then the NetLabel service will remove the entry. Therefore ensure that
      the network startup scripts call **netlabelctl**\(8) to set the required
      label (see **netlabel-config**\(8) helper script for details).

   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

      Note the following when testing CIPSO/CALIPSO:
         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
            delivered because of an invalid label.
         b) CALIPSO does not send an ICMP packet, just silently discards it.

   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
      although the kernel supports SCTP/IPSEC.