.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks is described below, with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

      ------------------------------------------------------------------
      |                        BIND Type Checks                        |
      |       @optname             |         @address contains         |
      |----------------------------|-----------------------------------|
      | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
      | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
      | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
      ------------------------------------------------------------------

      ------------------------------------------------------------------
      |                      CONNECT Type Checks                       |
      |       @optname             |         @address contains         |
      |----------------------------|-----------------------------------|
      | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
      | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
      | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
      | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
      ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
                           sendmsg(2) or sctp_sendmsg(3) on a new association.

    SCTP_PRIMARY_ADDR - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
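The ``@address`` / ``@addrlen`` walk that ``security_sctp_bind_connect()`` implies, as an added userspace example that is not from this document or the kernel source: it maps an ``@optname`` to the BIND or CONNECT table, then steps through the packed address list choosing the stride per entry from ``sa_family`` (``sizeof(struct sockaddr_in)`` or ``sizeof(struct sockaddr_in6)``), rejecting a truncated buffer, an unknown family, or a list where the table allows a single address. The ``OPT_*`` constants, the ``sctp_*`` helper names and the counting callback are local stand-ins (their values are invented, not the kernel's); the sample addresses are constructed from documentation ranges.

```c
/* Added example, not kernel code: a userspace model of how an LSM's
 * sctp_bind_connect hook has to walk the @address / @addrlen buffer it is
 * handed. OPT_* are stand-ins named after the page's tables (values invented);
 * the permission check itself is delegated to a caller-supplied callback. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

enum sctp_optname {             /* stand-ins for the @optname values in the tables */
    OPT_SCTP_SOCKOPT_BINDX_ADD, OPT_SCTP_PRIMARY_ADDR, OPT_SCTP_SET_PEER_PRIMARY_ADDR,
    OPT_SCTP_SOCKOPT_CONNECTX, OPT_SCTP_PARAM_ADD_IP, OPT_SCTP_SENDMSG_CONNECT,
    OPT_SCTP_PARAM_SET_PRIMARY,
};
enum sctp_service { SVC_BIND, SVC_CONNECT, SVC_UNKNOWN };

/* Which service the check maps to: the BIND table or the CONNECT table. */
enum sctp_service sctp_optname_service(enum sctp_optname optname)
{
    switch (optname) {
    case OPT_SCTP_SOCKOPT_BINDX_ADD: case OPT_SCTP_PRIMARY_ADDR:
    case OPT_SCTP_SET_PEER_PRIMARY_ADDR:
        return SVC_BIND;
    case OPT_SCTP_SOCKOPT_CONNECTX: case OPT_SCTP_PARAM_ADD_IP:
    case OPT_SCTP_SENDMSG_CONNECT: case OPT_SCTP_PARAM_SET_PRIMARY:
        return SVC_CONNECT;
    }
    return SVC_UNKNOWN;
}

/* Optnames whose @address holds exactly one address rather than a list. */
int sctp_optname_single_address(enum sctp_optname optname)
{
    return optname == OPT_SCTP_PRIMARY_ADDR || optname == OPT_SCTP_SET_PEER_PRIMARY_ADDR ||
           optname == OPT_SCTP_SENDMSG_CONNECT || optname == OPT_SCTP_PARAM_SET_PRIMARY;
}

typedef int (*addr_check_fn)(enum sctp_service svc, const struct sockaddr *sa, void *ctx);

/* Walk @address for @addrlen bytes. Entries are packed back to back, each
 * sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6) by sa_family, so
 * the stride is decided per entry; check() runs where the real hook does its
 * bind/connect permission check. Returns the number of addresses checked, or
 * -1 for a truncated buffer, unknown family, list for a single-address
 * optname, or a failed check. */
int sctp_walk_addresses(enum sctp_optname optname, const struct sockaddr *address,
                        size_t addrlen, addr_check_fn check, void *ctx)
{
    enum sctp_service svc = sctp_optname_service(optname);
    const char *p = (const char *)address;
    size_t left = addrlen, len = 0;
    int n = 0;

    if (svc == SVC_UNKNOWN)
        return -1;
    while (left > 0) {
        const struct sockaddr *sa = (const struct sockaddr *)p;

        if (left < sizeof(sa_family_t))          /* no complete family field */
            return -1;
        switch (sa->sa_family) {
        case AF_INET:  len = sizeof(struct sockaddr_in);  break;
        case AF_INET6: len = sizeof(struct sockaddr_in6); break;
        default:       return -1;                /* only ipv4/ipv6 are accepted */
        }
        if (len > left)                          /* entry runs past @addrlen */
            return -1;
        if (n == 1 && sctp_optname_single_address(optname))
            return -1;                           /* second address where one is allowed */
        if (check && check(svc, sa, ctx))
            return -1;
        p += len;
        left -= len;
        n++;
    }
    return n;
}

/* Counting callback standing in for the permission check; ctx is int[2]. */
static int count_by_service(enum sctp_service svc, const struct sockaddr *sa, void *ctx)
{
    (void)sa;
    ((int *)ctx)[svc]++;
    return 0;
}

/* Constructed input: one IPv4 and one IPv6 address (documentation ranges)
 * packed as sctp_bindx(3) / sctp_connectx(3) callers pack them; short_by
 * bytes are cut off the end to exercise the truncation check. */
int check_mixed_buffer(enum sctp_optname optname, size_t short_by, int counts[2])
{
    union { unsigned char raw[64]; struct sockaddr_in6 align; } buf;
    struct sockaddr_in  v4 = { .sin_family = AF_INET,   .sin_port = htons(5000) };
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6, .sin6_port = htons(5000) };
    size_t total = sizeof v4 + sizeof v6;

    inet_pton(AF_INET,  "192.0.2.10",   &v4.sin_addr);
    inet_pton(AF_INET6, "2001:db8::10", &v6.sin6_addr);
    memcpy(buf.raw, &v4, sizeof v4);
    memcpy(buf.raw + sizeof v4, &v6, sizeof v6);
    counts[0] = counts[1] = 0;
    return sctp_walk_addresses(optname, (const struct sockaddr *)buf.raw,
                               short_by > total ? 0 : total - short_by,
                               count_by_service, counts);
}

int main(void)
{
    int c[2], n = check_mixed_buffer(OPT_SCTP_SOCKOPT_BINDX_ADD, 0, c);

    printf("BINDX_ADD, full buffer : %d addresses, %d bind checks\n", n, c[SVC_BIND]);
    printf("CONNECTX, 1 byte short : %d\n", check_mixed_buffer(OPT_SCTP_SOCKOPT_CONNECTX, 1, c));
    printf("PRIMARY_ADDR, 2 addrs  : %d\n", check_mixed_buffer(OPT_SCTP_PRIMARY_ADDR, 0, c));
    return 0;
}
```

The point of the per-entry stride is the ``@addrlen`` note above: a hook that assumed one fixed ``sockaddr`` size would misread a mixed ipv4/ipv6 list and could run its check on bytes that belong to the next entry, so the length of each entry is compared against what is left of ``@addrlen`` before it is touched.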


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

            @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g. userspace
calls **sctp_peeloff**\(3).
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received::

    @sk - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------

The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                 SCTP endpoint "Z"
      =================                 =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
         <----------------------------------------------- INIT ACK
         |                                       ELSE audit event and silently
         |                                           discard the packet.
         |
   COOKIE ECHO ------------------------------------------>
                                                         |
                                                         |
                                                         |
         <------------------------------------------- COOKIE ACK
         |                                               |
 sctp_sf_do_5_1E_ca                                      |
 Call security_inet_conn_established()                   |
 to set the peer label.                                  |
         |                                               |
         |                               If SCTP_SOCKET_TCP or peeled off
         |                               socket security_sctp_sk_clone() is
         |                               called to clone the new socket.
         |                                               |
     ESTABLISHED                                    ESTABLISHED
         |                                               |
   ------------------------------------------------------------------
   |                     Association Established                    |
   ------------------------------------------------------------------


SCTP SELinux Support
====================

Security Hooks
--------------

The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_inet_conn_established()


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@ep->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@ep->base.sk`` that may support multiple associations.

     ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@ep sid`` to the socket's sid (from ``ep->base.sk``) with
     the MLS portion taken from the ``@skb peer sid``. This will be used by SCTP
     TCP style sockets and peeled off connections as they cause a new socket
     to be generated.

     If IP security options are configured (CIPSO/CALIPSO), then the ip
     options are set on the socket.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
as follows::

      ------------------------------------------------------------------
      |                     BIND Permission Checks                     |
      |       @optname             |         @address contains         |
      |----------------------------|-----------------------------------|
      | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
      | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
      | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
      ------------------------------------------------------------------

      ------------------------------------------------------------------
      |                   CONNECT Permission Checks                    |
      |       @optname             |         @address contains         |
      |----------------------------|-----------------------------------|
      | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
      | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
      | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
      | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
      ------------------------------------------------------------------


`SCTP LSM Support`_ gives a summary of the ``@optname``
entries and also describes ASCONF chunk processing when Dynamic Address
Reconfiguration is enabled.


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off' e.g. userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
socket's sid and peer sid to that contained in the ``@ep sid`` and
``@ep peer sid`` respectively.
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::

    @sk - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Policy Statements
-----------------
The following class and permissions to support SCTP are available within the
kernel::

    class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled::

    policycap extended_socket_class;

SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.

If userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::

    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0


SCTP Peer Labeling
------------------
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the socket's peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packet's peer sid to determine whether
the association should be allowed or denied.

NOTES:
   1) If peer labeling is not enabled, then the peer context will always be
      ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).

   2) As SCTP can support more than one transport address per endpoint
      (multi-homing) on a single socket, it is possible to configure policy
      and NetLabel to provide different peer labels for each of these. As the
      socket peer label is determined by the first association's transport
      address, it is recommended that all peer labels are consistent.

   3) **getpeercon**\(3) may be used by userspace to retrieve the socket's peer
      context.

   4) While not SCTP specific, be aware when using NetLabel that if a label
      is assigned to a specific interface, and that interface 'goes down',
      then the NetLabel service will remove the entry. Therefore ensure that
      the network startup scripts call **netlabelctl**\(8) to set the required
      label (see **netlabel-config**\(8) helper script for details).

   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

      Note the following when testing CIPSO/CALIPSO:
         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
            delivered because of an invalid label.
         b) CALIPSO does not send an ICMP packet, just silently discards it.

   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
      although the kernel supports SCTP/IPSEC.
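The peer-labeling rules in the `SCTP SELinux Support`_ hook descriptions and in the `SCTP Peer Labeling`_ section above, together with the order in which the hooks fire in the association diagram, as an added userspace model that is not part of this document or the kernel: the first association fixes the socket's peer sid, a later association is checked against the ``association`` permission only when its packet's peer sid differs, the endpoint sid is the socket's sid with the MLS portion of the peer sid, and ``accept``\(2) / ``sctp_peeloff``\(3) sockets inherit the endpoint's sid and peer sid. A sid is a toy ``(type, mls)`` pair here (real SIDs are opaque), the ``model_*`` names and the predicate standing in for the AVC decision are assumptions, and the model's choice to record the packet's peer sid on the endpoint as the ``@ep peer sid`` is an assumption too, since the text names that field without saying where it is set.

```c
/* Added example, not kernel code: a userspace model of the SELinux peer-label
 * rules described above and of where each hook fires in the INIT / INIT ACK /
 * COOKIE ECHO / COOKIE ACK exchange. A sid is a toy (type, mls) pair so that
 * "socket sid with the MLS portion taken from the peer sid" can be shown;
 * real SIDs are opaque. The caller supplies the 'association' permission
 * decision as a predicate standing in for the AVC. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct sid { int type; int mls; };                 /* toy stand-in for a SELinux SID */
struct sock_ctx { struct sid sid; struct sid peer_sid; bool peer_set; };
struct endpoint { struct sock_ctx *sk; struct sid sid; struct sid peer_sid; };

typedef bool (*assoc_allowed_fn)(struct sid sock_peer, struct sid pkt_peer);

static bool sid_eq(struct sid a, struct sid b) { return a.type == b.type && a.mls == b.mls; }

/* security_sctp_assoc_request() as described: the first association fixes the
 * socket's peer sid; a later one is checked against the 'association'
 * permission only if its packet's peer sid differs from the socket's. */
int model_assoc_request(struct endpoint *ep, struct sid skb_peer_sid, assoc_allowed_fn allowed)
{
    struct sock_ctx *sk = ep->sk;

    if (!sk->peer_set) {
        sk->peer_sid = skb_peer_sid;
        sk->peer_set = true;
    } else if (!sid_eq(sk->peer_sid, skb_peer_sid) && !allowed(sk->peer_sid, skb_peer_sid)) {
        return -EACCES;                          /* caller audits and discards the INIT */
    }
    ep->sid.type = sk->sid.type;                 /* socket's sid ... */
    ep->sid.mls = skb_peer_sid.mls;              /* ... with the MLS portion of the peer sid */
    ep->peer_sid = skb_peer_sid;                 /* assumption: ep peer sid tracks the packet */
    return 0;
}

/* security_inet_conn_established(): on COOKIE ACK the connecting side
 * records the peer sid carried by that packet. */
void model_conn_established(struct sock_ctx *sk, struct sid skb_peer_sid)
{
    sk->peer_sid = skb_peer_sid;
    sk->peer_set = true;
}

/* security_sctp_sk_clone(): an accept(2) or sctp_peeloff(3) socket takes the
 * endpoint's sid and peer sid. */
void model_sk_clone(const struct endpoint *ep, struct sock_ctx *newsk)
{
    newsk->sid = ep->sid;
    newsk->peer_sid = ep->peer_sid;
    newsk->peer_set = true;
}

/* One INIT -> INIT ACK -> COOKIE ECHO -> COOKIE ACK round as in the diagram:
 * A connects to Z; Z is a TCP-style endpoint that accept(2)s into *accepted.
 * Returns 0, or -EACCES if Z's assoc_request denies the INIT (no INIT ACK). */
int model_handshake(struct sock_ctx *a_sk, struct endpoint *z_ep,
                    struct sid a_pkt_peer_sid, struct sid z_pkt_peer_sid,
                    assoc_allowed_fn allowed, struct sock_ctx *accepted)
{
    int rc = model_assoc_request(z_ep, a_pkt_peer_sid, allowed);  /* Z: INIT received */
    if (rc)
        return rc;
    /* INIT ACK and COOKIE ECHO carry no hook of their own */
    model_conn_established(a_sk, z_pkt_peer_sid);               /* A: COOKIE ACK received */
    model_sk_clone(z_ep, accepted);                             /* Z: accept(2) */
    return 0;
}

static bool deny_all(struct sid s, struct sid p)  { (void)s; (void)p; return false; }
static bool allow_all(struct sid s, struct sid p) { (void)s; (void)p; return true; }

int main(void)
{
    struct sock_ctx a = { .sid = { 1, 0 } }, z_sock = { .sid = { 2, 0 } }, acc = { 0 };
    struct endpoint z = { .sk = &z_sock };
    struct sid a_peer = { 7, 3 }, z_peer = { 8, 3 }, other = { 9, 1 };
    int rc = model_handshake(&a, &z, a_peer, z_peer, deny_all, &acc);

    printf("first association: rc=%d, Z socket peer type=%d, accept sid=(%d,%d)\n",
           rc, z_sock.peer_sid.type, acc.sid.type, acc.sid.mls);
    rc = model_assoc_request(&z, a_peer, deny_all);   /* same peer sid: no permission check */
    printf("same peer again:   rc=%d\n", rc);
    rc = model_assoc_request(&z, other, deny_all);    /* different peer sid, policy denies */
    printf("different peer:    rc=%d (EACCES is %d)\n", rc, EACCES);
    rc = model_assoc_request(&z, other, allow_all);   /* policy allows: socket peer sid stays */
    printf("allowed:           rc=%d, Z socket peer type still %d\n", rc, z_sock.peer_sid.type);
    return 0;
}
```

The second ``model_assoc_request`` call shows the detail note 2 above depends on: a second association with the same peer sid never reaches the permission check, so a denying policy only bites once a differently labeled transport address appears, and even when that association is allowed the socket's own peer label (what ``getpeercon``\(3) reports) remains the one the first association set.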