security: Add support for SCTP security hooks

The SCTP security hooks are explained in: Documentation/security/LSM-sctp.rst Signed-off-by: Richard Haines <richard_c_haines@btinternet.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Richard Haines <richard_c_haines@btinternet.com> 2018-02-13 15:53:21 -0500
committer: Paul Moore <paul@paul-moore.com> 2018-02-22 15:01:32 -0500
commit: 72e89f50084c6dbc58a00aeedf92c450dc1a8b1c (patch)
tree: 65c175daec4c170bcb389ed8b8b1a8ec9b9c85af /Documentation/security
parent: 213d7f94775322ba44e0bbb55ec6946e9de88cea (diff)
1 files changed, 175 insertions, 0 deletions
diff --git a/Documentation/security/LSM-sctp.rst b/Documentation/security/LSM-sctp.rst
new file mode 100644
index 000000000000..6e5a3925a860
--- /dev/null
+++ b/Documentation/security/LSM-sctp.rst
@@ -0,0 +1,175 @@
+SCTP LSM Support
+================
+For security module support, three SCTP specific hooks have been implemented::
+    security_sctp_assoc_request()
+    security_sctp_bind_connect()
+    security_sctp_sk_clone()
+Also the following security hook has been utilised::
+    security_inet_conn_established()
+The usage of these hooks are described below with the SELinux implementation
+described in ``Documentation/security/SELinux-sctp.rst``
+security_sctp_assoc_request()
+-----------------------------
+Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
+security module. Returns 0 on success, error on failure.
+::
+    @ep - pointer to sctp endpoint structure.
+    @skb - pointer to skbuff of association packet.
+security_sctp_bind_connect()
+-----------------------------
+Passes one or more ipv4/ipv6 addresses to the security module for validation
+based on the ``@optname`` that will result in either a bind or connect
+service as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+::
+    @sk      - Pointer to sock structure.
+    @optname - Name of the option to validate.
+    @address - One or more ipv4 / ipv6 addresses.
+    @addrlen - The total length of address(s). This is calculated on each
+               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
+               sizeof(struct sockaddr_in6).
+  ------------------------------------------------------------------
+  |                     BIND Type Checks                           |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
+  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
+  ------------------------------------------------------------------
+  ------------------------------------------------------------------
+  |                   CONNECT Type Checks                          |
+  |       @optname             |         @address contains         |
+  |----------------------------|-----------------------------------|
+  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
+  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
+  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
+  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
+  ------------------------------------------------------------------
+A summary of the ``@optname`` entries is as follows::
+    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
+                             associated after (optionally) calling
+                             bind(3).
+                             sctp_bindx(3) adds a set of bind
+                             addresses on a socket.
+    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
+                            addresses for reaching a peer
+                            (multi-homed).
+                            sctp_connectx(3) initiates a connection
+                            on an SCTP socket using multiple
+                            destination addresses.
+    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
+                            sendmsg(2) or sctp_sendmsg(3) on a new asociation.
+    SCTP_PRIMARY_ADDR     - Set local primary address.
+    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
+                                 association primary.
+    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
+    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.
+To support Dynamic Address Reconfiguration the following parameters must be
+enabled on both endpoints (or use the appropriate **setsockopt**\(2))::
+    /proc/sys/net/sctp/addip_enable
+    /proc/sys/net/sctp/addip_noauth_enable
+then the following *_PARAM_*'s are sent to the peer in an
+ASCONF chunk when the corresponding ``@optname``'s are present::
+          @optname                      ASCONF Parameter
+         ----------                    ------------------
+    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
+    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY
+security_sctp_sk_clone()
+-------------------------
+Called whenever a new socket is created by **accept**\(2)
+(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
+calls **sctp_peeloff**\(3).
+::
+    @ep - pointer to current sctp endpoint structure.
+    @sk - pointer to current sock structure.
+    @sk - pointer to new sock structure.
+security_inet_conn_established()
+---------------------------------
+Called when a COOKIE ACK is received::
+    @sk  - pointer to sock structure.
+    @skb - pointer to skbuff of the COOKIE ACK packet.
+Security Hooks used for Association Establishment
+=================================================
+The following diagram shows the use of ``security_sctp_bind_connect()``,
+``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
+establishing an association.
+::
+      SCTP endpoint "A"                                SCTP endpoint "Z"
+      =================                                =================
+    sctp_sf_do_prm_asoc()
+ Association setup can be initiated
+ by a connect(2), sctp_connectx(3),
+ sendmsg(2) or sctp_sendmsg(3).
+ These will result in a call to
+ security_sctp_bind_connect() to
+ initiate an association to
+ SCTP peer endpoint "Z".
+         INIT --------------------------------------------->
+                                                   sctp_sf_do_5_1B_init()
+                                                 Respond to an INIT chunk.
+                                             SCTP peer endpoint "A" is
+                                             asking for an association. Call
+                                             security_sctp_assoc_request()
+                                             to set the peer label if first
+                                             association.
+                                             If not first association, check
+                                             whether allowed, IF so send:
+          <----------------------------------------------- INIT ACK
+          |                                  ELSE audit event and silently
+          |                                       discard the packet.
+          |
+    COOKIE ECHO ------------------------------------------>
+                                                          |
+                                                          |
+                                                          |
+          <------------------------------------------- COOKIE ACK
+          |                                               |
+    sctp_sf_do_5_1E_ca                                    |
+ Call security_inet_conn_established()                    |
+ to set the peer label.                                   |
+          |                                               |
+          |                               If SCTP_SOCKET_TCP or peeled off
+          |                               socket security_sctp_sk_clone() is
+          |                               called to clone the new socket.
+          |                                               |
+      ESTABLISHED                                    ESTABLISHED
+          |                                               |
+    ------------------------------------------------------------------
+    |                     Association Established                    |
+    ------------------------------------------------------------------
author	Richard Haines <richard_c_haines@btinternet.com>	2018-02-13 15:53:21 -0500
committer	Paul Moore <paul@paul-moore.com>	2018-02-22 15:01:32 -0500
commit	72e89f50084c6dbc58a00aeedf92c450dc1a8b1c (patch)
tree	65c175daec4c170bcb389ed8b8b1a8ec9b9c85af /Documentation/security
parent	213d7f94775322ba44e0bbb55ec6946e9de88cea (diff)

diff --git a/Documentation/security/LSM-sctp.rst b/Documentation/security/LSM-sctp.rst new file mode 100644 index 000000000000..6e5a3925a860 --- /dev/null +++ b/Documentation/security/LSM-sctp.rst
@@ -0,0 +1,175 @@
	1	SCTP LSM Support
	2	================
	3
	4	For security module support, three SCTP specific hooks have been implemented::
	5
	6	security_sctp_assoc_request()
	7	security_sctp_bind_connect()
	8	security_sctp_sk_clone()
	9
	10	Also the following security hook has been utilised::
	11
	12	security_inet_conn_established()
	13
	14	The usage of these hooks are described below with the SELinux implementation
	15	described in ``Documentation/security/SELinux-sctp.rst``
	16
	17
	18	security_sctp_assoc_request()
	19	-----------------------------
	20	Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
	21	security module. Returns 0 on success, error on failure.
	22	::
	23
	24	@ep - pointer to sctp endpoint structure.
	25	@skb - pointer to skbuff of association packet.
	26
	27
	28	security_sctp_bind_connect()
	29	-----------------------------
	30	Passes one or more ipv4/ipv6 addresses to the security module for validation
	31	based on the ``@optname`` that will result in either a bind or connect
	32	service as shown in the permission check tables below.
	33	Returns 0 on success, error on failure.
	34	::
	35
	36	@sk - Pointer to sock structure.
	37	@optname - Name of the option to validate.
	38	@address - One or more ipv4 / ipv6 addresses.
	39	@addrlen - The total length of address(s). This is calculated on each
	40	ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
	41	sizeof(struct sockaddr_in6).
	42
	43	------------------------------------------------------------------
	44	\| BIND Type Checks \|
	45	\| @optname \| @address contains \|
	46	\|----------------------------\|-----------------------------------\|
	47	\| SCTP_SOCKOPT_BINDX_ADD \| One or more ipv4 / ipv6 addresses \|
	48	\| SCTP_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	49	\| SCTP_SET_PEER_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	50	------------------------------------------------------------------
	51
	52	------------------------------------------------------------------
	53	\| CONNECT Type Checks \|
	54	\| @optname \| @address contains \|
	55	\|----------------------------\|-----------------------------------\|
	56	\| SCTP_SOCKOPT_CONNECTX \| One or more ipv4 / ipv6 addresses \|
	57	\| SCTP_PARAM_ADD_IP \| One or more ipv4 / ipv6 addresses \|
	58	\| SCTP_SENDMSG_CONNECT \| Single ipv4 or ipv6 address \|
	59	\| SCTP_PARAM_SET_PRIMARY \| Single ipv4 or ipv6 address \|
	60	------------------------------------------------------------------
	61
	62	A summary of the ``@optname`` entries is as follows::
	63
	64	SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
	65	associated after (optionally) calling
	66	bind(3).
	67	sctp_bindx(3) adds a set of bind
	68	addresses on a socket.
	69
	70	SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
	71	addresses for reaching a peer
	72	(multi-homed).
	73	sctp_connectx(3) initiates a connection
	74	on an SCTP socket using multiple
	75	destination addresses.
	76
	77	SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
	78	sendmsg(2) or sctp_sendmsg(3) on a new asociation.
	79
	80	SCTP_PRIMARY_ADDR - Set local primary address.
	81
	82	SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
	83	association primary.
	84
	85	SCTP_PARAM_ADD_IP - These are used when Dynamic Address
	86	SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
	87
	88
	89	To support Dynamic Address Reconfiguration the following parameters must be
	90	enabled on both endpoints (or use the appropriate setsockopt\(2))::
	91
	92	/proc/sys/net/sctp/addip_enable
	93	/proc/sys/net/sctp/addip_noauth_enable
	94
	95	then the following _PARAM_'s are sent to the peer in an
	96	ASCONF chunk when the corresponding ``@optname``'s are present::
	97
	98	@optname ASCONF Parameter
	99	---------- ------------------
	100	SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP
	101	SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY
	102
	103
	104	security_sctp_sk_clone()
	105	-------------------------
	106	Called whenever a new socket is created by accept\(2)
	107	(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
	108	calls sctp_peeloff\(3).
	109	::
	110
	111	@ep - pointer to current sctp endpoint structure.
	112	@sk - pointer to current sock structure.
	113	@sk - pointer to new sock structure.
	114
	115
	116	security_inet_conn_established()
	117	---------------------------------
	118	Called when a COOKIE ACK is received::
	119
	120	@sk - pointer to sock structure.
	121	@skb - pointer to skbuff of the COOKIE ACK packet.
	122
	123
	124	Security Hooks used for Association Establishment
	125	=================================================
	126	The following diagram shows the use of ``security_sctp_bind_connect()``,
	127	``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
	128	establishing an association.
	129	::
	130
	131	SCTP endpoint "A" SCTP endpoint "Z"
	132	================= =================
	133	sctp_sf_do_prm_asoc()
	134	Association setup can be initiated
	135	by a connect(2), sctp_connectx(3),
	136	sendmsg(2) or sctp_sendmsg(3).
	137	These will result in a call to
	138	security_sctp_bind_connect() to
	139	initiate an association to
	140	SCTP peer endpoint "Z".
	141	INIT --------------------------------------------->
	142	sctp_sf_do_5_1B_init()
	143	Respond to an INIT chunk.
	144	SCTP peer endpoint "A" is
	145	asking for an association. Call
	146	security_sctp_assoc_request()
	147	to set the peer label if first
	148	association.
	149	If not first association, check
	150	whether allowed, IF so send:
	151	<----------------------------------------------- INIT ACK
	152	\| ELSE audit event and silently
	153	\| discard the packet.
	154	\|
	155	COOKIE ECHO ------------------------------------------>
	156	\|
	157	\|
	158	\|
	159	<------------------------------------------- COOKIE ACK
	160	\| \|
	161	sctp_sf_do_5_1E_ca \|
	162	Call security_inet_conn_established() \|
	163	to set the peer label. \|
	164	\| \|
	165	\| If SCTP_SOCKET_TCP or peeled off
	166	\| socket security_sctp_sk_clone() is
	167	\| called to clone the new socket.
	168	\| \|
	169	ESTABLISHED ESTABLISHED
	170	\| \|
	171	------------------------------------------------------------------
	172	\| Association Established \|
	173	------------------------------------------------------------------
	174
	175