2 files changed, 61 insertions, 0 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 7161d8e7ee79..84c0b927ea85 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -906,6 +906,33 @@
 *      associated with the TUN device's security structure.
 *      @security pointer to the TUN devices's security structure.
 *
+ * Security hooks for SCTP
+ *
+ * @sctp_assoc_request:
+ *      Passes the @ep and @chunk->skb of the association INIT packet to
+ *      the security module.
+ *      @ep pointer to sctp endpoint structure.
+ *      @skb pointer to skbuff of association packet.
+ *      Return 0 on success, error on failure.
+ * @sctp_bind_connect:
+ *      Validiate permissions required for each address associated with sock
+ *      @sk. Depending on @optname, the addresses will be treated as either
+ *      for a connect or bind service. The @addrlen is calculated on each
+ *      ipv4 and ipv6 address using sizeof(struct sockaddr_in) or
+ *      sizeof(struct sockaddr_in6).
+ *      @sk pointer to sock structure.
+ *      @optname name of the option to validate.
+ *      @address list containing one or more ipv4/ipv6 addresses.
+ *      @addrlen total length of address(s).
+ *      Return 0 on success, error on failure.
+ * @sctp_sk_clone:
+ *      Called whenever a new socket is created by accept(2) (i.e. a TCP
+ *      style socket) or when a socket is 'peeled off' e.g userspace
+ *      calls sctp_peeloff(3).
+ *      @ep pointer to current sctp endpoint structure.
+ *      @sk pointer to current sock structure.
+ *      @sk pointer to new sock structure.
+ *
 * Security hooks for Infiniband
 *
 * @ib_pkey_access:
@@ -1665,6 +1692,12 @@ union security_list_options {
        int (*tun_dev_attach_queue)(void *security);
        int (*tun_dev_attach)(struct sock *sk, void *security);
        int (*tun_dev_open)(void *security);
+        int (*sctp_assoc_request)(struct sctp_endpoint *ep,
+                                  struct sk_buff *skb);
+        int (*sctp_bind_connect)(struct sock *sk, int optname,
+                                 struct sockaddr *address, int addrlen);
+        void (*sctp_sk_clone)(struct sctp_endpoint *ep, struct sock *sk,
+                              struct sock *newsk);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_INFINIBAND
@@ -1914,6 +1947,9 @@ struct security_hook_heads {
        struct list_head tun_dev_attach_queue;
        struct list_head tun_dev_attach;
        struct list_head tun_dev_open;
+        struct list_head sctp_assoc_request;
+        struct list_head sctp_bind_connect;
+        struct list_head sctp_sk_clone;
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_INFINIBAND
        struct list_head ib_pkey_access;
diff --git a/include/linux/security.h b/include/linux/security.h
index 73f1ef625d40..2ff5f5777a53 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -115,6 +115,7 @@ struct xfrm_policy;
 struct xfrm_state;
 struct xfrm_user_sec_ctx;
 struct seq_file;
+struct sctp_endpoint;
 #ifdef CONFIG_MMU
 extern unsigned long mmap_min_addr;
@@ -1229,6 +1230,11 @@ int security_tun_dev_create(void);
 int security_tun_dev_attach_queue(void *security);
 int security_tun_dev_attach(struct sock *sk, void *security);
 int security_tun_dev_open(void *security);
+int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb);
+int security_sctp_bind_connect(struct sock *sk, int optname,
+                               struct sockaddr *address, int addrlen);
+void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
+                            struct sock *newsk);
 #else   /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct sock *sock,
@@ -1421,6 +1427,25 @@ static inline int security_tun_dev_open(void *security)
 {
        return 0;
 }
+static inline int security_sctp_assoc_request(struct sctp_endpoint *ep,
+                                              struct sk_buff *skb)
+{
+        return 0;
+}
+static inline int security_sctp_bind_connect(struct sock *sk, int optname,
+                                             struct sockaddr *address,
+                                             int addrlen)
+{
+        return 0;
+}
+static inline void security_sctp_sk_clone(struct sctp_endpoint *ep,
+                                          struct sock *sk,
+                                          struct sock *newsk)
+{
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_INFINIBAND

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7161d8e7ee79..84c0b927ea85 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -906,6 +906,33 @@
906	* associated with the TUN device's security structure.	906	* associated with the TUN device's security structure.
907	* @security pointer to the TUN devices's security structure.	907	* @security pointer to the TUN devices's security structure.
908	*	908	*
		909	* Security hooks for SCTP
		910	*
		911	* @sctp_assoc_request:
		912	* Passes the @ep and @chunk->skb of the association INIT packet to
		913	* the security module.
		914	* @ep pointer to sctp endpoint structure.
		915	* @skb pointer to skbuff of association packet.
		916	* Return 0 on success, error on failure.
		917	* @sctp_bind_connect:
		918	* Validiate permissions required for each address associated with sock
		919	* @sk. Depending on @optname, the addresses will be treated as either
		920	* for a connect or bind service. The @addrlen is calculated on each
		921	* ipv4 and ipv6 address using sizeof(struct sockaddr_in) or
		922	* sizeof(struct sockaddr_in6).
		923	* @sk pointer to sock structure.
		924	* @optname name of the option to validate.
		925	* @address list containing one or more ipv4/ipv6 addresses.
		926	* @addrlen total length of address(s).
		927	* Return 0 on success, error on failure.
		928	* @sctp_sk_clone:
		929	* Called whenever a new socket is created by accept(2) (i.e. a TCP
		930	* style socket) or when a socket is 'peeled off' e.g userspace
		931	* calls sctp_peeloff(3).
		932	* @ep pointer to current sctp endpoint structure.
		933	* @sk pointer to current sock structure.
		934	* @sk pointer to new sock structure.
		935	*
909	* Security hooks for Infiniband	936	* Security hooks for Infiniband
910	*	937	*
911	* @ib_pkey_access:	938	* @ib_pkey_access:
@@ -1665,6 +1692,12 @@ union security_list_options {
1665	int (tun_dev_attach_queue)(void security);	1692	int (tun_dev_attach_queue)(void security);
1666	int (tun_dev_attach)(struct sock sk, void *security);	1693	int (tun_dev_attach)(struct sock sk, void *security);
1667	int (tun_dev_open)(void security);	1694	int (tun_dev_open)(void security);
		1695	int (sctp_assoc_request)(struct sctp_endpoint ep,
		1696	struct sk_buff *skb);
		1697	int (sctp_bind_connect)(struct sock sk, int optname,
		1698	struct sockaddr *address, int addrlen);
		1699	void (sctp_sk_clone)(struct sctp_endpoint ep, struct sock *sk,
		1700	struct sock *newsk);
1668	#endif /* CONFIG_SECURITY_NETWORK */	1701	#endif /* CONFIG_SECURITY_NETWORK */
1669		1702
1670	#ifdef CONFIG_SECURITY_INFINIBAND	1703	#ifdef CONFIG_SECURITY_INFINIBAND
@@ -1914,6 +1947,9 @@ struct security_hook_heads {
1914	struct list_head tun_dev_attach_queue;	1947	struct list_head tun_dev_attach_queue;
1915	struct list_head tun_dev_attach;	1948	struct list_head tun_dev_attach;
1916	struct list_head tun_dev_open;	1949	struct list_head tun_dev_open;
		1950	struct list_head sctp_assoc_request;
		1951	struct list_head sctp_bind_connect;
		1952	struct list_head sctp_sk_clone;
1917	#endif /* CONFIG_SECURITY_NETWORK */	1953	#endif /* CONFIG_SECURITY_NETWORK */
1918	#ifdef CONFIG_SECURITY_INFINIBAND	1954	#ifdef CONFIG_SECURITY_INFINIBAND
1919	struct list_head ib_pkey_access;	1955	struct list_head ib_pkey_access;


diff --git a/include/linux/security.h b/include/linux/security.h index 73f1ef625d40..2ff5f5777a53 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -115,6 +115,7 @@ struct xfrm_policy;
115	struct xfrm_state;	115	struct xfrm_state;
116	struct xfrm_user_sec_ctx;	116	struct xfrm_user_sec_ctx;
117	struct seq_file;	117	struct seq_file;
		118	struct sctp_endpoint;
118		119
119	#ifdef CONFIG_MMU	120	#ifdef CONFIG_MMU
120	extern unsigned long mmap_min_addr;	121	extern unsigned long mmap_min_addr;
@@ -1229,6 +1230,11 @@ int security_tun_dev_create(void);
1229	int security_tun_dev_attach_queue(void *security);	1230	int security_tun_dev_attach_queue(void *security);
1230	int security_tun_dev_attach(struct sock sk, void security);	1231	int security_tun_dev_attach(struct sock sk, void security);
1231	int security_tun_dev_open(void *security);	1232	int security_tun_dev_open(void *security);
		1233	int security_sctp_assoc_request(struct sctp_endpoint ep, struct sk_buff skb);
		1234	int security_sctp_bind_connect(struct sock *sk, int optname,
		1235	struct sockaddr *address, int addrlen);
		1236	void security_sctp_sk_clone(struct sctp_endpoint ep, struct sock sk,
		1237	struct sock *newsk);
1232		1238
1233	#else /* CONFIG_SECURITY_NETWORK */	1239	#else /* CONFIG_SECURITY_NETWORK */
1234	static inline int security_unix_stream_connect(struct sock *sock,	1240	static inline int security_unix_stream_connect(struct sock *sock,
@@ -1421,6 +1427,25 @@ static inline int security_tun_dev_open(void *security)
1421	{	1427	{
1422	return 0;	1428	return 0;
1423	}	1429	}
		1430
		1431	static inline int security_sctp_assoc_request(struct sctp_endpoint *ep,
		1432	struct sk_buff *skb)
		1433	{
		1434	return 0;
		1435	}
		1436
		1437	static inline int security_sctp_bind_connect(struct sock *sk, int optname,
		1438	struct sockaddr *address,
		1439	int addrlen)
		1440	{
		1441	return 0;
		1442	}
		1443
		1444	static inline void security_sctp_sk_clone(struct sctp_endpoint *ep,
		1445	struct sock *sk,
		1446	struct sock *newsk)
		1447	{
		1448	}
1424	#endif /* CONFIG_SECURITY_NETWORK */	1449	#endif /* CONFIG_SECURITY_NETWORK */
1425		1450
1426	#ifdef CONFIG_SECURITY_INFINIBAND	1451	#ifdef CONFIG_SECURITY_INFINIBAND