linux/Documentation/security/SCTP.rst
.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks is described below, with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses, packed back to back.
    @addrlen - The total length of the address(es). This is the sum over
               the packed entries of sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6), so the entries are not all
               the same size and must be walked by family.

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(2).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                            sendmsg(2) or sctp_sendmsg(3) on a new association.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY
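
The ``@address``/``@addrlen`` layout described above is the part of this
hook that is easiest to get wrong: the buffer is a packed run of
``struct sockaddr_in`` (16 bytes) and ``struct sockaddr_in6`` (28 bytes)
entries, so a handler cannot index it as an array. The following is an
added example, not kernel code and not the SELinux handler: a userspace
packer in the shape that sctp_bindx(3)/sctp_connectx(3) callers build,
and the walk a bind/connect hook has to perform to find each entry and to
reject a buffer whose ``@addrlen`` does not line up with its entries. The
addresses, ports and buffer sizes are constructed for the example.

```c
/* Added example: packing and walking the @address/@addrlen buffer that
 * security_sctp_bind_connect() receives.  Userspace model, not kernel code;
 * the addresses and ports used are constructed for the example. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_ADDRS 8

struct addr_summary {
    int count;                      /* entries found in the buffer */
    int n_v4, n_v6;                 /* per-family counts */
    unsigned short port[MAX_ADDRS]; /* host-order port of each entry */
};

/* Append one textual address to a packed buffer, as sctp_bindx(3) and
 * sctp_connectx(3) callers build it.  Returns the bytes appended, or 0 if
 * the text is not an address or the buffer has no room. */
size_t pack_addr(unsigned char *buf, size_t cap, size_t used,
                 const char *text, unsigned short port)
{
    struct sockaddr_in sin;
    struct sockaddr_in6 sin6;

    memset(&sin, 0, sizeof(sin));
    memset(&sin6, 0, sizeof(sin6));
    if (inet_pton(AF_INET, text, &sin.sin_addr) == 1) {
        if (used + sizeof(sin) > cap)
            return 0;
        sin.sin_family = AF_INET;
        sin.sin_port = htons(port);
        memcpy(buf + used, &sin, sizeof(sin));
        return sizeof(sin);
    }
    if (inet_pton(AF_INET6, text, &sin6.sin6_addr) == 1) {
        if (used + sizeof(sin6) > cap)
            return 0;
        sin6.sin6_family = AF_INET6;
        sin6.sin6_port = htons(port);
        memcpy(buf + used, &sin6, sizeof(sin6));
        return sizeof(sin6);
    }
    return 0;
}

/* Walk the buffer the way a bind/connect hook has to: read the family of
 * the entry at the current offset, derive the entry size from it, and
 * refuse the whole buffer if @addrlen does not line up with the entries.
 * Returns 0 on success or -EINVAL for a malformed buffer. */
int walk_packed_addrs(const unsigned char *addrs, size_t addrlen,
                      struct addr_summary *out)
{
    size_t walked = 0;

    memset(out, 0, sizeof(*out));
    while (walked < addrlen) {
        sa_family_t family;
        unsigned short nport;
        size_t len;

        if (addrlen - walked < sizeof(family))
            return -EINVAL;             /* not even a family field left */
        memcpy(&family, addrs + walked, sizeof(family));
        switch (family) {
        case AF_INET:
            len = sizeof(struct sockaddr_in);
            break;
        case AF_INET6:
            len = sizeof(struct sockaddr_in6);
            break;
        default:
            return -EINVAL;             /* unknown family: reject, never skip */
        }
        if (len > addrlen - walked)
            return -EINVAL;             /* entry runs past @addrlen */

        /* sin_port and sin6_port sit at the same offset in both structs */
        memcpy(&nport, addrs + walked + offsetof(struct sockaddr_in, sin_port),
               sizeof(nport));
        if (out->count < MAX_ADDRS)
            out->port[out->count] = ntohs(nport);
        out->count++;
        if (family == AF_INET)
            out->n_v4++;
        else
            out->n_v6++;
        walked += len;
    }
    return 0;
}

int main(void)
{
    unsigned char buf[128];
    struct addr_summary s;
    size_t n = 0;

    n += pack_addr(buf, sizeof(buf), n, "192.0.2.10", 5000);   /* constructed */
    n += pack_addr(buf, sizeof(buf), n, "2001:db8::1", 5000);  /* constructed */
    n += pack_addr(buf, sizeof(buf), n, "198.51.100.7", 5001); /* constructed */
    printf("addrlen=%zu walk=%d\n", n, walk_packed_addrs(buf, n, &s));
    printf("count=%d v4=%d v6=%d truncated=%d\n", s.count, s.n_v4, s.n_v6,
           walk_packed_addrs(buf, n - 4, &s));
    return 0;
}
```

The walk refuses the buffer as a whole rather than skipping a bad entry:
an unknown family or a short tail is a malformed request from userspace,
and skipping it would let an address through without the per-address check
that the tables above require.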


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off', e.g. userspace
calls **sctp_peeloff**\(3).
::

    @ep    - pointer to current sctp endpoint structure.
    @sk    - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------

The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                          |
                                                          |
                                                          |
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_inet_conn_established()                    |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------


SCTP SELinux Support
====================

Security Hooks
--------------

The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_inet_conn_established()


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@ep->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@ep->base.sk`` that may support multiple associations.

     ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
     MLS portion taken from ``@skb peer sid``. This will be used by SCTP
     TCP style sockets and peeled off connections as they cause a new socket
     to be generated.

     If IP security options are configured (CIPSO/CALIPSO), then the ip
     options are set on the socket.

 223     If IP security options are configured (CIPSO/CALIPSO), then the ip
 224     options are set on the socket.
 225
 226
 227security_sctp_bind_connect()
 228~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 229Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
 230as follows::
 231
 232  ------------------------------------------------------------------
 233  |                   BIND Permission Checks                       |
 234  |       @optname             |         @address contains         |
 235  |----------------------------|-----------------------------------|
 236  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
 237  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
 238  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
 239  ------------------------------------------------------------------
 240
 241  ------------------------------------------------------------------
 242  |                 CONNECT Permission Checks                      |
 243  |       @optname             |         @address contains         |
 244  |----------------------------|-----------------------------------|
 245  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
 246  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
 247  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
 248  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
 249  ------------------------------------------------------------------
 250
 251
 252`SCTP LSM Support`_ gives a summary of the ``@optname``
 253entries and also describes ASCONF chunk processing when Dynamic Address
 254Reconfiguration is enabled.
 255
 256
security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off', e.g. userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
socket's sid and peer sid to that contained in the ``@ep sid`` and
``@ep peer sid`` respectively.
::

    @ep    - pointer to current sctp endpoint structure.
    @sk    - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Policy Statements
-----------------
The following class and permissions to support SCTP are available within the
kernel::

    class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled::

    policycap extended_socket_class;

SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.

If userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::

    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
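
The following is an added policy fragment showing how those statements fit
together for one daemon. It is not from the kernel tree or from any
distribution policy: the domain ``mydaemon_t`` and the peer types
``peer_a_t`` and ``peer_b_t`` are assumed names, ``node_t`` is the generic
Reference Policy node type, and only the port range and ``sctp_ports_t``
come from the example above. The statements are shown together for reading;
in a real build ``policycap`` and ``portcon`` belong in the base policy and
the ``allow`` rules in the daemon's module.

```selinux
# base policy: makes the sctp_socket class available for the checks below
policycap extended_socket_class;

# base policy: label the SCTP port range the daemon binds and connects to
portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0

# daemon module (mydaemon_t is an assumed type)
allow mydaemon_t self:sctp_socket { create bind connect listen accept
                                    getopt setopt read write shutdown };

# BIND-type checks (sctp_bindx(3), SCTP_PRIMARY_ADDR, ...): the port and
# the node of each local address passed to security_sctp_bind_connect()
allow mydaemon_t sctp_ports_t:sctp_socket name_bind;
allow mydaemon_t node_t:sctp_socket node_bind;

# CONNECT-type checks (sctp_connectx(3), SCTP_SENDMSG_CONNECT, ...): the
# type of the peer port being connected to
allow mydaemon_t sctp_ports_t:sctp_socket name_connect;

# A later association whose packet peer label (peer_b_t) differs from the
# label set by the socket's first association (peer_a_t).  The check is
# made with the socket's peer label as source and the new packet's peer
# label as target; without this rule the INIT is audited and discarded.
allow peer_a_t peer_b_t:sctp_socket association;
```

Note that the ``association`` rule is between two peer types, not between
the daemon's domain and a peer: it governs whether a second peer label may
coexist on a socket that already carries one.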


SCTP Peer Labeling
------------------
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the socket's peer label; only if the two differ is the ``association``
permission checked, between the socket's peer sid and the received packet's
peer sid, to determine whether the association should be allowed or denied.
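
The decision just described, together with the steps listed for
``security_sctp_assoc_request()`` and ``security_sctp_sk_clone()`` in the
SELinux section above, can be exercised without a kernel. The following is
an added userspace model, not kernel code: a label is modelled as a
``{type, mls}`` pair so that the "socket sid with the MLS portion of the
peer sid" step is visible, the ``association`` allow table and the audit
text are constructed for the example, and ``UNLABELED_TYPE`` only stands in
for ``SECINITSID_UNLABELED``.

```c
/* Added example: a userspace model of the SELinux peer-label decisions made
 * in security_sctp_assoc_request() and security_sctp_sk_clone().  Not kernel
 * code: labels are {type, mls} pairs, the allow table and the audit text are
 * constructed, and UNLABELED_TYPE only stands in for SECINITSID_UNLABELED. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

struct label { unsigned int type; unsigned int mls; };

#define UNLABELED_TYPE 1u   /* plays the role of unlabeled_t */

struct sock_model {
    struct label sid;       /* the socket's own label */
    struct label peer_sid;  /* the single peer label the socket may carry */
    int assoc_set;          /* first association already seen */
};

struct ep_model { struct label secid; struct label peer_secid; };

/* constructed policy: allow <src_type> <tgt_type>:sctp_socket association; */
struct assoc_rule { unsigned int src_type, tgt_type; };
static const struct assoc_rule assoc_rules[] = { { 20u, 21u } };

static int label_eq(struct label a, struct label b)
{
    return a.type == b.type && a.mls == b.mls;
}

/* stands in for the 'association' permission check, source = socket's peer
 * label, target = the new packet's peer label */
static int assoc_allowed(struct label src, struct label tgt)
{
    size_t i;

    for (i = 0; i < sizeof(assoc_rules) / sizeof(assoc_rules[0]); i++)
        if (assoc_rules[i].src_type == src.type &&
            assoc_rules[i].tgt_type == tgt.type)
            return 1;
    return 0;
}

/* Decision for an incoming INIT.  'pkt_peer' is the peer label derived from
 * the packet; with peer labeling off it is always the unlabeled label, so
 * later associations can never differ from the first one (note 1 below). */
int model_assoc_request(struct sock_model *sk, struct ep_model *ep,
                        struct label pkt_peer, int peer_labeling,
                        char *audit, size_t audit_len)
{
    if (!peer_labeling)
        pkt_peer = (struct label){ UNLABELED_TYPE, 0u };

    if (!sk->assoc_set) {
        /* first association on the socket: it sets the socket's peer label */
        sk->assoc_set = 1;
        sk->peer_sid = pkt_peer;
    } else if (!label_eq(sk->peer_sid, pkt_peer) &&
               !assoc_allowed(sk->peer_sid, pkt_peer)) {
        /* differing peer label and no 'association' rule: audit and deny;
         * the INIT is then discarded silently on the wire */
        snprintf(audit, audit_len,
                 "avc: denied { association } scontext=type%u tcontext=type%u "
                 "tclass=sctp_socket", sk->peer_sid.type, pkt_peer.type);
        return -EACCES;
    }

    /* endpoint label: the socket's type with the MLS portion of the peer,
     * ready for any socket later produced by accept(2) or sctp_peeloff(3) */
    ep->secid = (struct label){ sk->sid.type, pkt_peer.mls };
    ep->peer_secid = pkt_peer;
    return 0;
}

/* security_sctp_sk_clone(): the new socket takes the endpoint's labels */
void model_sk_clone(const struct ep_model *ep, struct sock_model *newsk)
{
    newsk->sid = ep->secid;
    newsk->peer_sid = ep->peer_secid;
    newsk->assoc_set = 1;   /* modelling choice: it already carries one association */
}

int main(void)
{
    struct sock_model sk = { { 20u, 0u }, { 0u, 0u }, 0 };
    struct ep_model ep;
    char audit[160] = "";

    model_assoc_request(&sk, &ep, (struct label){ 30u, 7u }, 1, audit, sizeof(audit));
    if (model_assoc_request(&sk, &ep, (struct label){ 31u, 7u }, 1, audit, sizeof(audit)))
        printf("%s\n", audit);
    return 0;
}
```

The model makes note 2 concrete: on a multi-homed socket whose transport
addresses map to different peer labels, whichever address the first INIT
arrives on fixes the socket's peer label, and every later association on a
differently labelled address then depends on an ``association`` rule.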

NOTES:
   1) If peer labeling is not enabled, then the peer context will always be
      ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).

   2) As SCTP can support more than one transport address per endpoint
      (multi-homing) on a single socket, it is possible to configure policy
      and NetLabel to provide different peer labels for each of these. As the
      socket peer label is determined by the first association's transport
      address, it is recommended that all peer labels are consistent.

   3) **getpeercon**\(3) may be used by userspace to retrieve the socket's peer
      context.

   4) While not SCTP specific, be aware when using NetLabel that if a label
      is assigned to a specific interface, and that interface 'goes down',
      then the NetLabel service will remove the entry. Therefore ensure that
      the network startup scripts call **netlabelctl**\(8) to set the required
      label (see the **netlabel-config**\(8) helper script for details).

   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

      Note the following when testing CIPSO/CALIPSO:
         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
            delivered because of an invalid label.
         b) CALIPSO does not send an ICMP packet; it silently discards the
            packet.

   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
      although the kernel supports SCTP/IPSEC.
