forked from Qortal/Brooklyn
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
343 lines
14 KiB
343 lines
14 KiB
.. SPDX-License-Identifier: GPL-2.0 |
|
|
|
==== |
|
SCTP |
|
==== |
|
|
|
SCTP LSM Support |
|
================ |
|
|
|
Security Hooks |
|
-------------- |
|
|
|
For security module support, three SCTP specific hooks have been implemented:: |
|
|
|
security_sctp_assoc_request() |
|
security_sctp_bind_connect() |
|
security_sctp_sk_clone() |
|
|
|
Also the following security hook has been utilised:: |
|
|
|
security_inet_conn_established() |
|
|
|
The usage of these hooks are described below with the SELinux implementation |
|
described in the `SCTP SELinux Support`_ chapter. |
|
|
|
|
|
security_sctp_assoc_request() |
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the |
|
security module. Returns 0 on success, error on failure. |
|
:: |
|
|
|
@ep - pointer to sctp endpoint structure. |
|
@skb - pointer to skbuff of association packet. |
|
|
|
|
|
security_sctp_bind_connect() |
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Passes one or more ipv4/ipv6 addresses to the security module for validation |
|
based on the ``@optname`` that will result in either a bind or connect |
|
service as shown in the permission check tables below. |
|
Returns 0 on success, error on failure. |
|
:: |
|
|
|
@sk - Pointer to sock structure. |
|
@optname - Name of the option to validate. |
|
@address - One or more ipv4 / ipv6 addresses. |
|
@addrlen - The total length of address(s). This is calculated on each |
|
ipv4 or ipv6 address using sizeof(struct sockaddr_in) or |
|
sizeof(struct sockaddr_in6). |
|
|
|
------------------------------------------------------------------ |
|
| BIND Type Checks | |
|
| @optname | @address contains | |
|
|----------------------------|-----------------------------------| |
|
| SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | |
|
| SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | |
|
| SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | |
|
------------------------------------------------------------------ |
|
|
|
------------------------------------------------------------------ |
|
| CONNECT Type Checks | |
|
| @optname | @address contains | |
|
|----------------------------|-----------------------------------| |
|
| SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | |
|
| SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | |
|
| SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | |
|
| SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | |
|
------------------------------------------------------------------ |
|
|
|
A summary of the ``@optname`` entries is as follows:: |
|
|
|
SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be |
|
associated after (optionally) calling |
|
bind(3). |
|
sctp_bindx(3) adds a set of bind |
|
addresses on a socket. |
|
|
|
SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple |
|
addresses for reaching a peer |
|
(multi-homed). |
|
sctp_connectx(3) initiates a connection |
|
on an SCTP socket using multiple |
|
destination addresses. |
|
|
|
SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a |
|
sendmsg(2) or sctp_sendmsg(3) on a new asociation. |
|
|
|
SCTP_PRIMARY_ADDR - Set local primary address. |
|
|
|
SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as |
|
association primary. |
|
|
|
SCTP_PARAM_ADD_IP - These are used when Dynamic Address |
|
SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below. |
|
|
|
|
|
To support Dynamic Address Reconfiguration the following parameters must be |
|
enabled on both endpoints (or use the appropriate **setsockopt**\(2)):: |
|
|
|
/proc/sys/net/sctp/addip_enable |
|
/proc/sys/net/sctp/addip_noauth_enable |
|
|
|
then the following *_PARAM_*'s are sent to the peer in an |
|
ASCONF chunk when the corresponding ``@optname``'s are present:: |
|
|
|
@optname ASCONF Parameter |
|
---------- ------------------ |
|
SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP |
|
SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY |
|
|
|
|
|
security_sctp_sk_clone() |
|
~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Called whenever a new socket is created by **accept**\(2) |
|
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace |
|
calls **sctp_peeloff**\(3). |
|
:: |
|
|
|
@ep - pointer to current sctp endpoint structure. |
|
@sk - pointer to current sock structure. |
|
@sk - pointer to new sock structure. |
|
|
|
|
|
security_inet_conn_established() |
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Called when a COOKIE ACK is received:: |
|
|
|
@sk - pointer to sock structure. |
|
@skb - pointer to skbuff of the COOKIE ACK packet. |
|
|
|
|
|
Security Hooks used for Association Establishment |
|
------------------------------------------------- |
|
|
|
The following diagram shows the use of ``security_sctp_bind_connect()``, |
|
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when |
|
establishing an association. |
|
:: |
|
|
|
SCTP endpoint "A" SCTP endpoint "Z" |
|
================= ================= |
|
sctp_sf_do_prm_asoc() |
|
Association setup can be initiated |
|
by a connect(2), sctp_connectx(3), |
|
sendmsg(2) or sctp_sendmsg(3). |
|
These will result in a call to |
|
security_sctp_bind_connect() to |
|
initiate an association to |
|
SCTP peer endpoint "Z". |
|
INIT ---------------------------------------------> |
|
sctp_sf_do_5_1B_init() |
|
Respond to an INIT chunk. |
|
SCTP peer endpoint "A" is |
|
asking for an association. Call |
|
security_sctp_assoc_request() |
|
to set the peer label if first |
|
association. |
|
If not first association, check |
|
whether allowed, IF so send: |
|
<----------------------------------------------- INIT ACK |
|
| ELSE audit event and silently |
|
| discard the packet. |
|
| |
|
COOKIE ECHO ------------------------------------------> |
|
| |
|
| |
|
| |
|
<------------------------------------------- COOKIE ACK |
|
| | |
|
sctp_sf_do_5_1E_ca | |
|
Call security_inet_conn_established() | |
|
to set the peer label. | |
|
| | |
|
| If SCTP_SOCKET_TCP or peeled off |
|
| socket security_sctp_sk_clone() is |
|
| called to clone the new socket. |
|
| | |
|
ESTABLISHED ESTABLISHED |
|
| | |
|
------------------------------------------------------------------ |
|
| Association Established | |
|
------------------------------------------------------------------ |
|
|
|
|
|
SCTP SELinux Support |
|
==================== |
|
|
|
Security Hooks |
|
-------------- |
|
|
|
The `SCTP LSM Support`_ chapter above describes the following SCTP security |
|
hooks with the SELinux specifics expanded below:: |
|
|
|
security_sctp_assoc_request() |
|
security_sctp_bind_connect() |
|
security_sctp_sk_clone() |
|
security_inet_conn_established() |
|
|
|
|
|
security_sctp_assoc_request() |
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the |
|
security module. Returns 0 on success, error on failure. |
|
:: |
|
|
|
@ep - pointer to sctp endpoint structure. |
|
@skb - pointer to skbuff of association packet. |
|
|
|
The security module performs the following operations: |
|
IF this is the first association on ``@ep->base.sk``, then set the peer |
|
sid to that in ``@skb``. This will ensure there is only one peer sid |
|
assigned to ``@ep->base.sk`` that may support multiple associations. |
|
|
|
ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid`` |
|
to determine whether the association should be allowed or denied. |
|
|
|
Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with |
|
MLS portion taken from ``@skb peer sid``. This will be used by SCTP |
|
TCP style sockets and peeled off connections as they cause a new socket |
|
to be generated. |
|
|
|
If IP security options are configured (CIPSO/CALIPSO), then the ip |
|
options are set on the socket. |
|
|
|
|
|
security_sctp_bind_connect() |
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Checks permissions required for ipv4/ipv6 addresses based on the ``@optname`` |
|
as follows:: |
|
|
|
------------------------------------------------------------------ |
|
| BIND Permission Checks | |
|
| @optname | @address contains | |
|
|----------------------------|-----------------------------------| |
|
| SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | |
|
| SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | |
|
| SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | |
|
------------------------------------------------------------------ |
|
|
|
------------------------------------------------------------------ |
|
| CONNECT Permission Checks | |
|
| @optname | @address contains | |
|
|----------------------------|-----------------------------------| |
|
| SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | |
|
| SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | |
|
| SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | |
|
| SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | |
|
------------------------------------------------------------------ |
|
|
|
|
|
`SCTP LSM Support`_ gives a summary of the ``@optname`` |
|
entries and also describes ASCONF chunk processing when Dynamic Address |
|
Reconfiguration is enabled. |
|
|
|
|
|
security_sctp_sk_clone() |
|
~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style |
|
socket) or when a socket is 'peeled off' e.g userspace calls |
|
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new |
|
sockets sid and peer sid to that contained in the ``@ep sid`` and |
|
``@ep peer sid`` respectively. |
|
:: |
|
|
|
@ep - pointer to current sctp endpoint structure. |
|
@sk - pointer to current sock structure. |
|
@sk - pointer to new sock structure. |
|
|
|
|
|
security_inet_conn_established() |
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
|
Called when a COOKIE ACK is received where it sets the connection's peer sid |
|
to that in ``@skb``:: |
|
|
|
@sk - pointer to sock structure. |
|
@skb - pointer to skbuff of the COOKIE ACK packet. |
|
|
|
|
|
Policy Statements |
|
----------------- |
|
The following class and permissions to support SCTP are available within the |
|
kernel:: |
|
|
|
class sctp_socket inherits socket { node_bind } |
|
|
|
whenever the following policy capability is enabled:: |
|
|
|
policycap extended_socket_class; |
|
|
|
SELinux SCTP support adds the ``name_connect`` permission for connecting |
|
to a specific port type and the ``association`` permission that is explained |
|
in the section below. |
|
|
|
If userspace tools have been updated, SCTP will support the ``portcon`` |
|
statement as shown in the following example:: |
|
|
|
portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0 |
|
|
|
|
|
SCTP Peer Labeling |
|
------------------ |
|
An SCTP socket will only have one peer label assigned to it. This will be |
|
assigned during the establishment of the first association. Any further |
|
associations on this socket will have their packet peer label compared to |
|
the sockets peer label, and only if they are different will the |
|
``association`` permission be validated. This is validated by checking the |
|
socket peer sid against the received packets peer sid to determine whether |
|
the association should be allowed or denied. |
|
|
|
NOTES: |
|
1) If peer labeling is not enabled, then the peer context will always be |
|
``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy). |
|
|
|
2) As SCTP can support more than one transport address per endpoint |
|
(multi-homing) on a single socket, it is possible to configure policy |
|
and NetLabel to provide different peer labels for each of these. As the |
|
socket peer label is determined by the first associations transport |
|
address, it is recommended that all peer labels are consistent. |
|
|
|
3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer |
|
context. |
|
|
|
4) While not SCTP specific, be aware when using NetLabel that if a label |
|
is assigned to a specific interface, and that interface 'goes down', |
|
then the NetLabel service will remove the entry. Therefore ensure that |
|
the network startup scripts call **netlabelctl**\(8) to set the required |
|
label (see **netlabel-config**\(8) helper script for details). |
|
|
|
5) The NetLabel SCTP peer labeling rules apply as discussed in the following |
|
set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t. |
|
|
|
6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)`` |
|
CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)`` |
|
|
|
Note the following when testing CIPSO/CALIPSO: |
|
a) CIPSO will send an ICMP packet if an SCTP packet cannot be |
|
delivered because of an invalid label. |
|
b) CALIPSO does not send an ICMP packet, just silently discards it. |
|
|
|
7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been |
|
implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)), |
|
although the kernel supports SCTP/IPSEC.
|
|
|