[mirror_ubuntu-kernels.git] / Documentation / security / SCTP.rst

.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks are described below with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                            sendmsg(2) or sctp_sendmsg(3) on a new asociation.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
calls **sctp_peeloff**\(3).
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @sk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------

The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                          |
                                                          |
                                                          |
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_inet_conn_established()                    |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------


SCTP SELinux Support
====================

Security Hooks
--------------

The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_inet_conn_established()


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@ep->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@ep->base.sk`` that may support multiple associations.

     ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
     MLS portion taken from ``@skb peer sid``. This will be used by SCTP
     TCP style sockets and peeled off connections as they cause a new socket
     to be generated.

     If IP security options are configured (CIPSO/CALIPSO), then the ip
     options are set on the socket.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
as follows::

  ------------------------------------------------------------------
  |                   BIND Permission Checks                       |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                 CONNECT Permission Checks                      |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------


`SCTP LSM Support`_ gives a summary of the ``@optname``
entries and also describes ASCONF chunk processing when Dynamic Address
Reconfiguration is enabled.


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off' e.g userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
sockets sid and peer sid to that contained in the ``@ep sid`` and
``@ep peer sid`` respectively.
::

    @ep - pointer to current sctp endpoint structure.
    @sk - pointer to current sock structure.
    @sk - pointer to new sock structure.


security_inet_conn_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Policy Statements
-----------------
The following class and permissions to support SCTP are available within the
kernel::

    class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled::

    policycap extended_socket_class;

SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.

If userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::

    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0


SCTP Peer Labeling
------------------
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the sockets peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packets peer sid to determine whether
the association should be allowed or denied.

NOTES:
   1) If peer labeling is not enabled, then the peer context will always be
      ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).

   2) As SCTP can support more than one transport address per endpoint
      (multi-homing) on a single socket, it is possible to configure policy
      and NetLabel to provide different peer labels for each of these. As the
      socket peer label is determined by the first associations transport
      address, it is recommended that all peer labels are consistent.

   3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
      context.

   4) While not SCTP specific, be aware when using NetLabel that if a label
      is assigned to a specific interface, and that interface 'goes down',
      then the NetLabel service will remove the entry. Therefore ensure that
      the network startup scripts call **netlabelctl**\(8) to set the required
      label (see **netlabel-config**\(8) helper script for details).

   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

      Note the following when testing CIPSO/CALIPSO:
         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
            delivered because of an invalid label.
         b) CALIPSO does not send an ICMP packet, just silently discards it.

   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
      although the kernel supports SCTP/IPSEC.
Commit	Line	Data
d61330c6 KC	1	.. SPDX-License-Identifier: GPL-2.0
	2
	3	====
	4	SCTP
	5	====
	6
72e89f50 RH	7	SCTP LSM Support
	8	================
	9
d61330c6 KC	10	Security Hooks
	11	--------------
	12
72e89f50 RH	13	For security module support, three SCTP specific hooks have been implemented::
	14
	15	security_sctp_assoc_request()
	16	security_sctp_bind_connect()
	17	security_sctp_sk_clone()
	18
	19	Also the following security hook has been utilised::
	20
	21	security_inet_conn_established()
	22
	23	The usage of these hooks are described below with the SELinux implementation
d61330c6	24	described in the `SCTP SELinux Support`_ chapter.
72e89f50 RH	25
	26
	27	security_sctp_assoc_request()
d61330c6	28	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72e89f50 RH	29	Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
	30	security module. Returns 0 on success, error on failure.
	31	::
	32
	33	@ep - pointer to sctp endpoint structure.
	34	@skb - pointer to skbuff of association packet.
	35
	36
	37	security_sctp_bind_connect()
d61330c6	38	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72e89f50 RH	39	Passes one or more ipv4/ipv6 addresses to the security module for validation
	40	based on the ``@optname`` that will result in either a bind or connect
	41	service as shown in the permission check tables below.
	42	Returns 0 on success, error on failure.
	43	::
	44
	45	@sk - Pointer to sock structure.
	46	@optname - Name of the option to validate.
	47	@address - One or more ipv4 / ipv6 addresses.
	48	@addrlen - The total length of address(s). This is calculated on each
	49	ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
	50	sizeof(struct sockaddr_in6).
	51
	52	------------------------------------------------------------------
	53	\| BIND Type Checks \|
	54	\| @optname \| @address contains \|
	55	\|----------------------------\|-----------------------------------\|
	56	\| SCTP_SOCKOPT_BINDX_ADD \| One or more ipv4 / ipv6 addresses \|
	57	\| SCTP_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	58	\| SCTP_SET_PEER_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	59	------------------------------------------------------------------
	60
	61	------------------------------------------------------------------
	62	\| CONNECT Type Checks \|
	63	\| @optname \| @address contains \|
	64	\|----------------------------\|-----------------------------------\|
	65	\| SCTP_SOCKOPT_CONNECTX \| One or more ipv4 / ipv6 addresses \|
	66	\| SCTP_PARAM_ADD_IP \| One or more ipv4 / ipv6 addresses \|
	67	\| SCTP_SENDMSG_CONNECT \| Single ipv4 or ipv6 address \|
	68	\| SCTP_PARAM_SET_PRIMARY \| Single ipv4 or ipv6 address \|
	69	------------------------------------------------------------------
	70
	71	A summary of the ``@optname`` entries is as follows::
	72
	73	SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
	74	associated after (optionally) calling
	75	bind(3).
	76	sctp_bindx(3) adds a set of bind
	77	addresses on a socket.
	78
	79	SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
	80	addresses for reaching a peer
	81	(multi-homed).
	82	sctp_connectx(3) initiates a connection
	83	on an SCTP socket using multiple
	84	destination addresses.
	85
	86	SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
	87	sendmsg(2) or sctp_sendmsg(3) on a new asociation.
	88
	89	SCTP_PRIMARY_ADDR - Set local primary address.
	90
	91	SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
	92	association primary.
	93
	94	SCTP_PARAM_ADD_IP - These are used when Dynamic Address
	95	SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.
	96
	97
	98	To support Dynamic Address Reconfiguration the following parameters must be
	99	enabled on both endpoints (or use the appropriate setsockopt\(2))::
	100
	101	/proc/sys/net/sctp/addip_enable
	102	/proc/sys/net/sctp/addip_noauth_enable
103
104	then the following _PARAM_'s are sent to the peer in an
105	ASCONF chunk when the corresponding ``@optname``'s are present::
106
107	@optname ASCONF Parameter
108	---------- ------------------
109	SCTP_SOCKOPT_BINDX_ADD -> SCTP_PARAM_ADD_IP
110	SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY
111
112
113	security_sctp_sk_clone()
d61330c6	114	~~~~~~~~~~~~~~~~~~~~~~~~
72e89f50 RH	115	Called whenever a new socket is created by accept\(2)
	116	(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
	117	calls sctp_peeloff\(3).
	118	::
	119
	120	@ep - pointer to current sctp endpoint structure.
	121	@sk - pointer to current sock structure.
	122	@sk - pointer to new sock structure.
	123
	124
	125	security_inet_conn_established()
d61330c6	126	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
72e89f50 RH	127	Called when a COOKIE ACK is received::
	128
	129	@sk - pointer to sock structure.
	130	@skb - pointer to skbuff of the COOKIE ACK packet.
	131
	132
	133	Security Hooks used for Association Establishment
d61330c6 KC	134	-------------------------------------------------
d61330c6 KC	135
72e89f50 RH	136	The following diagram shows the use of ``security_sctp_bind_connect()``,
	137	``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
	138	establishing an association.
	139	::
	140
	141	SCTP endpoint "A" SCTP endpoint "Z"
	142	================= =================
	143	sctp_sf_do_prm_asoc()
	144	Association setup can be initiated
	145	by a connect(2), sctp_connectx(3),
	146	sendmsg(2) or sctp_sendmsg(3).
	147	These will result in a call to
	148	security_sctp_bind_connect() to
	149	initiate an association to
	150	SCTP peer endpoint "Z".
	151	INIT --------------------------------------------->
	152	sctp_sf_do_5_1B_init()
	153	Respond to an INIT chunk.
	154	SCTP peer endpoint "A" is
	155	asking for an association. Call
	156	security_sctp_assoc_request()
	157	to set the peer label if first
	158	association.
	159	If not first association, check
	160	whether allowed, IF so send:
	161	<----------------------------------------------- INIT ACK
	162	\| ELSE audit event and silently
	163	\| discard the packet.
	164	\|
	165	COOKIE ECHO ------------------------------------------>
	166	\|
	167	\|
	168	\|
	169	<------------------------------------------- COOKIE ACK
	170	\| \|
	171	sctp_sf_do_5_1E_ca \|
	172	Call security_inet_conn_established() \|
	173	to set the peer label. \|
	174	\| \|
	175	\| If SCTP_SOCKET_TCP or peeled off
	176	\| socket security_sctp_sk_clone() is
	177	\| called to clone the new socket.
	178	\| \|
	179	ESTABLISHED ESTABLISHED
	180	\| \|
	181	------------------------------------------------------------------
	182	\| Association Established \|
	183	------------------------------------------------------------------
	184
	185
d61330c6 KC	186	SCTP SELinux Support
	187	====================
	188
	189	Security Hooks
	190	--------------
	191
	192	The `SCTP LSM Support`_ chapter above describes the following SCTP security
	193	hooks with the SELinux specifics expanded below::
	194
	195	security_sctp_assoc_request()
	196	security_sctp_bind_connect()
	197	security_sctp_sk_clone()
	198	security_inet_conn_established()
	199
	200
	201	security_sctp_assoc_request()
	202	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	203	Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
	204	security module. Returns 0 on success, error on failure.
	205	::
	206
	207	@ep - pointer to sctp endpoint structure.
	208	@skb - pointer to skbuff of association packet.
	209
	210	The security module performs the following operations:
	211	IF this is the first association on ``@ep->base.sk``, then set the peer
	212	sid to that in ``@skb``. This will ensure there is only one peer sid
	213	assigned to ``@ep->base.sk`` that may support multiple associations.
	214
	215	ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
	216	to determine whether the association should be allowed or denied.
	217
	218	Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
	219	MLS portion taken from ``@skb peer sid``. This will be used by SCTP
	220	TCP style sockets and peeled off connections as they cause a new socket
	221	to be generated.
	222
	223	If IP security options are configured (CIPSO/CALIPSO), then the ip
	224	options are set on the socket.
	225
	226
	227	security_sctp_bind_connect()
	228	~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	229	Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
	230	as follows::
	231
	232	------------------------------------------------------------------
	233	\| BIND Permission Checks \|
	234	\| @optname \| @address contains \|
	235	\|----------------------------\|-----------------------------------\|
	236	\| SCTP_SOCKOPT_BINDX_ADD \| One or more ipv4 / ipv6 addresses \|
	237	\| SCTP_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	238	\| SCTP_SET_PEER_PRIMARY_ADDR \| Single ipv4 or ipv6 address \|
	239	------------------------------------------------------------------
	240
	241	------------------------------------------------------------------
	242	\| CONNECT Permission Checks \|
	243	\| @optname \| @address contains \|
	244	\|----------------------------\|-----------------------------------\|
	245	\| SCTP_SOCKOPT_CONNECTX \| One or more ipv4 / ipv6 addresses \|
	246	\| SCTP_PARAM_ADD_IP \| One or more ipv4 / ipv6 addresses \|
	247	\| SCTP_SENDMSG_CONNECT \| Single ipv4 or ipv6 address \|
	248	\| SCTP_PARAM_SET_PRIMARY \| Single ipv4 or ipv6 address \|
	249	------------------------------------------------------------------
250
251
252	`SCTP LSM Support`_ gives a summary of the ``@optname``
253	entries and also describes ASCONF chunk processing when Dynamic Address
254	Reconfiguration is enabled.
255
256
257	security_sctp_sk_clone()
258	~~~~~~~~~~~~~~~~~~~~~~~~
259	Called whenever a new socket is created by accept\(2) (i.e. a TCP style
260	socket) or when a socket is 'peeled off' e.g userspace calls
261	sctp_peeloff\(3). ``security_sctp_sk_clone()`` will set the new
262	sockets sid and peer sid to that contained in the ``@ep sid`` and
263	``@ep peer sid`` respectively.
264	::
265
266	@ep - pointer to current sctp endpoint structure.
267	@sk - pointer to current sock structure.
268	@sk - pointer to new sock structure.
269
270
271	security_inet_conn_established()
272	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
273	Called when a COOKIE ACK is received where it sets the connection's peer sid
274	to that in ``@skb``::
275
276	@sk - pointer to sock structure.
277	@skb - pointer to skbuff of the COOKIE ACK packet.
278
279
280	Policy Statements
281	-----------------
282	The following class and permissions to support SCTP are available within the
283	kernel::
284
285	class sctp_socket inherits socket { node_bind }
286
287	whenever the following policy capability is enabled::
288
289	policycap extended_socket_class;
290
291	SELinux SCTP support adds the ``name_connect`` permission for connecting
292	to a specific port type and the ``association`` permission that is explained
293	in the section below.
294
295	If userspace tools have been updated, SCTP will support the ``portcon``
296	statement as shown in the following example::
297
298	portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
299
300
301	SCTP Peer Labeling
302	------------------
303	An SCTP socket will only have one peer label assigned to it. This will be
304	assigned during the establishment of the first association. Any further
305	associations on this socket will have their packet peer label compared to
306	the sockets peer label, and only if they are different will the
307	``association`` permission be validated. This is validated by checking the
308	socket peer sid against the received packets peer sid to determine whether
309	the association should be allowed or denied.
310
311	NOTES:
312	1) If peer labeling is not enabled, then the peer context will always be
313	``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
314
315	2) As SCTP can support more than one transport address per endpoint
316	(multi-homing) on a single socket, it is possible to configure policy
317	and NetLabel to provide different peer labels for each of these. As the
318	socket peer label is determined by the first associations transport
319	address, it is recommended that all peer labels are consistent.
320
321	3) getpeercon\(3) may be used by userspace to retrieve the sockets peer
322	context.
323
324	4) While not SCTP specific, be aware when using NetLabel that if a label
325	is assigned to a specific interface, and that interface 'goes down',
326	then the NetLabel service will remove the entry. Therefore ensure that
327	the network startup scripts call netlabelctl\(8) to set the required
328	label (see netlabel-config\(8) helper script for details).
329
330	5) The NetLabel SCTP peer labeling rules apply as discussed in the following
93431e06	331	set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.
d61330c6 KC	332
	333	6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
	334	CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``
	335
	336	Note the following when testing CIPSO/CALIPSO:
	337	a) CIPSO will send an ICMP packet if an SCTP packet cannot be
	338	delivered because of an invalid label.
	339	b) CALIPSO does not send an ICMP packet, just silently discards it.
	340
	341	7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
	342	implemented in userspace (racoon\(8) or ipsec_pluto\(8)),
	343	although the kernel supports SCTP/IPSEC.