SCTP LSM Support
================

For security module support, three SCTP specific hooks have been implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()

Also the following security hook has been utilised::

    security_inet_conn_established()

The usage of these hooks is described below, with the SELinux implementation
described in ``Documentation/security/SELinux-sctp.rst``.


security_sctp_assoc_request()
-----------------------------
Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @ep  - pointer to sctp endpoint structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
-----------------------------
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

     ------------------------------------------------------------------
    |                     BIND Type Checks                             |
    |       @optname             |         @address contains           |
    |----------------------------|-----------------------------------|
    | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
    | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
    | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
     ------------------------------------------------------------------

     ------------------------------------------------------------------
    |                   CONNECT Type Checks                            |
    |       @optname             |         @address contains           |
    |----------------------------|-----------------------------------|
    | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
    | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
    | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
    | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
     ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT - Initiate a connection that is generated by a
                           sendmsg(2) or sctp_sendmsg(3) on a new association.

    SCTP_PRIMARY_ADDR - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP      - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY - Reconfiguration is enabled as explained below.


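The address walk that ``@address``/``@addrlen`` imply, together with the BIND and CONNECT tables above, as an added user-space model (example code written for this page, not the kernel's hook or any LSM's implementation). It assumes placeholder numeric values for the ``@optname`` names, its own ``CHECK_BIND``/``CHECK_CONNECT`` result codes, and ``sctp_bind_connect_model()``/``demo_bind_connect()`` as hypothetical helpers; the sample address buffer is constructed inline.

```c
#include <errno.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Stand-ins for the @optname names in the tables above; the numeric values
 * are placeholders for this model, not the kernel's constants. */
enum { SCTP_SOCKOPT_BINDX_ADD = 1, SCTP_PRIMARY_ADDR, SCTP_SET_PEER_PRIMARY_ADDR,
       SCTP_SOCKOPT_CONNECTX, SCTP_PARAM_ADD_IP, SCTP_SENDMSG_CONNECT,
       SCTP_PARAM_SET_PRIMARY };
enum { CHECK_BIND = 1, CHECK_CONNECT };
/* The BIND / CONNECT tables above as data: the check for each @optname and
 * whether @address must carry exactly one record (single = 1). */
static const struct { int optname, type, single; } optmap[] = {
    { SCTP_SOCKOPT_BINDX_ADD, CHECK_BIND, 0 }, { SCTP_PRIMARY_ADDR, CHECK_BIND, 1 },
    { SCTP_SET_PEER_PRIMARY_ADDR, CHECK_BIND, 1 }, { SCTP_SOCKOPT_CONNECTX, CHECK_CONNECT, 0 },
    { SCTP_PARAM_ADD_IP, CHECK_CONNECT, 0 }, { SCTP_SENDMSG_CONNECT, CHECK_CONNECT, 1 },
    { SCTP_PARAM_SET_PRIMARY, CHECK_CONNECT, 1 },
};

/* Walk @address (@addrlen bytes of packed sockaddr_in / sockaddr_in6 records) by
 * family-specific size; fail closed with -errno, else return the check type. */
int sctp_bind_connect_model(int optname, const void *address, int addrlen)
{
    const char *p = address, *end = p + addrlen;
    size_t i, len, naddr = 0;
    for (i = 0; i < sizeof optmap / sizeof *optmap; i++)
        if (optmap[i].optname == optname) break;
    if (i == sizeof optmap / sizeof *optmap) return -EOPNOTSUPP;
    while (p < end) {
        if ((size_t)(end - p) < sizeof(struct sockaddr_in)) return -EINVAL;
        sa_family_t fam = ((const struct sockaddr *)p)->sa_family;
        len = fam == AF_INET ? sizeof(struct sockaddr_in)
            : fam == AF_INET6 ? sizeof(struct sockaddr_in6) : 0;
        if (len == 0) return -EAFNOSUPPORT;
        if ((size_t)(end - p) < len) return -EINVAL;   /* truncated record */
        p += len; naddr++;
    }
    if (naddr == 0 || (optmap[i].single && naddr != 1)) return -EINVAL;
    return optmap[i].type;
}

/* Constructed sample: a zeroed IPv4 record directly followed by an IPv6 record
 * (no padding between them); @addrlen presents all of it or only a prefix. */
int demo_bind_connect(int optname, int addrlen)
{
    struct { struct sockaddr_in v4; struct sockaddr_in6 v6; } buf =
        { { .sin_family = AF_INET }, { .sin6_family = AF_INET6 } };
    if (addrlen < 0 || (size_t)addrlen > sizeof buf) return -EINVAL;
    return sctp_bind_connect_model(optname, &buf, addrlen);
}
```

A record that announces AF_INET6 but is cut short by ``@addrlen`` is rejected rather than read past its end, which is the property a module walking caller-supplied address lists has to preserve.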
To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following ``*_PARAM_*``'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

    @optname                      ASCONF Parameter
    ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     -> SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR -> SCTP_PARAM_SET_PRIMARY


security_sctp_sk_clone()
-------------------------
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off', e.g. userspace
calls **sctp_peeloff**\(3).
::

    @ep    - pointer to current sctp endpoint structure.
    @sk    - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_inet_conn_established()
---------------------------------
Called when a COOKIE ACK is received::

    @sk  - pointer to sock structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
=================================================
The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_inet_conn_established()`` when
establishing an association.
::

      SCTP endpoint "A"                              SCTP endpoint "Z"
      =================                              =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
         <----------------------------------------------- INIT ACK
         |                                           ELSE audit event and silently
         |                                           discard the packet.
         |
    COOKIE ECHO ------------------------------------------>
                                                           |
                                                           |
                                                           |
         <------------------------------------------- COOKIE ACK
         |                                                 |
    sctp_sf_do_5_1E_ca                                     |
 Call security_inet_conn_established()                     |
 to set the peer label.                                    |
         |                                                 |
         |                               If SCTP_SOCKET_TCP or peeled off
         |                               socket security_sctp_sk_clone() is
         |                               called to clone the new socket.
         |                                                 |
     ESTABLISHED                                    ESTABLISHED
         |                                                 |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------
