[RFC PATCH 1/5] security: Add support for SCTP security hooks
Richard Haines
richard_c_haines at btinternet.com
Wed Nov 1 21:38:23 UTC 2017
On Tue, 2017-10-31 at 14:41 -0200, Marcelo Ricardo Leitner wrote:
> On Tue, Oct 17, 2017 at 03:02:47PM +0100, Richard Haines wrote:
> > The SCTP security hooks are explained in:
> > Documentation/security/LSM-sctp.txt
> >
> > Signed-off-by: Richard Haines <richard_c_haines at btinternet.com>
> > ---
> > Documentation/security/LSM-sctp.txt | 212
> > ++++++++++++++++++++++++++++++++++++
> > include/linux/lsm_hooks.h | 37 +++++++
> > include/linux/security.h | 27 +++++
> > security/security.c | 23 ++++
> > 4 files changed, 299 insertions(+)
> > create mode 100644 Documentation/security/LSM-sctp.txt
> >
> > diff --git a/Documentation/security/LSM-sctp.txt
> > b/Documentation/security/LSM-sctp.txt
> > new file mode 100644
> > index 0000000..30fe9b5
> > --- /dev/null
> > +++ b/Documentation/security/LSM-sctp.txt
> > @@ -0,0 +1,212 @@
> > + SCTP LSM Support
> > + ==================
> > +
> > +For security module support, three sctp specific hooks have been
> > implemented:
> > + security_sctp_assoc_request()
> > + security_sctp_bind_connect()
> > + security_sctp_sk_clone()
> > +
> > +Also the following security hook has been utilised:
> > + security_inet_conn_established()
> > +
> > +The usage of these hooks are described below with the SELinux
> > implementation
> > +described in Documentation/security/SELinux-sctp.txt
> > +
> > +
> > +security_sctp_assoc_request()
> > +------------------------------
> > +This new hook has been added to net/sctp/sm_statefuns.c where it
> > passes the
> > + at ep and @chunk->skb (the association INIT or INIT ACK packet) to
> > the security
> > +module. Returns 0 on success, error on failure.
> > +
> > + @ep - pointer to sctp endpoint structure.
> > + @skb - pointer to skbuff of association packet.
> > + @sctp_cid - set to sctp packet type (SCTP_CID_INIT or
> > SCTP_CID_INIT_ACK).
> > +
> > +The security module performs the following operations:
> > + 1) If this is the first association on @ep->base.sk, then set
> > the peer sid
> > + to that in @skb. This will ensure there is only one peer sid
> > assigned
> > + to @ep->base.sk that may support multiple associations.
> > +
> > + 2) If not the first association, validate the @ep->base.sk
> > peer_sid against
> > + the @skb peer sid to determine whether the association should
> > be allowed
> > + or denied.
> > +
> > + 3) If @sctp_cid = SCTP_CID_INIT, then set the sctp @ep sid to
> > socket's sid
> > + (from ep->base.sk) with MLS portion taken from @skb peer sid.
> > This will
> > + only be used by SCTP TCP style sockets and peeled off
> > connections as they
> > + cause a new socket to be generated.
> > +
> > + If IP security options are configured (CIPSO/CALIPSO), then
> > the ip options
> > + are set on the socket.
> > +
> > + To support this hook include/net/sctp/structs.h "struct
> > sctp_endpoint"
> > + has been updated with the following:
> > +
> > + /* Security identifiers from incoming (INIT). These are
> > set by
> > + * security_sctp_assoc_request(). These will only be used
> > by
> > + * SCTP TCP type sockets and peeled off connections as
> > they
> > + * cause a new socket to be generated.
> > security_sctp_sk_clone()
> > + * will then plug these into the new socket.
> > + */
> > + u32 secid;
> > + u32 peer_secid;
> > +
> > +
> > +security_sctp_bind_connect()
> > +-----------------------------
> > +This new hook has been added to net/sctp/socket.c and
> > net/sctp/sm_make_chunk.c.
> > +It passes one or more ipv4/ipv6 addresses to the security module
> > for
> > +validation based on the @optname that will result in either a bind
> > or connect
> > +service as shown in the permission check tables below.
> > +Returns 0 on success, error on failure.
> > +
> > + @sk - Pointer to sock structure.
> > + @optname - Name of the option to validate.
> > + @address - One or more ipv4 / ipv6 addresses.
> > + @addrlen - The total length of address(s). This is calculated
> > on each
> > + ipv4 or ipv6 address using sizeof(struct
> > sockaddr_in) or
> > + sizeof(struct sockaddr_in6).
> > +
> > + --------------------------------------------------------------
> > ----
> > + | BIND Type
> > Checks |
> > + | @optname | @address
> > contains |
> > + |----------------------------|--------------------------------
> > ---|
> > + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses
> > |
> > + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6
> > address |
> > + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6
> > address |
> > + --------------------------------------------------------------
> > ----
> > +
> > + --------------------------------------------------------------
> > ----
> > + | CONNECT Type
> > Checks |
> > + | @optname | @address
> > contains |
> > + |----------------------------|--------------------------------
> > ---|
> > + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses
> > |
> > + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses
> > |
> > + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6
> > address |
> > + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6
> > address |
> > + --------------------------------------------------------------
> > ----
> > +
> > +A summary of the @optname entries is as follows:
> > +
> > + SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to
> > be
> > + associated after (optionally) calling
> > + bind(3).
> > + sctp_bindx(3) adds a set of bind
> > + addresses on a socket.
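Review bot: the security_sctp_assoc_request() section leaves the denial path undocumented. It says the hook "Returns 0 on success, error on failure" and step 2 says a non-first association is "allowed or denied", but nowhere does the file state which errno a module is expected to return or what the caller in net/sctp/sm_statefuns.c does with a non-zero return; please add that. In the same section, @sctp_cid is documented as taking SCTP_CID_INIT or SCTP_CID_INIT_ACK, yet step 3 only describes the SCTP_CID_INIT case, so say explicitly what happens to @ep->secid and @ep->peer_secid on an INIT ACK. In the security_sctp_bind_connect() section, the @addrlen text ("calculated on each ipv4 or ipv6 address using sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6)") implies @address is a packed array of mixed-size entries; state that a module must walk it by sa_family rather than by a fixed stride, since the "One or more ipv4 / ipv6 addresses" rows in both tables depend on that. Minor wording: "The usage of these hooks are described" should read "is described", and "address(s)" should be "address(es)".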
>
> Nit, indentation issue above.
The nit has been squashed
Thanks for all your comments
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html