cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

SCTP.rst (14729B)


.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, the following SCTP-specific hooks have been
implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_sctp_assoc_established()

The usage of these hooks is described below, with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                            sendmsg(2) or sctp_sendmsg(3) on a new association.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.


To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following ``SCTP_PARAM_*`` parameters are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY
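The ``@address``/``@addrlen`` walk that any ``security_sctp_bind_connect()`` implementation has to perform, as an added userspace model (not code from this tree): ``struct sockaddr_in`` and ``struct sockaddr_in6`` records are packed back to back, each record's size follows from its ``sa_family``, and a record that runs past ``@addrlen`` or carries an unsupported family must be rejected before anything past it is read. ``walk_sctp_addrs()`` and ``walk_sample()`` are hypothetical names, and the sample addresses, the ``cut`` length and the ``family`` override are constructed for the demonstration.

```c
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Walk the packed @address list of @addrlen bytes. Each record's size
 * follows from its sa_family, so the walk bounds-checks before reading
 * every record. Returns the number of addresses, or -1 if the list is
 * malformed (truncated record or unsupported family). */
int walk_sctp_addrs(const void *address, size_t addrlen)
{
    const unsigned char *p = address;
    size_t left = addrlen, len;
    sa_family_t family;
    int count = 0;

    while (left > 0) {
        if (left < sizeof(family))
            return -1;                     /* not even a family field left */
        memcpy(&family, p, sizeof(family));
        if (family == AF_INET)
            len = sizeof(struct sockaddr_in);
        else if (family == AF_INET6)
            len = sizeof(struct sockaddr_in6);
        else
            return -1;                     /* unknown family: reject it */
        if (len > left)
            return -1;                     /* record runs past @addrlen */
        p += len;
        left -= len;
        count++;
    }
    return count;
}

/* Constructed sample: one IPv4 and one IPv6 address packed back to back,
 * the layout sctp_bindx(3)/sctp_connectx(3) hand to the kernel. The walk
 * runs with @addrlen shortened by 'cut' bytes (an inconsistent length);
 * 'family' overrides the second record's family (AF_UNSPEC keeps it). */
int walk_sample(size_t cut, sa_family_t family)
{
    unsigned char buf[sizeof(struct sockaddr_in) + sizeof(struct sockaddr_in6)];
    struct sockaddr_in v4 = { .sin_family = AF_INET, .sin_port = htons(5000),
                              .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in6 v6 = { .sin6_family = AF_INET6, .sin6_port = htons(5000),
                               .sin6_addr = IN6ADDR_LOOPBACK_INIT };

    if (family != AF_UNSPEC)
        v6.sin6_family = family;
    memcpy(buf, &v4, sizeof(v4));
    memcpy(buf + sizeof(v4), &v6, sizeof(v6));
    return cut > sizeof(buf) ? -1 : walk_sctp_addrs(buf, sizeof(buf) - cut);
}
```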


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off', e.g. when userspace
calls **sctp_peeloff**\(3).
::

    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_sctp_assoc_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called on the client when a COOKIE ACK is received; the peer secid is
saved into ``@asoc->peer_secid``::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------

The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()`` and ``security_sctp_assoc_established()``
when establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is asking
                                             for a temporary association.
                                             Call security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                  sctp_sf_do_5_1D_ce()
                                             Respond to a COOKIE ECHO chunk.
                                             Confirm the cookie and create a
                                             permanent association.
                                             Call security_sctp_assoc_request() to
                                             do the same as for INIT chunk Response.
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca()                                  |
 Call security_sctp_assoc_established()                   |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------


SCTP SELinux Support
====================

Security Hooks
--------------

The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_sctp_assoc_established()


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@asoc->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@asoc->base.sk`` that may support multiple associations.

     ELSE validate the ``@asoc->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@asoc sid`` to the socket's sid (from ``asoc->base.sk``) with
     the MLS portion taken from the ``@skb peer sid``. This will be used by SCTP
     TCP style sockets and peeled off connections as they cause a new socket
     to be generated.

     If IP security options are configured (CIPSO/CALIPSO), then the ip
     options are set on the socket.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
as follows::

  ------------------------------------------------------------------
  |                   BIND Permission Checks                       |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                 CONNECT Permission Checks                      |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------


`SCTP LSM Support`_ gives a summary of the ``@optname``
entries and also describes ASCONF chunk processing when Dynamic Address
Reconfiguration is enabled.


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off', e.g. when userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
socket's sid and peer sid to those contained in the ``@asoc sid`` and
``@asoc peer sid`` respectively.
::

    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_sctp_assoc_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received; it sets the connection's peer sid
to that in ``@skb``::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Policy Statements
-----------------
The following class and permissions to support SCTP are available within the
kernel::

    class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled::

    policycap extended_socket_class;

SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.

If userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::

    portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0


SCTP Peer Labeling
------------------
An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the socket's peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packet's peer sid to determine whether
the association should be allowed or denied.
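The peer-labeling decisions described for the SELinux ``security_sctp_assoc_request()`` above and in this section, as an added model in C (not the kernel's SELinux code): a sid is reduced to a type part and an MLS part, the ``association`` permission check is a caller-supplied stand-in for the policy lookup, and ``struct sid`` and the ``model_*`` names are hypothetical. It also models ``security_sctp_sk_clone()`` so that the labels of an accepted or peeled-off socket can be traced back to the association rather than to the listening socket.

```c
#include <errno.h>

/* A security identifier reduced to the two parts the text distinguishes:
 * the type part and the MLS (sensitivity) part. Constructed model. */
struct sid { int type; int mls; };

struct model_sock { struct sid sid; struct sid peer_sid; int have_peer; };
struct model_asoc { struct sid sid; struct sid peer_sid; };

/* Stand-in for the 'association' permission lookup the real hook makes
 * through the SELinux AVC; here the caller supplies the rule. */
typedef int (*assoc_allowed_fn)(struct sid sock_peer, struct sid pkt_peer);

int sid_eq(struct sid a, struct sid b)
{
    return a.type == b.type && a.mls == b.mls;
}

/* Server side, on INIT or COOKIE ECHO: the steps listed above for the
 * SELinux security_sctp_assoc_request(). 'pkt_peer' is the peer sid taken
 * from @skb. Returns 0 to accept the association, -EACCES when the caller
 * should raise an audit event and silently discard the packet. */
int model_assoc_request(struct model_sock *sk, struct model_asoc *asoc,
                        struct sid pkt_peer, assoc_allowed_fn allowed)
{
    if (!sk->have_peer) {
        sk->peer_sid = pkt_peer;      /* first association fixes the socket's peer sid */
        sk->have_peer = 1;
    } else if (!sid_eq(sk->peer_sid, pkt_peer) &&
               !allowed(sk->peer_sid, pkt_peer)) {
        return -EACCES;               /* peer sid differs and policy denies it */
    }
    asoc->peer_sid = pkt_peer;        /* modelling assumption: asoc keeps @skb's peer sid */
    asoc->sid.type = sk->sid.type;    /* asoc sid = socket sid ...                        */
    asoc->sid.mls = pkt_peer.mls;     /* ... with the MLS portion taken from @skb         */
    return 0;
}

/* accept(2) / sctp_peeloff(3): security_sctp_sk_clone() labels the new
 * socket from the association's sid and peer sid, not from the parent. */
void model_sk_clone(const struct model_asoc *asoc, struct model_sock *newsk)
{
    newsk->sid = asoc->sid;
    newsk->peer_sid = asoc->peer_sid;
    newsk->have_peer = 1;
}

/* Constructed policy for the demonstration: association is allowed between
 * peers of the same type whatever their MLS levels. */
int allow_same_type(struct sid sock_peer, struct sid pkt_peer)
{
    return sock_peer.type == pkt_peer.type;
}
```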
    311
    312NOTES:
    313   1) If peer labeling is not enabled, then the peer context will always be
    314      ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
    315
    316   2) As SCTP can support more than one transport address per endpoint
    317      (multi-homing) on a single socket, it is possible to configure policy
    318      and NetLabel to provide different peer labels for each of these. As the
    319      socket peer label is determined by the first associations transport
    320      address, it is recommended that all peer labels are consistent.
    321
    322   3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
    323      context.
    324
    325   4) While not SCTP specific, be aware when using NetLabel that if a label
    326      is assigned to a specific interface, and that interface 'goes down',
    327      then the NetLabel service will remove the entry. Therefore ensure that
    328      the network startup scripts call **netlabelctl**\(8) to set the required
    329      label (see **netlabel-config**\(8) helper script for details).
    330
    331   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
    332      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.
    333
    334   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
    335      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``
    336
    337      Note the following when testing CIPSO/CALIPSO:
    338         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
    339            delivered because of an invalid label.
    340         b) CALIPSO does not send an ICMP packet, just silently discards it.
    341
    342   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
    343      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
    344      although the kernel supports SCTP/IPSEC.