[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171031164153.GC3675@localhost.localdomain>
Date: Tue, 31 Oct 2017 14:41:53 -0200
From: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>
To: Richard Haines <richard_c_haines@...nternet.com>
Cc: selinux@...ho.nsa.gov, netdev@...r.kernel.org,
linux-sctp@...r.kernel.org, linux-security-module@...r.kernel.org,
paul@...l-moore.com, vyasevich@...il.com, nhorman@...driver.com,
sds@...ho.nsa.gov, eparis@...isplace.org
Subject: Re: [RFC PATCH 1/5] security: Add support for SCTP security hooks
On Tue, Oct 17, 2017 at 03:02:47PM +0100, Richard Haines wrote:
> The SCTP security hooks are explained in:
> Documentation/security/LSM-sctp.txt
>
> Signed-off-by: Richard Haines <richard_c_haines@...nternet.com>
> ---
> Documentation/security/LSM-sctp.txt | 212 ++++++++++++++++++++++++++++++++++++
> include/linux/lsm_hooks.h | 37 +++++++
> include/linux/security.h | 27 +++++
> security/security.c | 23 ++++
> 4 files changed, 299 insertions(+)
> create mode 100644 Documentation/security/LSM-sctp.txt
>
> diff --git a/Documentation/security/LSM-sctp.txt b/Documentation/security/LSM-sctp.txt
> new file mode 100644
> index 0000000..30fe9b5
> --- /dev/null
> +++ b/Documentation/security/LSM-sctp.txt
> @@ -0,0 +1,212 @@
> + SCTP LSM Support
> + ==================
> +
> +For security module support, three sctp specific hooks have been implemented:
> + security_sctp_assoc_request()
> + security_sctp_bind_connect()
> + security_sctp_sk_clone()
> +
> +Also the following security hook has been utilised:
> + security_inet_conn_established()
> +
> +The usage of these hooks are described below with the SELinux implementation
> +described in Documentation/security/SELinux-sctp.txt
> +
> +
> +security_sctp_assoc_request()
> +------------------------------
> +This new hook has been added to net/sctp/sm_statefuns.c where it passes the
> +@ep and @chunk->skb (the association INIT or INIT ACK packet) to the security
> +module. Returns 0 on success, error on failure.
> +
> + @ep - pointer to sctp endpoint structure.
> + @skb - pointer to skbuff of association packet.
> + @sctp_cid - set to sctp packet type (SCTP_CID_INIT or SCTP_CID_INIT_ACK).
> +
> +The security module performs the following operations:
> + 1) If this is the first association on @ep->base.sk, then set the peer sid
> + to that in @skb. This will ensure there is only one peer sid assigned
> + to @ep->base.sk that may support multiple associations.
> +
> + 2) If not the first association, validate the @ep->base.sk peer_sid against
> + the @skb peer sid to determine whether the association should be allowed
> + or denied.
> +
> + 3) If @sctp_cid = SCTP_CID_INIT, then set the sctp @ep sid to socket's sid
> + (from ep->base.sk) with MLS portion taken from @skb peer sid. This will
> + only be used by SCTP TCP style sockets and peeled off connections as they
> + cause a new socket to be generated.
> +
> + If IP security options are configured (CIPSO/CALIPSO), then the ip options
> + are set on the socket.
> +
> + To support this hook include/net/sctp/structs.h "struct sctp_endpoint"
> + has been updated with the following:
> +
> + /* Security identifiers from incoming (INIT). These are set by
> + * security_sctp_assoc_request(). These will only be used by
> + * SCTP TCP type sockets and peeled off connections as they
> + * cause a new socket to be generated. security_sctp_sk_clone()
> + * will then plug these into the new socket.
> + */
> + u32 secid;
> + u32 peer_secid;
> +
> +
> +security_sctp_bind_connect()
> +-----------------------------
> +This new hook has been added to net/sctp/socket.c and net/sctp/sm_make_chunk.c.
> +It passes one or more ipv4/ipv6 addresses to the security module for
> +validation based on the @optname that will result in either a bind or connect
> +service as shown in the permission check tables below.
> +Returns 0 on success, error on failure.
> +
> + @sk - Pointer to sock structure.
> + @optname - Name of the option to validate.
> + @address - One or more ipv4 / ipv6 addresses.
> + @addrlen - The total length of address(s). This is calculated on each
> + ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
> + sizeof(struct sockaddr_in6).
> +
> + ------------------------------------------------------------------
> + | BIND Type Checks |
> + | @optname | @address contains |
> + |----------------------------|-----------------------------------|
> + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
> + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address |
> + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address |
> + ------------------------------------------------------------------
> +
> + ------------------------------------------------------------------
> + | CONNECT Type Checks |
> + | @optname | @address contains |
> + |----------------------------|-----------------------------------|
> + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses |
> + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses |
> + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address |
> + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address |
> + ------------------------------------------------------------------
> +
> +A summary of the @optname entries is as follows:
> +
> + SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
> + associated after (optionally) calling
> + bind(3).
> + sctp_bindx(3) adds a set of bind
> + addresses on a socket.
Nit, indentation issue above.
Powered by blists - more mailing lists