Re: [PATCH V5 4/4] selinux: Add SCTP support
On Thu, Jan 11, 2018 at 11:31:06AM +0000, Richard Haines wrote:
> The SELinux SCTP implementation is explained in:
> Documentation/security/SELinux-sctp.rst
>
> Signed-off-by: Richard Haines
> ---
> V5 Change: Rework selinux_netlbl_socket_connect() and
> selinux_netlbl_socket_connect_locked as requested by Paul.
>
>  Documentation/security/SELinux-sctp.rst | 157 ++
>  security/selinux/hooks.c                | 280 +---
>  security/selinux/include/classmap.h     |   2 +-
>  security/selinux/include/netlabel.h     |  21 ++-
>  security/selinux/include/objsec.h       |   4 +
>  security/selinux/netlabel.c             | 133 +--
>  6 files changed, 565 insertions(+), 32 deletions(-)
>  create mode 100644 Documentation/security/SELinux-sctp.rst
>
> diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
> new file mode 100644
> index 000..2f66bf3
> --- /dev/null
> +++ b/Documentation/security/SELinux-sctp.rst
> @@ -0,0 +1,157 @@ > +SCTP SELinux Support > += > + > +Security Hooks > +=== > + > +``Documentation/security/LSM-sctp.rst`` describes the following SCTP security > +hooks with the SELinux specifics expanded below:: > + > +security_sctp_assoc_request() > +security_sctp_bind_connect() > +security_sctp_sk_clone() > +security_inet_conn_established() > + > + > +security_sctp_assoc_request() > +- > +Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the > +security module. Returns 0 on success, error on failure. > +:: > + > +@ep - pointer to sctp endpoint structure. > +@skb - pointer to skbuff of association packet. > + > +The security module performs the following operations: > + IF this is the first association on ``@ep->base.sk``, then set the peer > + sid to that in ``@skb``. This will ensure there is only one peer sid > + assigned to ``@ep->base.sk`` that may support multiple associations. > + > + ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer > sid`` > + to determine whether the association should be allowed or denied. > + > + Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with > + MLS portion taken from ``@skb peer sid``. This will be used by SCTP > + TCP style sockets and peeled off connections as they cause a new socket > + to be generated. > + > + If IP security options are configured (CIPSO/CALIPSO), then the ip > + options are set on the socket. 
> + > + > +security_sctp_bind_connect() > +- > +Checks permissions required for ipv4/ipv6 addresses based on the ``@optname`` > +as follows:: > + > + -- > + | BIND Permission Checks | > + | @optname | @address contains | > + ||---| > + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | > + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | > + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | > + -- > + > + -- > + | CONNECT Permission Checks | > + | @optname | @address contains | > + ||---| > + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | > + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | > + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | > + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | > + -- > + > + > +``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname`` > +entries and also describes ASCONF chunk processing when Dynamic Address > +Reconfiguration is enabled. > + > + > +security_sctp_sk_clone() > +- > +Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style > +socket) or when a socket is 'peeled off' e.g userspace calls > +**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new > +sockets sid and peer sid to that contained in the ``@ep sid`` and > +``@ep peer sid`` respectively. > +:: > + > +@ep - pointer to current sctp endpoint structure. > +@sk - pointer to current sock structure. > +@sk - pointer to new sock structure. > + > + > +security_inet_conn_established() > +- > +Called when a COOKIE ACK is received where it sets the connection's peer sid > +to that in ``@skb``:: > + > +@sk - pointer to sock structure. > +
Re: [PATCH V5 4/4] selinux: Add SCTP support
On Thu, Jan 11, 2018 at 6:31 AM, Richard Haines wrote:
> The SELinux SCTP implementation is explained in:
> Documentation/security/SELinux-sctp.rst
>
> Signed-off-by: Richard Haines
> ---
> V5 Change: Rework selinux_netlbl_socket_connect() and
> selinux_netlbl_socket_connect_locked as requested by Paul.
>
>  Documentation/security/SELinux-sctp.rst | 157 ++
>  security/selinux/hooks.c                | 280 +---
>  security/selinux/include/classmap.h     |   2 +-
>  security/selinux/include/netlabel.h     |  21 ++-
>  security/selinux/include/objsec.h       |   4 +
>  security/selinux/netlabel.c             | 133 +--
>  6 files changed, 565 insertions(+), 32 deletions(-)
>  create mode 100644 Documentation/security/SELinux-sctp.rst

Thanks for the tweak. Assuming no objections from the SCTP folks, or anyone else for that matter, I'll merge this after the upcoming merge window closes.

> diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
> new file mode 100644
> index 000..2f66bf3
> --- /dev/null
> +++ b/Documentation/security/SELinux-sctp.rst
> @@ -0,0 +1,157 @@ > +SCTP SELinux Support > += > + > +Security Hooks > +=== > + > +``Documentation/security/LSM-sctp.rst`` describes the following SCTP security > +hooks with the SELinux specifics expanded below:: > + > +security_sctp_assoc_request() > +security_sctp_bind_connect() > +security_sctp_sk_clone() > +security_inet_conn_established() > + > + > +security_sctp_assoc_request() > +- > +Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the > +security module. Returns 0 on success, error on failure. > +:: > + > +@ep - pointer to sctp endpoint structure. > +@skb - pointer to skbuff of association packet. > + > +The security module performs the following operations: > + IF this is the first association on ``@ep->base.sk``, then set the peer > + sid to that in ``@skb``. This will ensure there is only one peer sid > + assigned to ``@ep->base.sk`` that may support multiple associations. > + > + ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer > sid`` > + to determine whether the association should be allowed or denied. > + > + Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with > + MLS portion taken from ``@skb peer sid``. This will be used by SCTP > + TCP style sockets and peeled off connections as they cause a new socket > + to be generated. > + > + If IP security options are configured (CIPSO/CALIPSO), then the ip > + options are set on the socket. 
> + > + > +security_sctp_bind_connect() > +- > +Checks permissions required for ipv4/ipv6 addresses based on the ``@optname`` > +as follows:: > + > + -- > + | BIND Permission Checks | > + | @optname | @address contains | > + ||---| > + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | > + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | > + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | > + -- > + > + -- > + | CONNECT Permission Checks | > + | @optname | @address contains | > + ||---| > + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | > + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | > + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | > + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | > + -- > + > + > +``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname`` > +entries and also describes ASCONF chunk processing when Dynamic Address > +Reconfiguration is enabled. > + > + > +security_sctp_sk_clone() > +- > +Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style > +socket) or when a socket is 'peeled off' e.g userspace calls > +**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new > +sockets sid and peer sid to that contained in the ``@ep sid`` and > +``@ep peer sid`` respectively. > +:: > + > +@ep - pointer to current sctp endpoint structure. > +@sk - pointer to current sock structure. > +@sk - pointer to new sock structure. > + > + > +security_inet_conn_established() >
[PATCH V5 4/4] selinux: Add SCTP support
The SELinux SCTP implementation is explained in:
Documentation/security/SELinux-sctp.rst

Signed-off-by: Richard Haines
---
V5 Change: Rework selinux_netlbl_socket_connect() and
selinux_netlbl_socket_connect_locked as requested by Paul.

 Documentation/security/SELinux-sctp.rst | 157 ++
 security/selinux/hooks.c                | 280 +---
 security/selinux/include/classmap.h     |   2 +-
 security/selinux/include/netlabel.h     |  21 ++-
 security/selinux/include/objsec.h       |   4 +
 security/selinux/netlabel.c             | 133 +--
 6 files changed, 565 insertions(+), 32 deletions(-)
 create mode 100644 Documentation/security/SELinux-sctp.rst

diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
new file mode 100644
index 000..2f66bf3
--- /dev/null
+++ b/Documentation/security/SELinux-sctp.rst
@@ -0,0 +1,157 @@ +SCTP SELinux Support += + +Security Hooks +=== + +``Documentation/security/LSM-sctp.rst`` describes the following SCTP security +hooks with the SELinux specifics expanded below:: + +security_sctp_assoc_request() +security_sctp_bind_connect() +security_sctp_sk_clone() +security_inet_conn_established() + + +security_sctp_assoc_request() +- +Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the +security module. Returns 0 on success, error on failure. +:: + +@ep - pointer to sctp endpoint structure. +@skb - pointer to skbuff of association packet. + +The security module performs the following operations: + IF this is the first association on ``@ep->base.sk``, then set the peer + sid to that in ``@skb``. This will ensure there is only one peer sid + assigned to ``@ep->base.sk`` that may support multiple associations. + + ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid`` + to determine whether the association should be allowed or denied. + + Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with + MLS portion taken from ``@skb peer sid``. This will be used by SCTP + TCP style sockets and peeled off connections as they cause a new socket + to be generated. + + If IP security options are configured (CIPSO/CALIPSO), then the ip + options are set on the socket. 
+ + +security_sctp_bind_connect() +- +Checks permissions required for ipv4/ipv6 addresses based on the ``@optname`` +as follows:: + + -- + | BIND Permission Checks | + | @optname | @address contains | + ||---| + | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | + | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | + | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | + -- + + -- + | CONNECT Permission Checks | + | @optname | @address contains | + ||---| + | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | + | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | + | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | + | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | + -- + + +``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname`` +entries and also describes ASCONF chunk processing when Dynamic Address +Reconfiguration is enabled. + + +security_sctp_sk_clone() +- +Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style +socket) or when a socket is 'peeled off' e.g userspace calls +**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new +sockets sid and peer sid to that contained in the ``@ep sid`` and +``@ep peer sid`` respectively. +:: + +@ep - pointer to current sctp endpoint structure. +@sk - pointer to current sock structure. +@sk - pointer to new sock structure. + + +security_inet_conn_established() +- +Called when a COOKIE ACK is received where it sets the connection's peer sid +to that in ``@skb``:: + +@sk - pointer to sock structure. +@skb - pointer to skbuff of the COOKIE ACK packet. + + +Policy Statements +== +The following class and permissions to support SCTP are available within the +kernel:: + +class sctp_socket inherits socket { node_bind } + +whenever the following policy capability is enabled:: + +
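Review bot: the parameter block under security_sctp_sk_clone() in this hunk lists `@sk` twice ("pointer to current sock structure" and "pointer to new sock structure"), so the new socket has no distinct name and a reader cannot tell which socket receives the sid and peer sid copied from `@ep`; give the second entry its own name (the hook passes the new socket as `@newsk`) and refer to that name in the paragraph above it. In the same hunk, security_sctp_assoc_request() says it passes `@chunk->skb` but then documents the parameter as `@skb`; use one name in both places so the parameter list matches the description.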