Re: [PATCH V4 3/4] sctp: Add LSM hooks

2018-01-02 Thread Marcelo Ricardo Leitner 
On Sat, Dec 30, 2017 at 05:20:13PM +, Richard Haines wrote:
> Add security hooks to allow security modules to exercise access control
> over SCTP.
> 
> Signed-off-by: Richard Haines 

Acked-by: Marcelo Ricardo Leitner 

> ---
>  include/net/sctp/structs.h | 10 
>  include/uapi/linux/sctp.h  |  1 +
>  net/sctp/sm_make_chunk.c   | 12 +
>  net/sctp/sm_statefuns.c| 18 ++
>  net/sctp/socket.c  | 61 
> +-
>  5 files changed, 101 insertions(+), 1 deletion(-)
> 
> diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> index 9942ed5..2ca0a3f 100644
> --- a/include/net/sctp/structs.h
> +++ b/include/net/sctp/structs.h
> @@ -1271,6 +1271,16 @@ struct sctp_endpoint {
> reconf_enable:1;
>  
>   __u8  strreset_enable;
> +
> + /* Security identifiers from incoming (INIT). These are set by
> +  * security_sctp_assoc_request(). These will only be used by
> +  * SCTP TCP type sockets and peeled off connections as they
> +  * cause a new socket to be generated. security_sctp_sk_clone()
> +  * will then plug these into the new socket.
> +  */
> +
> + u32 secid;
> + u32 peer_secid;
>  };
>  
>  /* Recover the outter endpoint structure. */
> diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> index cfe9712..cafac36 100644
> --- a/include/uapi/linux/sctp.h
> +++ b/include/uapi/linux/sctp.h
> @@ -123,6 +123,7 @@ typedef __s32 sctp_assoc_t;
>  #define SCTP_RESET_ASSOC 120
>  #define SCTP_ADD_STREAMS 121
>  #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> +#define SCTP_SENDMSG_CONNECT 123
>  
>  /* PR-SCTP policies */
>  #define SCTP_PR_SCTP_NONE0x
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 514465b..269fd3d 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -3054,6 +3054,12 @@ static __be16 sctp_process_asconf_param(struct 
> sctp_association *asoc,
>   if (af->is_any())
>   memcpy(, >source, sizeof(addr));
>  
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> +SCTP_PARAM_ADD_IP,
> +(struct sockaddr *),
> +af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
>   /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
>* request and does not have the local resources to add this
>* new address to the association, it MUST return an Error
> @@ -3120,6 +3126,12 @@ static __be16 sctp_process_asconf_param(struct 
> sctp_association *asoc,
>   if (af->is_any())
>   memcpy(, sctp_source(asconf), sizeof(addr));
>  
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> +SCTP_PARAM_SET_PRIMARY,
> +(struct sockaddr *),
> +af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
>   peer = sctp_assoc_lookup_paddr(asoc, );
>   if (!peer)
>   return SCTP_ERROR_DNS_FAILED;
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index 8f8ccde..a2dfc5a 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -318,6 +318,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net 
> *net,
>   struct sctp_packet *packet;
>   int len;
>  
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
>   /* 6.10 Bundling
>* An endpoint MUST NOT bundle INIT, INIT ACK or
>* SHUTDOWN COMPLETE with any other chunks.
> @@ -905,6 +910,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
>*/
>   sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
>  
> + /* Set peer label for connection. */
> + security_inet_conn_established(ep->base.sk, chunk->skb);
> +
>   /* RFC 2960 5.1 Normal Establishment of an Association
>*
>* E) Upon reception of the COOKIE ACK, endpoint "A" will move
> @@ -1433,6 +1441,11 @@ static enum sctp_disposition 
> sctp_sf_do_unexpected_init(
>   struct sctp_packet *packet;
>   int len;
>  
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
>   /* 6.10 Bundling
>* An endpoint MUST NOT bundle INIT, INIT ACK or
>

[PATCH V4 3/4] sctp: Add LSM hooks

2018-01-02 Thread Richard Haines 
Add security hooks to allow security modules to exercise access control
over SCTP.

Signed-off-by: Richard Haines 
---
 include/net/sctp/structs.h | 10 
 include/uapi/linux/sctp.h  |  1 +
 net/sctp/sm_make_chunk.c   | 12 +
 net/sctp/sm_statefuns.c| 18 ++
 net/sctp/socket.c  | 61 +-
 5 files changed, 101 insertions(+), 1 deletion(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 9942ed5..2ca0a3f 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1271,6 +1271,16 @@ struct sctp_endpoint {
  reconf_enable:1;
 
__u8  strreset_enable;
+
+   /* Security identifiers from incoming (INIT). These are set by
+* security_sctp_assoc_request(). These will only be used by
+* SCTP TCP type sockets and peeled off connections as they
+* cause a new socket to be generated. security_sctp_sk_clone()
+* will then plug these into the new socket.
+*/
+
+   u32 secid;
+   u32 peer_secid;
 };
 
 /* Recover the outter endpoint structure. */
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index cfe9712..cafac36 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -123,6 +123,7 @@ typedef __s32 sctp_assoc_t;
 #define SCTP_RESET_ASSOC   120
 #define SCTP_ADD_STREAMS   121
 #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
+#define SCTP_SENDMSG_CONNECT   123
 
 /* PR-SCTP policies */
 #define SCTP_PR_SCTP_NONE  0x
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 514465b..269fd3d 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3054,6 +3054,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, >source, sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_ADD_IP,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
 * request and does not have the local resources to add this
 * new address to the association, it MUST return an Error
@@ -3120,6 +3126,12 @@ static __be16 sctp_process_asconf_param(struct 
sctp_association *asoc,
if (af->is_any())
memcpy(, sctp_source(asconf), sizeof(addr));
 
+   if (security_sctp_bind_connect(asoc->ep->base.sk,
+  SCTP_PARAM_SET_PRIMARY,
+  (struct sockaddr *),
+  af->sockaddr_len))
+   return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, );
if (!peer)
return SCTP_ERROR_DNS_FAILED;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 8f8ccde..a2dfc5a 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -318,6 +318,11 @@ enum sctp_disposition sctp_sf_do_5_1B_init(struct net *net,
struct sctp_packet *packet;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
@@ -905,6 +910,9 @@ enum sctp_disposition sctp_sf_do_5_1E_ca(struct net *net,
 */
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
 
+   /* Set peer label for connection. */
+   security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
 *
 * E) Upon reception of the COOKIE ACK, endpoint "A" will move
@@ -1433,6 +1441,11 @@ static enum sctp_disposition sctp_sf_do_unexpected_init(
struct sctp_packet *packet;
int len;
 
+   /* Update socket peer label if first association. */
+   if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+   chunk->skb))
+   return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
 * An endpoint MUST NOT bundle INIT, INIT ACK or
 * SHUTDOWN COMPLETE with any other chunks.
@@ -2103,6 +2116,11 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
}
}
 
+   /* Update socket peer label if first association. */
+   if