SCTP

SCTP LSM Support

Security Hooks

For security module support, three SCTP specific hooks have been implemented:

  - security_sctp_assoc_request()
  - security_sctp_bind_connect()
  - security_sctp_sk_clone()

Also the following security hook has been utilised:

  - security_inet_conn_established()

The usage of these hooks is described below, with the SELinux implementation described in the SCTP SELinux Support chapter.

security_sctp_assoc_request()

Passes the @ep and @chunk->skb of the association INIT packet to the security module. Returns 0 on success, error on failure.

  @ep  - pointer to sctp endpoint structure.
  @skb - pointer to skbuff of association packet.

security_sctp_bind_connect()

Passes one or more ipv4/ipv6 addresses to the security module for validation based on the @optname that will result in either a bind or connect service as shown in the permission check tables below. Returns 0 on success, error on failure.

  @sk      - Pointer to sock structure.
  @optname - Name of the option to validate.
  @address - One or more ipv4 / ipv6 addresses.
  @addrlen - The total length of address(s). This is calculated on each
             ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
             sizeof(struct sockaddr_in6).

  ------------------------------------------------------------------
  |                     BIND Type Checks                           |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                   CONNECT Type Checks                          |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

A summary of the @optname entries is as follows:

  SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                         associated after (optionally) calling
                         bind(3).
                         sctp_bindx(3) adds a set of bind
                         addresses on a socket.

  SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                        addresses for reaching a peer
                        (multi-homed).
                        sctp_connectx(3) initiates a connection
                        on an SCTP socket using multiple
                        destination addresses.

  SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                        sendmsg(2) or sctp_sendmsg(3) on a new association.

  SCTP_PRIMARY_ADDR     - Set local primary address.

  SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                             association primary.

  SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
  SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.

To support Dynamic Address Reconfiguration the following parameters must be enabled on both endpoints (or use the appropriate setsockopt(2)):

  /proc/sys/net/sctp/addip_enable
  /proc/sys/net/sctp/addip_noauth_enable

then the following _PARAM_'s are sent to the peer in an ASCONF chunk when the corresponding @optname's are present:

      @optname                      ASCONF Parameter
     ----------                    ------------------
  SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
  SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY
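The @address / @addrlen pair above is a packed buffer of sockaddr_in and sockaddr_in6 structures, and each element's length is decided from its sa_family field. The following user-space program is an added example, not kernel code and not part of this document: it packs three constructed addresses the way sctp_bindx(3) or sctp_connectx(3) would and then walks the buffer the way a security module must, counting address families and refusing a buffer whose declared length does not match its contents. The names pack_addr, sctp_walk_addrs and build_sample_addrs are this example's own; the truncation and unknown-family checks are the example's own defensive handling of malformed input.

```c
/* Added example: pack and walk an SCTP multi-address buffer.
 * Not kernel code; names and sample addresses are constructed. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

struct addr_counts { int v4; int v6; };

/* Append one IPv4 or IPv6 address (text form) at offset 'used'.
 * Returns the number of bytes appended, or 0 on error / no room. */
static size_t pack_addr(unsigned char *buf, size_t cap, size_t used,
                        const char *text, int port)
{
    struct sockaddr_in sin;
    struct sockaddr_in6 sin6;

    memset(&sin, 0, sizeof sin);
    memset(&sin6, 0, sizeof sin6);
    if (inet_pton(AF_INET, text, &sin.sin_addr) == 1) {
        if (used + sizeof sin > cap) return 0;
        sin.sin_family = AF_INET;
        sin.sin_port = htons((uint16_t)port);
        memcpy(buf + used, &sin, sizeof sin);   /* sizeof(struct sockaddr_in) */
        return sizeof sin;
    }
    if (inet_pton(AF_INET6, text, &sin6.sin6_addr) == 1) {
        if (used + sizeof sin6 > cap) return 0;
        sin6.sin6_family = AF_INET6;
        sin6.sin6_port = htons((uint16_t)port);
        memcpy(buf + used, &sin6, sizeof sin6); /* sizeof(struct sockaddr_in6) */
        return sizeof sin6;
    }
    return 0;
}

/* Walk a packed address buffer of total length addrlen, as the
 * sctp_bind_connect hook has to. Returns 0 and fills counts on success,
 * -EINVAL if an element has an unknown family or would run past addrlen
 * (a truncated or malformed buffer handed in from userspace). */
int sctp_walk_addrs(const unsigned char *addrs, size_t addrlen,
                    struct addr_counts *counts)
{
    size_t walk = 0;

    counts->v4 = counts->v6 = 0;
    while (walk < addrlen) {
        sa_family_t family;
        size_t len;

        if (addrlen - walk < sizeof family)
            return -EINVAL;            /* not even a family field left */
        memcpy(&family, addrs + walk, sizeof family);
        switch (family) {
        case AF_INET:  len = sizeof(struct sockaddr_in);  break;
        case AF_INET6: len = sizeof(struct sockaddr_in6); break;
        default:       return -EINVAL; /* neither ipv4 nor ipv6 */
        }
        if (len > addrlen - walk)
            return -EINVAL;            /* element runs past declared length */
        if (family == AF_INET) counts->v4++; else counts->v6++;
        walk += len;
    }
    return 0;
}

/* Constructed sample: two IPv4 and one IPv6 address (RFC 5737/3849
 * documentation ranges), as a multi-homed endpoint would pass to
 * sctp_bindx(3). Returns the total @addrlen, 0 on error. */
size_t build_sample_addrs(unsigned char *buf, size_t cap)
{
    static const char *const sample[] = {
        "192.0.2.10", "2001:db8::10", "198.51.100.10"
    };
    size_t used = 0;

    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++) {
        size_t n = pack_addr(buf, cap, used, sample[i], 5000);
        if (n == 0) return 0;
        used += n;
    }
    return used;
}

int main(void)
{
    unsigned char buf[128];
    struct addr_counts c;
    size_t len = build_sample_addrs(buf, sizeof buf);

    printf("addrlen=%zu walk=%d v4=%d v6=%d\n", len,
           sctp_walk_addrs(buf, len, &c), c.v4, c.v6);
    printf("truncated by one byte: %d\n", sctp_walk_addrs(buf, len - 1, &c));
    return 0;
}
```

The walker deliberately trusts nothing but the family field of the element it is looking at: if the family is unknown, or the element it implies does not fit in what remains of @addrlen, the whole buffer is rejected rather than silently validating fewer addresses than the caller supplied.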

security_sctp_sk_clone()

Called whenever a new socket is created by accept(2) (i.e. a TCP style socket) or when a socket is 'peeled off', e.g. userspace calls sctp_peeloff(3).

  @ep    - pointer to current sctp endpoint structure.
  @sk    - pointer to current sock structure.
  @newsk - pointer to new sock structure.

security_inet_conn_established()

Called when a COOKIE ACK is received:

  @sk  - pointer to sock structure.
  @skb - pointer to skbuff of the COOKIE ACK packet.

Security Hooks used for Association Establishment

The following diagram shows the use of security_sctp_bind_connect(), security_sctp_assoc_request() and security_inet_conn_established() when establishing an association.

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is
                                             asking for an association. Call
                                             security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                          |
                                                          |
                                                          |
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_inet_conn_established()                    |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------

SCTP SELinux Support

Security Hooks

The SCTP LSM Support chapter above describes the following SCTP security hooks with the SELinux specifics expanded below:

  - security_sctp_assoc_request()
  - security_sctp_bind_connect()
  - security_sctp_sk_clone()
  - security_inet_conn_established()

security_sctp_assoc_request()

Passes the @ep and @chunk->skb of the association INIT packet to the security module. Returns 0 on success, error on failure.

  @ep  - pointer to sctp endpoint structure.
  @skb - pointer to skbuff of association packet.

The security module performs the following operations:

  - IF this is the first association on @ep->base.sk, then set the peer sid to that in @skb. This will ensure there is only one peer sid assigned to @ep->base.sk that may support multiple associations.

  - ELSE validate the @ep->base.sk peer_sid against the @skb peer sid to determine whether the association should be allowed or denied.

  - Set the sctp @ep sid to socket's sid (from ep->base.sk) with MLS portion taken from @skb peer sid. This will be used by SCTP TCP style sockets and peeled off connections as they cause a new socket to be generated.

  - If IP security options are configured (CIPSO/CALIPSO), then the ip options are set on the socket.

security_sctp_bind_connect()

Checks permissions required for ipv4/ipv6 addresses based on the @optname as follows:

  ------------------------------------------------------------------
  |                   BIND Permission Checks                       |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

  ------------------------------------------------------------------
  |                 CONNECT Permission Checks                      |
  |       @optname             |         @address contains         |
  |----------------------------|-----------------------------------|
  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
  ------------------------------------------------------------------

SCTP LSM Support gives a summary of the @optname entries and also describes ASCONF chunk processing when Dynamic Address Reconfiguration is enabled.

security_sctp_sk_clone()

Called whenever a new socket is created by accept(2) (i.e. a TCP style socket) or when a socket is 'peeled off', e.g. userspace calls sctp_peeloff(3). security_sctp_sk_clone() will set the new socket's sid and peer sid to that contained in the @ep sid and @ep peer sid respectively.

  @ep    - pointer to current sctp endpoint structure.
  @sk    - pointer to current sock structure.
  @newsk - pointer to new sock structure.

security_inet_conn_established()

Called when a COOKIE ACK is received where it sets the connection's peer sid to that in @skb:

  @sk  - pointer to sock structure.
  @skb - pointer to skbuff of the COOKIE ACK packet.

Policy Statements

The following class and permissions to support SCTP are available within the kernel:

class sctp_socket inherits socket { node_bind }

whenever the following policy capability is enabled:

policycap extended_socket_class;

SELinux SCTP support adds the name_connect permission for connecting to a specific port type and the association permission that is explained in the section below.

If userspace tools have been updated, SCTP will support the portcon statement as shown in the following example:

portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0

SCTP Peer Labeling

An SCTP socket will only have one peer label assigned to it. This will be assigned during the establishment of the first association. Any further associations on this socket will have their packet peer label compared to the socket's peer label, and only if they are different will the association permission be validated. This is validated by checking the socket peer sid against the received packet's peer sid to determine whether the association should be allowed or denied.
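The peer-labeling rule above, together with the security_sctp_assoc_request() and security_sctp_sk_clone() behaviour described earlier in this chapter, can be followed in a small user-space model. The program below is an added example and is not kernel or SELinux code: sids are modelled as a type string plus a separate MLS range so that the "socket sid with the MLS portion taken from the packet's peer sid" rule for the endpoint sid is visible, and policy_allows_association() is a constructed allow-list standing in for the real AVC lookup of the sctp_socket association permission. The struct and function names (sctp_sock, assoc_request, sk_clone) are this example's own.

```c
/* Added example: user-space model of SELinux SCTP peer labeling.
 * Not kernel code; types, sids and policy below are constructed. */
#include <stdio.h>
#include <string.h>

#define MAX_CTX 64

struct sid { char type[MAX_CTX]; char mls[MAX_CTX]; };

struct sctp_sock {
    struct sid sid;        /* the socket's own label */
    struct sid peer_sid;   /* the single peer label, fixed by the first association */
    int has_peer;          /* 0 until the first association sets peer_sid */
    struct sid ep_sid;     /* endpoint sid handed to accepted / peeled-off sockets */
    int audit_denials;     /* "audit event and silently discard" outcomes */
};

/* Constructed policy: which (socket peer type, new packet peer type) pairs
 * hold sctp_socket { association }. Stands in for the AVC. */
static int policy_allows_association(const char *sock_peer, const char *pkt_peer)
{
    static const char *const allowed[][2] = {
        { "sctp_peer_t", "sctp_peer_alt_t" },
    };
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (!strcmp(allowed[i][0], sock_peer) && !strcmp(allowed[i][1], pkt_peer))
            return 1;
    return 0;
}

static int sid_equal(const struct sid *a, const struct sid *b)
{
    return !strcmp(a->type, b->type) && !strcmp(a->mls, b->mls);
}

/* Model of security_sctp_assoc_request() for an INIT carrying pkt_peer.
 * Returns 0 if the INIT may be answered, -1 if it is audited and discarded. */
int assoc_request(struct sctp_sock *sk, const struct sid *pkt_peer)
{
    if (!sk->has_peer) {
        /* First association: the packet's peer sid becomes the socket's only peer sid. */
        sk->peer_sid = *pkt_peer;
        sk->has_peer = 1;
    } else if (!sid_equal(&sk->peer_sid, pkt_peer)) {
        /* Later association with a different peer label: check socket peer sid
         * against the packet's peer sid for the association permission. */
        if (!policy_allows_association(sk->peer_sid.type, pkt_peer->type)) {
            sk->audit_denials++;
            return -1;
        }
    }
    /* Endpoint sid: socket's type with the MLS portion taken from the packet's peer sid. */
    strcpy(sk->ep_sid.type, sk->sid.type);
    strcpy(sk->ep_sid.mls, pkt_peer->mls);
    return 0;
}

/* Model of security_sctp_sk_clone(): the accept(2)ed or peeled-off socket
 * takes the endpoint sid and the endpoint's peer sid. */
void sk_clone(const struct sctp_sock *sk, struct sctp_sock *newsk)
{
    memset(newsk, 0, sizeof *newsk);
    newsk->sid = sk->ep_sid;
    newsk->peer_sid = sk->peer_sid;
    newsk->has_peer = sk->has_peer;
}

int main(void)
{
    struct sctp_sock sk, newsk;
    struct sid first  = { "sctp_peer_t",     "s0:c1" };
    struct sid other  = { "sctp_peer_alt_t", "s0:c2" };
    struct sid denied = { "bad_peer_t",      "s0"    };

    memset(&sk, 0, sizeof sk);
    strcpy(sk.sid.type, "sctp_app_t");
    strcpy(sk.sid.mls, "s0");

    printf("first association : %d\n", assoc_request(&sk, &first));
    printf("same peer label   : %d\n", assoc_request(&sk, &first));
    printf("allowed different : %d\n", assoc_request(&sk, &other));
    printf("denied different  : %d (denials=%d)\n",
           assoc_request(&sk, &denied), sk.audit_denials);
    sk_clone(&sk, &newsk);
    printf("cloned sid=%s:%s peer=%s\n", newsk.sid.type, newsk.sid.mls,
           newsk.peer_sid.type);
    return 0;
}
```

Two points the model makes concrete: a second association with the same peer label as the first never consults the association permission at all, and an allowed association with a different peer label does not change the socket's peer sid, which stays as the first association set it (note 2 below is the operational consequence of that).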

NOTES:
  1. If peer labeling is not enabled, then the peer context will always be SECINITSID_UNLABELED (unlabeled_t in Reference Policy).

  2. As SCTP can support more than one transport address per endpoint (multi-homing) on a single socket, it is possible to configure policy and NetLabel to provide different peer labels for each of these. As the socket peer label is determined by the first association's transport address, it is recommended that all peer labels are consistent.

  3. getpeercon(3) may be used by userspace to retrieve the socket's peer context.

  4. While not SCTP specific, be aware when using NetLabel that if a label is assigned to a specific interface, and that interface 'goes down', then the NetLabel service will remove the entry. Therefore ensure that the network startup scripts call netlabelctl(8) to set the required label (see the netlabel-config(8) helper script for details).

  5. The NetLabel SCTP peer labeling rules apply as discussed in the following set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

  6. CIPSO is only supported for IPv4 addressing: socket(AF_INET, ...)
     CALIPSO is only supported for IPv6 addressing: socket(AF_INET6, ...)

     Note the following when testing CIPSO/CALIPSO:
       1. CIPSO will send an ICMP packet if an SCTP packet cannot be delivered because of an invalid label.
       2. CALIPSO does not send an ICMP packet, just silently discards it.

  7. IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been implemented in userspace (racoon(8) or ipsec_pluto(8)), although the kernel supports SCTP/IPSEC.