Thread: 5 messages, 4 authors, 2017-11-06

[RFC PATCH 1/5] security: Add support for SCTP security hooks

From: Richard Haines <hidden>
Date: 2017-11-01 21:38:31
Also in: linux-sctp, netdev, selinux

On Tue, 2017-10-31 at 14:41 -0200, Marcelo Ricardo Leitner wrote:
On Tue, Oct 17, 2017 at 03:02:47PM +0100, Richard Haines wrote:
The SCTP security hooks are explained in:
Documentation/security/LSM-sctp.txt

Signed-off-by: Richard Haines <redacted>
---
 Documentation/security/LSM-sctp.txt | 212
++++++++++++++++++++++++++++++++++++
 include/linux/lsm_hooks.h           |  37 +++++++
 include/linux/security.h            |  27 +++++
 security/security.c                 |  23 ++++
 4 files changed, 299 insertions(+)
 create mode 100644 Documentation/security/LSM-sctp.txt
diff --git a/Documentation/security/LSM-sctp.txt
b/Documentation/security/LSM-sctp.txt
new file mode 100644
index 0000000..30fe9b5
--- /dev/null
+++ b/Documentation/security/LSM-sctp.txt
@@ -0,0 +1,212 @@
+                               SCTP LSM Support
+                              ==================
+
+For security module support, three sctp specific hooks have been
implemented:
+    security_sctp_assoc_request()
+    security_sctp_bind_connect()
+    security_sctp_sk_clone()
+
+Also the following security hook has been utilised:
+    security_inet_conn_established()
+
+The usage of these hooks are described below with the SELinux
implementation
+described in Documentation/security/SELinux-sctp.txt
+
+
+security_sctp_assoc_request()
+------------------------------
+This new hook has been added to net/sctp/sm_statefuns.c where it
passes the
+ at ep and @chunk->skb (the association INIT or INIT ACK packet) to
the security
+module. Returns 0 on success, error on failure.
+
+    @ep - pointer to sctp endpoint structure.
+    @skb - pointer to skbuff of association packet.
+    @sctp_cid - set to sctp packet type (SCTP_CID_INIT or
SCTP_CID_INIT_ACK).
+
+The security module performs the following operations:
+  1) If this is the first association on @ep->base.sk, then set
the peer sid
+     to that in @skb. This will ensure there is only one peer sid
assigned
+     to @ep->base.sk that may support multiple associations.
+
+  2) If not the first association, validate the @ep->base.sk
peer_sid against
+     the @skb peer sid to determine whether the association should
be allowed
+     or denied.
+
+  3) If @sctp_cid = SCTP_CID_INIT, then set the sctp @ep sid to
socket's sid
+     (from ep->base.sk) with MLS portion taken from @skb peer sid.
This will
+     only be used by SCTP TCP style sockets and peeled off
connections as they
+     cause a new socket to be generated.
+
+     If IP security options are configured (CIPSO/CALIPSO), then
the ip options
+     are set on the socket.
+
+     To support this hook include/net/sctp/structs.h "struct
sctp_endpoint"
+     has been updated with the following:
+
+	/* Security identifiers from incoming (INIT). These are
set by
+	 * security_sctp_assoc_request(). These will only be used
by
+	 * SCTP TCP type sockets and peeled off connections as
they
+	 * cause a new socket to be generated.
security_sctp_sk_clone()
+	 * will then plug these into the new socket.
+	 */
+	u32 secid;
+	u32 peer_secid;
+
+
+security_sctp_bind_connect()
+-----------------------------
+This new hook has been added to net/sctp/socket.c and
net/sctp/sm_make_chunk.c.
+It passes one or more ipv4/ipv6 addresses to the security module
for
+validation based on the @optname that will result in either a bind
or connect
+service as shown in the permission check tables below.
+Returns 0 on success, error on failure.
+
+    @sk      - Pointer to sock structure.
+    @optname - Name of the option to validate.
+    @address - One or more ipv4 / ipv6 addresses.
+    @addrlen - The total length of address(s). This is calculated
on each
+               ipv4 or ipv6 address using sizeof(struct
sockaddr_in) or
+               sizeof(struct sockaddr_in6).
+
+  --------------------------------------------------------------
----
+  |                     BIND Type
Checks                           |
+  |       @optname             |         @address
contains         |
+  |----------------------------|--------------------------------
---|
+  | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses
|
+  | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6
address       |
+  | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6
address       |
+  --------------------------------------------------------------
----
+
+  --------------------------------------------------------------
----
+  |                   CONNECT Type
Checks                          |
+  |       @optname             |         @address
contains         |
+  |----------------------------|--------------------------------
---|
+  | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses
|
+  | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses
|
+  | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6
address       |
+  | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6
address       |
+  --------------------------------------------------------------
----
+
+A summary of the @optname entries is as follows:
+
+    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to
be
+                             associated after (optionally) calling
+                             bind(3).
+                             sctp_bindx(3) adds a set of bind
+	                     addresses on a socket.
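Review bot: the opening sentence of security_sctp_assoc_request() says the hook passes @ep and @chunk->skb to the security module, but the parameter list right below also has @sctp_cid, and step 3 keys off it (SCTP_CID_INIT vs SCTP_CID_INIT_ACK); state in that first sentence that the chunk type is passed as well, so the reader sees why the endpoint secid is only set for INIT. In security_sctp_bind_connect(), "@addrlen - The total length of address(s). This is calculated on each ipv4 or ipv6 address using sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6)" does not make clear that one @address buffer may mix ipv4 and ipv6 entries (the tables say "One or more ipv4 / ipv6 addresses"); spell out that a security module must walk @address one entry at a time, advancing by the sockaddr size of that entry's family until the walked length reaches @addrlen, rather than dividing @addrlen by a single fixed size. Minor: "The usage of these hooks are described" should read "is described", and the last sctp_bindx(3) line is indented with a tab where the surrounding lines use spaces.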
Nit, indentation issue above.
The nit has been squashed
Thanks for all your comments
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html