summaryrefslogtreecommitdiff
path: root/Documentation/security/SELinux-sctp.rst
diff options
context:
space:
mode:
Diffstat (limited to 'Documentation/security/SELinux-sctp.rst')
-rw-r--r--Documentation/security/SELinux-sctp.rst158
1 files changed, 0 insertions, 158 deletions
diff --git a/Documentation/security/SELinux-sctp.rst b/Documentation/security/SELinux-sctp.rst
deleted file mode 100644
index a332cb1c5334..000000000000
--- a/Documentation/security/SELinux-sctp.rst
+++ /dev/null
@@ -1,158 +0,0 @@
-SCTP SELinux Support
-=====================
-
-Security Hooks
-===============
-
-``Documentation/security/LSM-sctp.rst`` describes the following SCTP security
-hooks with the SELinux specifics expanded below::
-
- security_sctp_assoc_request()
- security_sctp_bind_connect()
- security_sctp_sk_clone()
- security_inet_conn_established()
-
-
-security_sctp_assoc_request()
------------------------------
-Passes the ``@ep`` and ``@chunk->skb`` of the association INIT packet to the
-security module. Returns 0 on success, error on failure.
-::
-
- @ep - pointer to sctp endpoint structure.
- @skb - pointer to skbuff of association packet.
-
-The security module performs the following operations:
- IF this is the first association on ``@ep->base.sk``, then set the peer
- sid to that in ``@skb``. This will ensure there is only one peer sid
- assigned to ``@ep->base.sk`` that may support multiple associations.
-
- ELSE validate the ``@ep->base.sk peer_sid`` against the ``@skb peer sid``
- to determine whether the association should be allowed or denied.
-
- Set the sctp ``@ep sid`` to socket's sid (from ``ep->base.sk``) with
- MLS portion taken from ``@skb peer sid``. This will be used by SCTP
- TCP style sockets and peeled off connections as they cause a new socket
- to be generated.
-
- If IP security options are configured (CIPSO/CALIPSO), then the ip
- options are set on the socket.
-
-
-security_sctp_bind_connect()
------------------------------
-Checks permissions required for ipv4/ipv6 addresses based on the ``@optname``
-as follows::
-
- ------------------------------------------------------------------
- | BIND Permission Checks |
- | @optname | @address contains |
- |----------------------------|-----------------------------------|
- | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses |
- | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address |
- | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address |
- ------------------------------------------------------------------
-
- ------------------------------------------------------------------
- | CONNECT Permission Checks |
- | @optname | @address contains |
- |----------------------------|-----------------------------------|
- | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses |
- | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses |
- | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address |
- | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address |
- ------------------------------------------------------------------
-
-
-``Documentation/security/LSM-sctp.rst`` gives a summary of the ``@optname``
-entries and also describes ASCONF chunk processing when Dynamic Address
-Reconfiguration is enabled.
-
-
-security_sctp_sk_clone()
--------------------------
-Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
-socket) or when a socket is 'peeled off' e.g userspace calls
-**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
-sockets sid and peer sid to that contained in the ``@ep sid`` and
-``@ep peer sid`` respectively.
-::
-
- @ep - pointer to current sctp endpoint structure.
- @sk - pointer to current sock structure.
- @sk - pointer to new sock structure.
-
-
-security_inet_conn_established()
----------------------------------
-Called when a COOKIE ACK is received where it sets the connection's peer sid
-to that in ``@skb``::
-
- @sk - pointer to sock structure.
- @skb - pointer to skbuff of the COOKIE ACK packet.
-
-
-Policy Statements
-==================
-The following class and permissions to support SCTP are available within the
-kernel::
-
- class sctp_socket inherits socket { node_bind }
-
-whenever the following policy capability is enabled::
-
- policycap extended_socket_class;
-
-SELinux SCTP support adds the ``name_connect`` permission for connecting
-to a specific port type and the ``association`` permission that is explained
-in the section below.
-
-If userspace tools have been updated, SCTP will support the ``portcon``
-statement as shown in the following example::
-
- portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0
-
-
-SCTP Peer Labeling
-===================
-An SCTP socket will only have one peer label assigned to it. This will be
-assigned during the establishment of the first association. Any further
-associations on this socket will have their packet peer label compared to
-the sockets peer label, and only if they are different will the
-``association`` permission be validated. This is validated by checking the
-socket peer sid against the received packets peer sid to determine whether
-the association should be allowed or denied.
-
-NOTES:
- 1) If peer labeling is not enabled, then the peer context will always be
- ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
-
- 2) As SCTP can support more than one transport address per endpoint
- (multi-homing) on a single socket, it is possible to configure policy
- and NetLabel to provide different peer labels for each of these. As the
- socket peer label is determined by the first associations transport
- address, it is recommended that all peer labels are consistent.
-
- 3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
- context.
-
- 4) While not SCTP specific, be aware when using NetLabel that if a label
- is assigned to a specific interface, and that interface 'goes down',
- then the NetLabel service will remove the entry. Therefore ensure that
- the network startup scripts call **netlabelctl**\(8) to set the required
- label (see **netlabel-config**\(8) helper script for details).
-
- 5) The NetLabel SCTP peer labeling rules apply as discussed in the following
- set of posts tagged "netlabel" at: http://www.paul-moore.com/blog/t.
-
- 6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
- CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``
-
- Note the following when testing CIPSO/CALIPSO:
- a) CIPSO will send an ICMP packet if an SCTP packet cannot be
- delivered because of an invalid label.
- b) CALIPSO does not send an ICMP packet, just silently discards it.
-
- 7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
- implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
- although the kernel supports SCTP/IPSEC.