€•~Ö      Œsphinx.addnodes”Œdocument”“”)”}”(Œ	rawsource”Œ ”Œchildren”]”(Œtranslations”ŒLanguagesNode”“”)”}”(hhh]”(h Œpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ
attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ	refdomain”Œstd”Œreftype”Œdoc”Œ	reftarget”Œ!/translations/zh_CN/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ!/translations/zh_TW/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ!/translations/it_IT/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ!/translations/ja_JP/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ!/translations/ko_KR/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ!/translations/pt_BR/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ	refdomain”h)Œreftype”h+Œ	reftarget”Œ!/translations/sp_SP/security/SCTP”Œmodname”NŒ	classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h
hhŒ	_document”hŒsource”NŒline”NubhŒcomment”“”)”}”(hŒ SPDX-License-Identifier: GPL-2.0”h]”hŒ SPDX-License-Identifier: GPL-2.0”…””}”hh·sbah}”(h]”h ]”h"]”h$]”h&]”Œ	xml:space”Œpreserve”uh1hµhhh²hh³Œ;/var/lib/git/docbuild/linux/Documentation/security/SCTP.rst”h´KubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒSCTP”h]”hŒSCTP”…””}”(hhÏh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÊh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒSCTP LSM Support”h]”hŒSCTP LSM Support”…””}”(hhàh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhÝh²hh³hÇh´KubhÉ)”}”(hhh]”(hÎ)”}”(hŒSecurity Hooks”h]”hŒSecurity Hooks”…””}”(hhñh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhhîh²hh³hÇh´KubhŒ	paragraph”“”)”}”(hŒNFor security module support, three SCTP specific hooks have been implemented::”h]”hŒMFor security module support, three SCTP specific hooks have been implemented:”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Khhîh²hubhŒliteral_block”“”)”}”(hŒusecurity_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
security_sctp_assoc_established()”h]”hŒusecurity_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
security_sctp_assoc_established()”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Khhîh²hubj   )”}”(hŒ~The usage of these hooks are described below with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.”h]”(hŒ^The usage of these hooks are described below with the SELinux implementation
described in the ”…””}”(hj  h²hh³Nh´NubhŒ	reference”“”)”}”(hŒ`SCTP SELinux Support`_”h]”hŒSCTP SELinux Support”…””}”(hj)  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒSCTP SELinux Support”Œrefid”Œsctp-selinux-support”uh1j'  hj  Œresolved”KubhŒ	 chapter.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Khhîh²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒsecurity_sctp_assoc_request()”h]”hŒsecurity_sctp_assoc_request()”…””}”(hjI  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjF  h²hh³hÇh´Kubj   )”}”(hŒŠPasses the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::”h]”(hŒPasses the ”…””}”(hjW  h²hh³Nh´NubhŒliteral”“”)”}”(hŒ	``@asoc``”h]”hŒ@asoc”…””}”(hja  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjW  ubhŒ and ”…””}”(hjW  h²hh³Nh´Nubj`  )”}”(hŒ``@chunk->skb``”h]”hŒ@chunk->skb”…””}”(hjs  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjW  ubhŒ_ of the association INIT packet to the
security module. Returns 0 on success, error on failure.”…””}”(hjW  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KhjF  h²hubj  )”}”(hŒ^@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of association packet.”h]”hŒ^@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of association packet.”…””}”hj‹  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´KhjF  h²hubeh}”(h]”Œsecurity-sctp-assoc-request”ah ]”h"]”h$]”Œsecurity_sctp_assoc_request()”ah&]”uh1hÈhhîh²hh³hÇh´KŒ
referenced”KubhÉ)”}”(hhh]”(hÎ)”}”(hŒsecurity_sctp_bind_connect()”h]”hŒsecurity_sctp_bind_connect()”…””}”(hj¥  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj¢  h²hh³hÇh´K#ubj   )”}”(hŒõPasses one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::”h]”(hŒZPasses one or more ipv4/ipv6 addresses to the security module for validation
based on the ”…””}”(hj³  h²hh³Nh´Nubj`  )”}”(hŒ``@optname``”h]”hŒ@optname”…””}”(hj»  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj³  ubhŒŒ that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.”…””}”(hj³  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´K$hj¢  h²hubj  )”}”(hX±    @sk      - Pointer to sock structure.
  @optname - Name of the option to validate.
  @address - One or more ipv4 / ipv6 addresses.
  @addrlen - The total length of address(s). This is calculated on each
             ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
             sizeof(struct sockaddr_in6).

------------------------------------------------------------------
|                     BIND Type Checks                           |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
| SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
| SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
------------------------------------------------------------------

------------------------------------------------------------------
|                   CONNECT Type Checks                          |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
| SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
| SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
| SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
------------------------------------------------------------------”h]”hX±    @sk      - Pointer to sock structure.
  @optname - Name of the option to validate.
  @address - One or more ipv4 / ipv6 addresses.
  @addrlen - The total length of address(s). This is calculated on each
             ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
             sizeof(struct sockaddr_in6).

------------------------------------------------------------------
|                     BIND Type Checks                           |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
| SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
| SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
------------------------------------------------------------------

------------------------------------------------------------------
|                   CONNECT Type Checks                          |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
| SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
| SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
| SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
------------------------------------------------------------------”…””}”hjÓ  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´K*hj¢  h²hubj   )”}”(hŒ5A summary of the ``@optname`` entries is as follows::”h]”(hŒA summary of the ”…””}”(hjá  h²hh³Nh´Nubj`  )”}”(hŒ``@optname``”h]”hŒ@optname”…””}”(hjé  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjá  ubhŒ entries is as follows:”…””}”(hjá  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KDhj¢  h²hubj  )”}”(hX  SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                         associated after (optionally) calling
                         bind(3).
                         sctp_bindx(3) adds a set of bind
                         addresses on a socket.

SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                        addresses for reaching a peer
                        (multi-homed).
                        sctp_connectx(3) initiates a connection
                        on an SCTP socket using multiple
                        destination addresses.

SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                        sendmsg(2) or sctp_sendmsg(3) on a new association.

SCTP_PRIMARY_ADDR     - Set local primary address.

SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                             association primary.

SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.”h]”hX  SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                         associated after (optionally) calling
                         bind(3).
                         sctp_bindx(3) adds a set of bind
                         addresses on a socket.

SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                        addresses for reaching a peer
                        (multi-homed).
                        sctp_connectx(3) initiates a connection
                        on an SCTP socket using multiple
                        destination addresses.

SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by a
                        sendmsg(2) or sctp_sendmsg(3) on a new association.

SCTP_PRIMARY_ADDR     - Set local primary address.

SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                             association primary.

SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained below.”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´KFhj¢  h²hubj   )”}”(hŒ“To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::”h]”(hŒ~To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate ”…””}”(hj  h²hh³Nh´NubhŒstrong”“”)”}”(hŒ**setsockopt**”h]”hŒ
setsockopt”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ (2)):”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´K_hj¢  h²hubj  )”}”(hŒF/proc/sys/net/sctp/addip_enable
/proc/sys/net/sctp/addip_noauth_enable”h]”hŒF/proc/sys/net/sctp/addip_enable
/proc/sys/net/sctp/addip_noauth_enable”…””}”hj1  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Kbhj¢  h²hubj   )”}”(hŒzthen the following *_PARAM_*'s are sent to the peer in an
ASCONF chunk when the corresponding ``@optname``'s are present::”h]”(hŒthen the following ”…””}”(hj?  h²hh³Nh´NubhŒemphasis”“”)”}”(hŒ	*_PARAM_*”h]”hŒ_PARAM_”…””}”(hjI  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jG  hj?  ubhŒDâ€™s are sent to the peer in an
ASCONF chunk when the corresponding ”…””}”(hj?  h²hh³Nh´Nubj`  )”}”(hŒ``@optname``”h]”hŒ@optname”…””}”(hj[  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj?  ubhŒâ€™s are present:”…””}”(hj?  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Kehj¢  h²hubj  )”}”(hŒÓ      @optname                      ASCONF Parameter
     ----------                    ------------------
SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY”h]”hŒÓ      @optname                      ASCONF Parameter
     ----------                    ------------------
SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY”…””}”hjs  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Khhj¢  h²hubeh}”(h]”Œsecurity-sctp-bind-connect”ah ]”h"]”h$]”Œsecurity_sctp_bind_connect()”ah&]”uh1hÈhhîh²hh³hÇh´K#j¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒsecurity_sctp_sk_clone()”h]”hŒsecurity_sctp_sk_clone()”…””}”(hjŒ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj‰  h²hh³hÇh´Koubj   )”}”(hŒ¡Called whenever a new socket is created by **accept**\(2)
(i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace
calls **sctp_peeloff**\(3).
::”h]”(hŒ+Called whenever a new socket is created by ”…””}”(hjš  h²hh³Nh´Nubj  )”}”(hŒ
**accept**”h]”hŒaccept”…””}”(hj¢  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjš  ubhŒX (2)
(i.e. a TCP style socket) or when a socket is â€˜peeled offâ€™ e.g userspace
calls ”…””}”(hjš  h²hh³Nh´Nubj  )”}”(hŒ**sctp_peeloff**”h]”hŒsctp_peeloff”…””}”(hj´  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjš  ubhŒ (3).”…””}”(hjš  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Kphj‰  h²hubj  )”}”(hŒ‡@asoc - pointer to current sctp association structure.
@sk - pointer to current sock structure.
@newsk - pointer to new sock structure.”h]”hŒ‡@asoc - pointer to current sctp association structure.
@sk - pointer to current sock structure.
@newsk - pointer to new sock structure.”…””}”hjÌ  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Kuhj‰  h²hubeh}”(h]”Œsecurity-sctp-sk-clone”ah ]”h"]”h$]”Œsecurity_sctp_sk_clone()”ah&]”uh1hÈhhîh²hh³hÇh´Koj¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒ!security_sctp_assoc_established()”h]”hŒ!security_sctp_assoc_established()”…””}”(hjå  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjâ  h²hh³hÇh´K{ubj   )”}”(hŒnCalled when a COOKIE ACK is received, and the peer secid will be
saved into ``@asoc->peer_secid`` for client::”h]”(hŒLCalled when a COOKIE ACK is received, and the peer secid will be
saved into ”…””}”(hjó  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc->peer_secid``”h]”hŒ@asoc->peer_secid”…””}”(hjû  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjó  ubhŒ for client:”…””}”(hjó  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´K|hjâ  h²hubj  )”}”(hŒa@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of the COOKIE ACK packet.”h]”hŒa@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of the COOKIE ACK packet.”…””}”hj  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Khjâ  h²hubeh}”(h]”Œsecurity-sctp-assoc-established”ah ]”h"]”h$]”Œ!security_sctp_assoc_established()”ah&]”uh1hÈhhîh²hh³hÇh´K{j¡  Kubeh}”(h]”Œsecurity-hooks”ah ]”h"]”h$]”Œsecurity hooks”ah&]”uh1hÈhhÝh²hh³hÇh´Kj¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒ1Security Hooks used for Association Establishment”h]”hŒ1Security Hooks used for Association Establishment”…””}”(hj4  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj1  h²hh³hÇh´K„ubj   )”}”(hŒ¶The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when
establishing an association.
::”h]”(hŒ'The following diagram shows the use of ”…””}”(hjB  h²hh³Nh´Nubj`  )”}”(hŒ ``security_sctp_bind_connect()``”h]”hŒsecurity_sctp_bind_connect()”…””}”(hjJ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjB  ubhŒ,
”…””}”(hjB  h²hh³Nh´Nubj`  )”}”(hŒ!``security_sctp_assoc_request()``”h]”hŒsecurity_sctp_assoc_request()”…””}”(hj\  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjB  ubhŒ, ”…””}”(hjB  h²hh³Nh´Nubj`  )”}”(hŒ%``security_sctp_assoc_established()``”h]”hŒ!security_sctp_assoc_established()”…””}”(hjn  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjB  ubhŒ" when
establishing an association.”…””}”(hjB  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´K†hj1  h²hubj  )”}”(hXû
       SCTP endpoint "A"                                SCTP endpoint "Z"
     =================                                =================
   sctp_sf_do_prm_asoc()
Association setup can be initiated
by a connect(2), sctp_connectx(3),
sendmsg(2) or sctp_sendmsg(3).
These will result in a call to
security_sctp_bind_connect() to
initiate an association to
SCTP peer endpoint "Z".
        INIT --------------------------------------------->
                                                  sctp_sf_do_5_1B_init()
                                                Respond to an INIT chunk.
                                            SCTP peer endpoint "A" is asking
                                            for a temporary association.
                                            Call security_sctp_assoc_request()
                                            to set the peer label if first
                                            association.
                                            If not first association, check
                                            whether allowed, IF so send:
         <----------------------------------------------- INIT ACK
         |                                  ELSE audit event and silently
         |                                       discard the packet.
         |
   COOKIE ECHO ------------------------------------------>
                                                 sctp_sf_do_5_1D_ce()
                                            Respond to an COOKIE ECHO chunk.
                                            Confirm the cookie and create a
                                            permanent association.
                                            Call security_sctp_assoc_request() to
                                            do the same as for INIT chunk Response.
         <------------------------------------------- COOKIE ACK
         |                                               |
   sctp_sf_do_5_1E_ca                                    |
Call security_sctp_assoc_established()                   |
to set the peer label.                                   |
         |                                               |
         |                               If SCTP_SOCKET_TCP or peeled off
         |                               socket security_sctp_sk_clone() is
         |                               called to clone the new socket.
         |                                               |
     ESTABLISHED                                    ESTABLISHED
         |                                               |
   ------------------------------------------------------------------
   |                     Association Established                    |
   ------------------------------------------------------------------”h]”hXû
       SCTP endpoint "A"                                SCTP endpoint "Z"
     =================                                =================
   sctp_sf_do_prm_asoc()
Association setup can be initiated
by a connect(2), sctp_connectx(3),
sendmsg(2) or sctp_sendmsg(3).
These will result in a call to
security_sctp_bind_connect() to
initiate an association to
SCTP peer endpoint "Z".
        INIT --------------------------------------------->
                                                  sctp_sf_do_5_1B_init()
                                                Respond to an INIT chunk.
                                            SCTP peer endpoint "A" is asking
                                            for a temporary association.
                                            Call security_sctp_assoc_request()
                                            to set the peer label if first
                                            association.
                                            If not first association, check
                                            whether allowed, IF so send:
         <----------------------------------------------- INIT ACK
         |                                  ELSE audit event and silently
         |                                       discard the packet.
         |
   COOKIE ECHO ------------------------------------------>
                                                 sctp_sf_do_5_1D_ce()
                                            Respond to an COOKIE ECHO chunk.
                                            Confirm the cookie and create a
                                            permanent association.
                                            Call security_sctp_assoc_request() to
                                            do the same as for INIT chunk Response.
         <------------------------------------------- COOKIE ACK
         |                                               |
   sctp_sf_do_5_1E_ca                                    |
Call security_sctp_assoc_established()                   |
to set the peer label.                                   |
         |                                               |
         |                               If SCTP_SOCKET_TCP or peeled off
         |                               socket security_sctp_sk_clone() is
         |                               called to clone the new socket.
         |                                               |
     ESTABLISHED                                    ESTABLISHED
         |                                               |
   ------------------------------------------------------------------
   |                     Association Established                    |
   ------------------------------------------------------------------”…””}”hj†  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´K‹hj1  h²hubeh}”(h]”Œ1security-hooks-used-for-association-establishment”ah ]”h"]”Œ1security hooks used for association establishment”ah$]”h&]”uh1hÈhhÝh²hh³hÇh´K„ubeh}”(h]”Œsctp-lsm-support”ah ]”h"]”Œsctp lsm support”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´Kj¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒSCTP SELinux Support”h]”hŒSCTP SELinux Support”…””}”(hj§  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj¤  h²hh³hÇh´K¼ubhÉ)”}”(hhh]”(hÎ)”}”(hŒSecurity Hooks”h]”hŒSecurity Hooks”…””}”(hj¸  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjµ  h²hh³hÇh´K¿ubj   )”}”(hŒ}The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::”h]”(hŒThe ”…””}”(hjÆ  h²hh³Nh´Nubj(  )”}”(hŒ`SCTP LSM Support`_”h]”hŒSCTP LSM Support”…””}”(hjÎ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒSCTP LSM Support”j9  jž  uh1j'  hjÆ  j;  KubhŒe chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below:”…””}”(hjÆ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KÁhjµ  h²hubj  )”}”(hŒusecurity_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
security_sctp_assoc_established()”h]”hŒusecurity_sctp_assoc_request()
security_sctp_bind_connect()
security_sctp_sk_clone()
security_sctp_assoc_established()”…””}”hjè  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´KÄhjµ  h²hubhÉ)”}”(hhh]”(hÎ)”}”(hŒsecurity_sctp_assoc_request()”h]”hŒsecurity_sctp_assoc_request()”…””}”(hjù  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjö  h²hh³hÇh´KËubj   )”}”(hŒŠPasses the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::”h]”(hŒPasses the ”…””}”(hj  h²hh³Nh´Nubj`  )”}”(hŒ	``@asoc``”h]”hŒ@asoc”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ and ”…””}”(hj  h²hh³Nh´Nubj`  )”}”(hŒ``@chunk->skb``”h]”hŒ@chunk->skb”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ_ of the association INIT packet to the
security module. Returns 0 on success, error on failure.”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KÌhjö  h²hubj  )”}”(hŒ^@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of association packet.”h]”hŒ^@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of association packet.”…””}”hj9  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´KÐhjö  h²hubhŒdefinition_list”“”)”}”(hhh]”hŒdefinition_list_item”“”)”}”(hXç  The security module performs the following operations:
IF this is the first association on ``@asoc->base.sk``, then set the peer
sid to that in ``@skb``. This will ensure there is only one peer sid
assigned to ``@asoc->base.sk`` that may support multiple associations.

ELSE validate the ``@asoc->base.sk peer_sid`` against the ``@skb peer sid``
to determine whether the association should be allowed or denied.

Set the sctp ``@asoc sid`` to socket's sid (from ``asoc->base.sk``) with
MLS portion taken from ``@skb peer sid``. This will be used by SCTP
TCP style sockets and peeled off connections as they cause a new socket
to be generated.

If IP security options are configured (CIPSO/CALIPSO), then the ip
options are set on the socket.

”h]”(hŒterm”“”)”}”(hŒ6The security module performs the following operations:”h]”hŒ6The security module performs the following operations:”…””}”(hjT  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jR  h³hÇh´KâhjN  ubhŒ
definition”“”)”}”(hhh]”(j   )”}”(hŒÕIF this is the first association on ``@asoc->base.sk``, then set the peer
sid to that in ``@skb``. This will ensure there is only one peer sid
assigned to ``@asoc->base.sk`` that may support multiple associations.”h]”(hŒ$IF this is the first association on ”…””}”(hjg  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc->base.sk``”h]”hŒ@asoc->base.sk”…””}”(hjo  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjg  ubhŒ#, then set the peer
sid to that in ”…””}”(hjg  h²hh³Nh´Nubj`  )”}”(hŒ``@skb``”h]”hŒ@skb”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjg  ubhŒ:. This will ensure there is only one peer sid
assigned to ”…””}”(hjg  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc->base.sk``”h]”hŒ@asoc->base.sk”…””}”(hj“  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjg  ubhŒ( that may support multiple associations.”…””}”(hjg  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KÔhjd  ubj   )”}”(hŒELSE validate the ``@asoc->base.sk peer_sid`` against the ``@skb peer sid``
to determine whether the association should be allowed or denied.”h]”(hŒELSE validate the ”…””}”(hj«  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc->base.sk peer_sid``”h]”hŒ@asoc->base.sk peer_sid”…””}”(hj³  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj«  ubhŒ against the ”…””}”(hj«  h²hh³Nh´Nubj`  )”}”(hŒ``@skb peer sid``”h]”hŒ@skb peer sid”…””}”(hjÅ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj«  ubhŒB
to determine whether the association should be allowed or denied.”…””}”(hj«  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KØhjd  ubj   )”}”(hŒåSet the sctp ``@asoc sid`` to socket's sid (from ``asoc->base.sk``) with
MLS portion taken from ``@skb peer sid``. This will be used by SCTP
TCP style sockets and peeled off connections as they cause a new socket
to be generated.”h]”(hŒSet the sctp ”…””}”(hjÝ  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc sid``”h]”hŒ	@asoc sid”…””}”(hjå  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒ to socketâ€™s sid (from ”…””}”(hjÝ  h²hh³Nh´Nubj`  )”}”(hŒ``asoc->base.sk``”h]”hŒasoc->base.sk”…””}”(hj÷  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒ) with
MLS portion taken from ”…””}”(hjÝ  h²hh³Nh´Nubj`  )”}”(hŒ``@skb peer sid``”h]”hŒ@skb peer sid”…””}”(hj	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÝ  ubhŒt. This will be used by SCTP
TCP style sockets and peeled off connections as they cause a new socket
to be generated.”…””}”(hjÝ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KÛhjd  ubj   )”}”(hŒaIf IP security options are configured (CIPSO/CALIPSO), then the ip
options are set on the socket.”h]”hŒaIf IP security options are configured (CIPSO/CALIPSO), then the ip
options are set on the socket.”…””}”(hj!  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Kàhjd  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jb  hjN  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jL  h³hÇh´KâhjI  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jG  hjö  h²hh³hÇh´Nubeh}”(h]”Œid2”ah ]”h"]”h$]”jŸ  ah&]”uh1hÈhjµ  h²hh³hÇh´KËj¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒsecurity_sctp_bind_connect()”h]”hŒsecurity_sctp_bind_connect()”…””}”(hjK  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjH  h²hh³hÇh´Kåubj   )”}”(hŒZChecks permissions required for ipv4/ipv6 addresses based on the ``@optname``
as follows::”h]”(hŒAChecks permissions required for ipv4/ipv6 addresses based on the ”…””}”(hjY  h²hh³Nh´Nubj`  )”}”(hŒ``@optname``”h]”hŒ@optname”…””}”(hja  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjY  ubhŒ
as follows:”…””}”(hjY  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KæhjH  h²hubj  )”}”(hXs  ------------------------------------------------------------------
|                   BIND Permission Checks                       |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
| SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
| SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
------------------------------------------------------------------

------------------------------------------------------------------
|                 CONNECT Permission Checks                      |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
| SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
| SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
| SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
------------------------------------------------------------------”h]”hXs  ------------------------------------------------------------------
|                   BIND Permission Checks                       |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
| SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
| SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
------------------------------------------------------------------

------------------------------------------------------------------
|                 CONNECT Permission Checks                      |
|       @optname             |         @address contains         |
|----------------------------|-----------------------------------|
| SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
| SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
| SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
| SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
------------------------------------------------------------------”…””}”hjy  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´KéhjH  h²hubj   )”}”(hŒ›`SCTP LSM Support`_ gives a summary of the ``@optname``
entries and also describes ASCONF chunk processing when Dynamic Address
Reconfiguration is enabled.”h]”(j(  )”}”(hŒ`SCTP LSM Support`_”h]”hŒSCTP LSM Support”…””}”(hj‹  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒSCTP LSM Support”j9  jž  uh1j'  hj‡  j;  KubhŒ gives a summary of the ”…””}”(hj‡  h²hh³Nh´Nubj`  )”}”(hŒ``@optname``”h]”hŒ@optname”…””}”(hjŸ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj‡  ubhŒd
entries and also describes ASCONF chunk processing when Dynamic Address
Reconfiguration is enabled.”…””}”(hj‡  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´KýhjH  h²hubeh}”(h]”Œid3”ah ]”h"]”h$]”j‡  ah&]”uh1hÈhjµ  h²hh³hÇh´Kåj¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒsecurity_sctp_sk_clone()”h]”hŒsecurity_sctp_sk_clone()”…””}”(hjÁ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj¾  h²hh³hÇh´Mubj   )”}”(hX4  Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off' e.g userspace calls
**sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new
sockets sid and peer sid to that contained in the ``@asoc sid`` and
``@asoc peer sid`` respectively.
::”h]”(hŒ+Called whenever a new socket is created by ”…””}”(hjÏ  h²hh³Nh´Nubj  )”}”(hŒ
**accept**”h]”hŒaccept”…””}”(hj×  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒX (2) (i.e. a TCP style
socket) or when a socket is â€˜peeled offâ€™ e.g userspace calls
”…””}”(hjÏ  h²hh³Nh´Nubj  )”}”(hŒ**sctp_peeloff**”h]”hŒsctp_peeloff”…””}”(hjé  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjÏ  ubhŒ (3). ”…””}”(hjÏ  h²hh³Nh´Nubj`  )”}”(hŒ``security_sctp_sk_clone()``”h]”hŒsecurity_sctp_sk_clone()”…””}”(hjû  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÏ  ubhŒD will set the new
sockets sid and peer sid to that contained in the ”…””}”(hjÏ  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc sid``”h]”hŒ	@asoc sid”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÏ  ubhŒ and
”…””}”(hjÏ  h²hh³Nh´Nubj`  )”}”(hŒ``@asoc peer sid``”h]”hŒ@asoc peer sid”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjÏ  ubhŒ respectively.”…””}”(hjÏ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Mhj¾  h²hubj  )”}”(hŒ‡@asoc - pointer to current sctp association structure.
@sk - pointer to current sock structure.
@newsk - pointer to new sock structure.”h]”hŒ‡@asoc - pointer to current sctp association structure.
@sk - pointer to current sock structure.
@newsk - pointer to new sock structure.”…””}”hj7  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Mhj¾  h²hubeh}”(h]”Œid4”ah ]”h"]”h$]”jà  ah&]”uh1hÈhjµ  h²hh³hÇh´Mj¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒ!security_sctp_assoc_established()”h]”hŒ!security_sctp_assoc_established()”…””}”(hjO  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjL  h²hh³hÇh´Mubj   )”}”(hŒbCalled when a COOKIE ACK is received where it sets the connection's peer sid
to that in ``@skb``::”h]”(hŒZCalled when a COOKIE ACK is received where it sets the connectionâ€™s peer sid
to that in ”…””}”(hj]  h²hh³Nh´Nubj`  )”}”(hŒ``@skb``”h]”hŒ@skb”…””}”(hje  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj]  ubhŒ:”…””}”(hj]  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MhjL  h²hubj  )”}”(hŒa@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of the COOKIE ACK packet.”h]”hŒa@asoc - pointer to sctp association structure.
@skb - pointer to skbuff of the COOKIE ACK packet.”…””}”hj}  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´MhjL  h²hubeh}”(h]”Œid5”ah ]”h"]”h$]”j'  ah&]”uh1hÈhjµ  h²hh³hÇh´Mj¡  Kubeh}”(h]”Œid1”ah ]”h"]”h$]”j/  ah&]”uh1hÈhj¤  h²hh³hÇh´K¿j¡  KubhÉ)”}”(hhh]”(hÎ)”}”(hŒPolicy Statements”h]”hŒPolicy Statements”…””}”(hjœ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhj™  h²hh³hÇh´Mubj   )”}”(hŒUThe following class and permissions to support SCTP are available within the
kernel::”h]”hŒTThe following class and permissions to support SCTP are available within the
kernel:”…””}”(hjª  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´Mhj™  h²hubj  )”}”(hŒ/class sctp_socket inherits socket { node_bind }”h]”hŒ/class sctp_socket inherits socket { node_bind }”…””}”hj¸  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´Mhj™  h²hubj   )”}”(hŒ5whenever the following policy capability is enabled::”h]”hŒ4whenever the following policy capability is enabled:”…””}”(hjÆ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´M hj™  h²hubj  )”}”(hŒ policycap extended_socket_class;”h]”hŒ policycap extended_socket_class;”…””}”hjÔ  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´M"hj™  h²hubj   )”}”(hŒ«SELinux SCTP support adds the ``name_connect`` permission for connecting
to a specific port type and the ``association`` permission that is explained
in the section below.”h]”(hŒSELinux SCTP support adds the ”…””}”(hjâ  h²hh³Nh´Nubj`  )”}”(hŒ``name_connect``”h]”hŒname_connect”…””}”(hjê  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjâ  ubhŒ; permission for connecting
to a specific port type and the ”…””}”(hjâ  h²hh³Nh´Nubj`  )”}”(hŒ``association``”h]”hŒassociation”…””}”(hjü  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjâ  ubhŒ3 permission that is explained
in the section below.”…””}”(hjâ  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´M$hj™  h²hubj   )”}”(hŒuIf userspace tools have been updated, SCTP will support the ``portcon``
statement as shown in the following example::”h]”(hŒ<If userspace tools have been updated, SCTP will support the ”…””}”(hj  h²hh³Nh´Nubj`  )”}”(hŒ``portcon``”h]”hŒportcon”…””}”(hj  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ-
statement as shown in the following example:”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´M(hj™  h²hubj  )”}”(hŒ8portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0”h]”hŒ8portcon sctp 1024-1036 system_u:object_r:sctp_ports_t:s0”…””}”hj4  sbah}”(h]”h ]”h"]”h$]”h&]”hÅhÆuh1j  h³hÇh´M+hj™  h²hubeh}”(h]”Œpolicy-statements”ah ]”h"]”Œpolicy statements”ah$]”h&]”uh1hÈhj¤  h²hh³hÇh´MubhÉ)”}”(hhh]”(hÎ)”}”(hŒSCTP Peer Labeling”h]”hŒSCTP Peer Labeling”…””}”(hjM  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÍhjJ  h²hh³hÇh´M/ubj   )”}”(hXÞ  An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the sockets peer label, and only if they are different will the
``association`` permission be validated. This is validated by checking the
socket peer sid against the received packets peer sid to determine whether
the association should be allowed or denied.”h]”(hX  An SCTP socket will only have one peer label assigned to it. This will be
assigned during the establishment of the first association. Any further
associations on this socket will have their packet peer label compared to
the sockets peer label, and only if they are different will the
”…””}”(hj[  h²hh³Nh´Nubj`  )”}”(hŒ``association``”h]”hŒassociation”…””}”(hjc  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj[  ubhŒ³ permission be validated. This is validated by checking the
socket peer sid against the received packets peer sid to determine whether
the association should be allowed or denied.”…””}”(hj[  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´M0hjJ  h²hubjH  )”}”(hhh]”jM  )”}”(hX  NOTES:
1) If peer labeling is not enabled, then the peer context will always be
   ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).

2) As SCTP can support more than one transport address per endpoint
   (multi-homing) on a single socket, it is possible to configure policy
   and NetLabel to provide different peer labels for each of these. As the
   socket peer label is determined by the first associations transport
   address, it is recommended that all peer labels are consistent.

3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
   context.

4) While not SCTP specific, be aware when using NetLabel that if a label
   is assigned to a specific interface, and that interface 'goes down',
   then the NetLabel service will remove the entry. Therefore ensure that
   the network startup scripts call **netlabelctl**\(8) to set the required
   label (see **netlabel-config**\(8) helper script for details).

5) The NetLabel SCTP peer labeling rules apply as discussed in the following
   set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
   CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

   Note the following when testing CIPSO/CALIPSO:
      a) CIPSO will send an ICMP packet if an SCTP packet cannot be
         delivered because of an invalid label.
      b) CALIPSO does not send an ICMP packet, just silently discards it.

7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
   implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
   although the kernel supports SCTP/IPSEC.”h]”(jS  )”}”(hŒNOTES:”h]”hŒNOTES:”…””}”(hj‚  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jR  h³hÇh´MWhj~  ubjc  )”}”(hhh]”hŒenumerated_list”“”)”}”(hhh]”(hŒ	list_item”“”)”}”(hŒ†If peer labeling is not enabled, then the peer context will always be
``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).
”h]”j   )”}”(hŒ…If peer labeling is not enabled, then the peer context will always be
``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).”h]”(hŒFIf peer labeling is not enabled, then the peer context will always be
”…””}”(hjž  h²hh³Nh´Nubj`  )”}”(hŒ``SECINITSID_UNLABELED``”h]”hŒSECINITSID_UNLABELED”…””}”(hj¦  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjž  ubhŒ (”…””}”(hjž  h²hh³Nh´Nubj`  )”}”(hŒ``unlabeled_t``”h]”hŒunlabeled_t”…””}”(hj¸  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hjž  ubhŒ in Reference Policy).”…””}”(hjž  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´M9hjš  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubj™  )”}”(hXS  As SCTP can support more than one transport address per endpoint
(multi-homing) on a single socket, it is possible to configure policy
and NetLabel to provide different peer labels for each of these. As the
socket peer label is determined by the first associations transport
address, it is recommended that all peer labels are consistent.
”h]”j   )”}”(hXR  As SCTP can support more than one transport address per endpoint
(multi-homing) on a single socket, it is possible to configure policy
and NetLabel to provide different peer labels for each of these. As the
socket peer label is determined by the first associations transport
address, it is recommended that all peer labels are consistent.”h]”hXR  As SCTP can support more than one transport address per endpoint
(multi-homing) on a single socket, it is possible to configure policy
and NetLabel to provide different peer labels for each of these. As the
socket peer label is determined by the first associations transport
address, it is recommended that all peer labels are consistent.”…””}”(hjÚ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´M<hjÖ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubj™  )”}”(hŒR**getpeercon**\(3) may be used by userspace to retrieve the sockets peer
context.
”h]”j   )”}”(hŒQ**getpeercon**\(3) may be used by userspace to retrieve the sockets peer
context.”h]”(j  )”}”(hŒ**getpeercon**”h]”hŒ
getpeercon”…””}”(hjö  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hjò  ubhŒC (3) may be used by userspace to retrieve the sockets peer
context.”…””}”(hjò  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MBhjî  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubj™  )”}”(hXZ  While not SCTP specific, be aware when using NetLabel that if a label
is assigned to a specific interface, and that interface 'goes down',
then the NetLabel service will remove the entry. Therefore ensure that
the network startup scripts call **netlabelctl**\(8) to set the required
label (see **netlabel-config**\(8) helper script for details).
”h]”j   )”}”(hXY  While not SCTP specific, be aware when using NetLabel that if a label
is assigned to a specific interface, and that interface 'goes down',
then the NetLabel service will remove the entry. Therefore ensure that
the network startup scripts call **netlabelctl**\(8) to set the required
label (see **netlabel-config**\(8) helper script for details).”h]”(hŒ÷While not SCTP specific, be aware when using NetLabel that if a label
is assigned to a specific interface, and that interface â€˜goes downâ€™,
then the NetLabel service will remove the entry. Therefore ensure that
the network startup scripts call ”…””}”(hj  h²hh³Nh´Nubj  )”}”(hŒ**netlabelctl**”h]”hŒnetlabelctl”…””}”(hj   h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ$ (8) to set the required
label (see ”…””}”(hj  h²hh³Nh´Nubj  )”}”(hŒ**netlabel-config**”h]”hŒnetlabel-config”…””}”(hj2  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj  ubhŒ  (8) helper script for details).”…””}”(hj  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MEhj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubj™  )”}”(hŒThe NetLabel SCTP peer labeling rules apply as discussed in the following
set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.
”h]”j   )”}”(hŒThe NetLabel SCTP peer labeling rules apply as discussed in the following
set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.”h]”(hŒqThe NetLabel SCTP peer labeling rules apply as discussed in the following
set of posts tagged â€œnetlabelâ€ at: ”…””}”(hjT  h²hh³Nh´Nubj(  )”}”(hŒ!https://www.paul-moore.com/blog/t”h]”hŒ!https://www.paul-moore.com/blog/t”…””}”(hj\  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œrefuri”j^  uh1j'  hjT  ubhŒ.”…””}”(hjT  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MKhjP  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubj™  )”}”(hXt  CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

Note the following when testing CIPSO/CALIPSO:
   a) CIPSO will send an ICMP packet if an SCTP packet cannot be
      delivered because of an invalid label.
   b) CALIPSO does not send an ICMP packet, just silently discards it.
”h]”(j   )”}”(hŒŽCIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``”h]”(hŒ-CIPSO is only supported for IPv4 addressing: ”…””}”(hj  h²hh³Nh´Nubj`  )”}”(hŒ``socket(AF_INET, ...)``”h]”hŒsocket(AF_INET, ...)”…””}”(hj‡  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubhŒ0
CALIPSO is only supported for IPv6 addressing: ”…””}”(hj  h²hh³Nh´Nubj`  )”}”(hŒ``socket(AF_INET6, ...)``”h]”hŒsocket(AF_INET6, ...)”…””}”(hj™  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j_  hj  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MNhj{  ubjH  )”}”(hhh]”jM  )”}”(hŒÛNote the following when testing CIPSO/CALIPSO:
a) CIPSO will send an ICMP packet if an SCTP packet cannot be
   delivered because of an invalid label.
b) CALIPSO does not send an ICMP packet, just silently discards it.
”h]”(jS  )”}”(hŒ.Note the following when testing CIPSO/CALIPSO:”h]”hŒ.Note the following when testing CIPSO/CALIPSO:”…””}”(hj´  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1jR  h³hÇh´MThj°  ubjc  )”}”(hhh]”j”  )”}”(hhh]”(j™  )”}”(hŒaCIPSO will send an ICMP packet if an SCTP packet cannot be
delivered because of an invalid label.”h]”j   )”}”(hŒaCIPSO will send an ICMP packet if an SCTP packet cannot be
delivered because of an invalid label.”h]”hŒaCIPSO will send an ICMP packet if an SCTP packet cannot be
delivered because of an invalid label.”…””}”(hjÌ  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MRhjÈ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hjÅ  ubj™  )”}”(hŒACALIPSO does not send an ICMP packet, just silently discards it.
”h]”j   )”}”(hŒ@CALIPSO does not send an ICMP packet, just silently discards it.”h]”hŒ@CALIPSO does not send an ICMP packet, just silently discards it.”…””}”(hjä  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MThjà  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hjÅ  ubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œ
loweralpha”Œprefix”hŒsuffix”Œ)”uh1j“  hjÂ  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jb  hj°  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jL  h³hÇh´MThj­  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jG  hj{  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubj™  )”}”(hŒ¯IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
although the kernel supports SCTP/IPSEC.”h]”j   )”}”(hŒ¯IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
although the kernel supports SCTP/IPSEC.”h]”(hŒ_IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
implemented in userspace (”…””}”(hj	  h²hh³Nh´Nubj  )”}”(hŒ
**racoon**”h]”hŒracoon”…””}”(hj'	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	  ubhŒ (8) or ”…””}”(hj	  h²hh³Nh´Nubj  )”}”(hŒ**ipsec_pluto**”h]”hŒipsec_pluto”…””}”(hj9	  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j  hj	  ubhŒ/ (8)),
although the kernel supports SCTP/IPSEC.”…””}”(hj	  h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hÿh³hÇh´MVhj	  ubah}”(h]”h ]”h"]”h$]”h&]”uh1j˜  hj•  ubeh}”(h]”h ]”h"]”h$]”h&]”jþ  Œarabic”j 	  hj	  j	  uh1j“  hj  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jb  hj~  ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jL  h³hÇh´MWhj{  ubah}”(h]”h ]”h"]”h$]”h&]”uh1jG  hjJ  h²hh³Nh´Nubeh}”(h]”Œsctp-peer-labeling”ah ]”h"]”Œsctp peer labeling”ah$]”h&]”uh1hÈhj¤  h²hh³hÇh´M/ubeh}”(h]”j:  ah ]”h"]”Œsctp selinux support”ah$]”h&]”uh1hÈhhÊh²hh³hÇh´K¼j¡  Kubeh}”(h]”Œsctp”ah ]”h"]”Œsctp”ah$]”h&]”uh1hÈhhh²hh³hÇh´Kubeh}”(h]”h ]”h"]”h$]”h&]”Œsource”hÇuh1hŒcurrent_source”NŒcurrent_line”NŒsettings”Œdocutils.frontend”ŒValues”“”)”}”(hÍNŒ	generator”NŒ	datestamp”NŒsource_link”NŒ
source_url”NŒtoc_backlinks”Œentry”Œfootnote_backlinks”KŒsectnum_xform”KŒstrip_comments”NŒstrip_elements_with_classes”NŒstrip_classes”NŒreport_level”KŒ
halt_level”KŒexit_status_level”KŒdebug”NŒwarning_stream”NŒ	traceback”ˆŒinput_encoding”Œ	utf-8-sig”Œinput_encoding_error_handler”Œstrict”Œoutput_encoding”Œutf-8”Œoutput_encoding_error_handler”jª	  Œerror_encoding”Œutf-8”Œerror_encoding_error_handler”Œbackslashreplace”Œlanguage_code”Œen”Œrecord_dependencies”NŒconfig”NŒ	id_prefix”hŒauto_id_prefix”Œid”Œdump_settings”NŒdump_internals”NŒdump_transforms”NŒdump_pseudo_xml”NŒexpose_internals”NŒstrict_visitor”NŒ_disable_config”NŒ_source”hÇŒ_destination”NŒ_config_files”]”Œ7/var/lib/git/docbuild/linux/Documentation/docutils.conf”aŒfile_insertion_enabled”ˆŒraw_enabled”KŒline_length_limit”M'Œpep_references”NŒpep_base_url”Œhttps://peps.python.org/”Œpep_file_url_template”Œpep-%04d”Œrfc_references”NŒrfc_base_url”Œ&https://datatracker.ietf.org/doc/html/”Œ	tab_width”KŒtrim_footnote_reference_space”‰Œsyntax_highlight”Œlong”Œsmart_quotes”ˆŒsmartquotes_locales”]”Œcharacter_level_inline_markup”‰Œdoctitle_xform”‰Œdocinfo_xform”KŒsectsubtitle_xform”‰Œimage_loading”Œlink”Œembed_stylesheet”‰Œcloak_email_addresses”ˆŒsection_self_link”‰Œenv”NubŒreporter”NŒindirect_targets”]”Œsubstitution_defs”}”Œsubstitution_names”}”Œrefnames”}”(Œsctp selinux support”]”j)  aŒsctp lsm support”]”(jÎ  j‹  euŒrefids”}”Œnameids”}”(j„	  j	  j¡  jž  Œsecurity hooks”NŒsecurity_sctp_assoc_request()”NŒsecurity_sctp_bind_connect()”NŒsecurity_sctp_sk_clone()”NŒ!security_sctp_assoc_established()”Nj™  j–  j|	  j:  jG  jD  ju	  jr	  uŒ	nametypes”}”(j„	  ‰j¡  ‰jò	  ‰jó	  ‰jô	  ‰jõ	  ‰jö	  ‰j™  ‰j|	  ‰jG  ‰ju	  ‰uh}”(j	  hÊjž  hÝj+  hîj›  jF  jƒ  j¢  jÜ  j‰  j#  jâ  j–  j1  j:  j¤  j”  jµ  jC  jö  j¹  jH  jG  j¾  j  jL  jD  j™  jr	  jJ  uŒfootnote_refs”}”Œcitation_refs”}”Œautofootnotes”]”Œautofootnote_refs”]”Œsymbol_footnotes”]”Œsymbol_footnote_refs”]”Œ	footnotes”]”Œ	citations”]”Œautofootnote_start”KŒsymbol_footnote_start”K Œ
id_counter”Œcollections”ŒCounter”“”}”j¸	  Ks…”R”Œparse_messages”]”(hŒsystem_message”“”)”}”(hhh]”j   )”}”(hŒ1Duplicate implicit target name: "security hooks".”h]”hŒ5Duplicate implicit target name: â€œsecurity hooksâ€.”…””}”(hj
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿhj
  ubah}”(h]”h ]”h"]”h$]”h&]”j”  aŒlevel”KŒtype”ŒINFO”Œsource”hÇŒline”K¿uh1j
  hjµ  h²hh³hÇh´K¿ubj
  )”}”(hhh]”j   )”}”(hŒ@Duplicate implicit target name: "security_sctp_assoc_request()".”h]”hŒDDuplicate implicit target name: â€œsecurity_sctp_assoc_request()â€.”…””}”(hj6
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿhj3
  ubah}”(h]”h ]”h"]”h$]”h&]”jC  aŒlevel”KŒtype”j0
  Œsource”hÇŒline”KËuh1j
  hjö  h²hh³hÇh´KËubj
  )”}”(hhh]”j   )”}”(hŒ?Duplicate implicit target name: "security_sctp_bind_connect()".”h]”hŒCDuplicate implicit target name: â€œsecurity_sctp_bind_connect()â€.”…””}”(hjQ
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿhjN
  ubah}”(h]”h ]”h"]”h$]”h&]”j¹  aŒlevel”KŒtype”j0
  Œsource”hÇŒline”Kåuh1j
  hjH  h²hh³hÇh´Kåubj
  )”}”(hhh]”j   )”}”(hŒ;Duplicate implicit target name: "security_sctp_sk_clone()".”h]”hŒ?Duplicate implicit target name: â€œsecurity_sctp_sk_clone()â€.”…””}”(hjl
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿhji
  ubah}”(h]”h ]”h"]”h$]”h&]”jG  aŒlevel”KŒtype”j0
  Œsource”hÇŒline”Muh1j
  hj¾  h²hh³hÇh´Mubj
  )”}”(hhh]”j   )”}”(hŒDDuplicate implicit target name: "security_sctp_assoc_established()".”h]”hŒHDuplicate implicit target name: â€œsecurity_sctp_assoc_established()â€.”…””}”(hj‡
  h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hÿhj„
  ubah}”(h]”h ]”h"]”h$]”h&]”j  aŒlevel”KŒtype”j0
  Œsource”hÇŒline”Muh1j
  hjL  h²hh³hÇh´MubeŒtransform_messages”]”Œtransformer”NŒinclude_log”]”Œ
decoration”Nh²hub.