.. SPDX-License-Identifier: GPL-2.0

====
SCTP
====

SCTP LSM Support
================

Security Hooks
--------------

For security module support, the following SCTP specific hooks have been
implemented::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_sctp_assoc_established()

The usage of these hooks is described below, with the SELinux implementation
described in the `SCTP SELinux Support`_ chapter.


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.


security_sctp_bind_connect()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes one or more ipv4/ipv6 addresses to the security module for validation
based on the ``@optname`` that will result in either a bind or connect
service as shown in the permission check tables below.
Returns 0 on success, error on failure.
::

    @sk      - Pointer to sock structure.
    @optname - Name of the option to validate.
    @address - One or more ipv4 / ipv6 addresses.
    @addrlen - The total length of address(s). This is calculated on each
               ipv4 or ipv6 address using sizeof(struct sockaddr_in) or
               sizeof(struct sockaddr_in6).

     ------------------------------------------------------------------
    |                        BIND Type Checks                          |
    |       @optname             |         @address contains          |
    |----------------------------|-----------------------------------|
    | SCTP_SOCKOPT_BINDX_ADD     | One or more ipv4 / ipv6 addresses |
    | SCTP_PRIMARY_ADDR          | Single ipv4 or ipv6 address       |
    | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address       |
     ------------------------------------------------------------------

     ------------------------------------------------------------------
    |                      CONNECT Type Checks                         |
    |       @optname             |         @address contains          |
    |----------------------------|-----------------------------------|
    | SCTP_SOCKOPT_CONNECTX      | One or more ipv4 / ipv6 addresses |
    | SCTP_PARAM_ADD_IP          | One or more ipv4 / ipv6 addresses |
    | SCTP_SENDMSG_CONNECT       | Single ipv4 or ipv6 address       |
    | SCTP_PARAM_SET_PRIMARY     | Single ipv4 or ipv6 address       |
     ------------------------------------------------------------------

A summary of the ``@optname`` entries is as follows::

    SCTP_SOCKOPT_BINDX_ADD - Allows additional bind addresses to be
                             associated after (optionally) calling
                             bind(3).
                             sctp_bindx(3) adds a set of bind
                             addresses on a socket.

    SCTP_SOCKOPT_CONNECTX - Allows the allocation of multiple
                            addresses for reaching a peer
                            (multi-homed).
                            sctp_connectx(3) initiates a connection
                            on an SCTP socket using multiple
                            destination addresses.

    SCTP_SENDMSG_CONNECT  - Initiate a connection that is generated by
                            a sendmsg(2) or sctp_sendmsg(3) on a new
                            association.

    SCTP_PRIMARY_ADDR     - Set local primary address.

    SCTP_SET_PEER_PRIMARY_ADDR - Request peer sets address as
                                 association primary.

    SCTP_PARAM_ADD_IP          - These are used when Dynamic Address
    SCTP_PARAM_SET_PRIMARY     - Reconfiguration is enabled as explained
                                 below.

To support Dynamic Address Reconfiguration the following parameters must be
enabled on both endpoints (or use the appropriate **setsockopt**\(2))::

    /proc/sys/net/sctp/addip_enable
    /proc/sys/net/sctp/addip_noauth_enable

then the following *_PARAM_*'s are sent to the peer in an ASCONF chunk when
the corresponding ``@optname``'s are present::

          @optname                      ASCONF Parameter
         ----------                    ------------------
    SCTP_SOCKOPT_BINDX_ADD     ->   SCTP_PARAM_ADD_IP
    SCTP_SET_PEER_PRIMARY_ADDR ->   SCTP_PARAM_SET_PRIMARY


security_sctp_sk_clone()
~~~~~~~~~~~~~~~~~~~~~~~~
Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style
socket) or when a socket is 'peeled off', e.g. userspace calls
**sctp_peeloff**\(3).
::

    @asoc - pointer to current sctp association structure.
    @sk - pointer to current sock structure.
    @newsk - pointer to new sock structure.


security_sctp_assoc_established()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Called when a COOKIE ACK is received, and the peer secid will be saved into
``@asoc->peer_secid`` for the client::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of the COOKIE ACK packet.


Security Hooks used for Association Establishment
-------------------------------------------------
The following diagram shows the use of ``security_sctp_bind_connect()``,
``security_sctp_assoc_request()``, ``security_sctp_assoc_established()`` when
establishing an association.
::

      SCTP endpoint "A"                                SCTP endpoint "Z"
      =================                                =================
    sctp_sf_do_prm_asoc()
 Association setup can be initiated
 by a connect(2), sctp_connectx(3),
 sendmsg(2) or sctp_sendmsg(3).
 These will result in a call to
 security_sctp_bind_connect() to
 initiate an association to
 SCTP peer endpoint "Z".
         INIT --------------------------------------------->
                                                   sctp_sf_do_5_1B_init()
                                                 Respond to an INIT chunk.
                                             SCTP peer endpoint "A" is asking
                                             for a temporary association.
                                             Call security_sctp_assoc_request()
                                             to set the peer label if first
                                             association.
                                             If not first association, check
                                             whether allowed, IF so send:
          <----------------------------------------------- INIT ACK
          |                                  ELSE audit event and silently
          |                                       discard the packet.
          |
    COOKIE ECHO ------------------------------------------>
                                                  sctp_sf_do_5_1D_ce()
                                              Respond to a COOKIE ECHO chunk.
                                              Confirm the cookie and create a
                                              permanent association.
                                              Call security_sctp_assoc_request()
                                              to do the same as for INIT chunk
                                              Response.
          <------------------------------------------- COOKIE ACK
          |                                               |
    sctp_sf_do_5_1E_ca                                    |
 Call security_sctp_assoc_established()                   |
 to set the peer label.                                   |
          |                                               |
          |                               If SCTP_SOCKET_TCP or peeled off
          |                               socket security_sctp_sk_clone() is
          |                               called to clone the new socket.
          |                                               |
      ESTABLISHED                                    ESTABLISHED
          |                                               |
    ------------------------------------------------------------------
    |                     Association Established                    |
    ------------------------------------------------------------------


SCTP SELinux Support
====================

Security Hooks
--------------

The `SCTP LSM Support`_ chapter above describes the following SCTP security
hooks with the SELinux specifics expanded below::

    security_sctp_assoc_request()
    security_sctp_bind_connect()
    security_sctp_sk_clone()
    security_sctp_assoc_established()


security_sctp_assoc_request()
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Passes the ``@asoc`` and ``@chunk->skb`` of the association INIT packet to the
security module. Returns 0 on success, error on failure.
::

    @asoc - pointer to sctp association structure.
    @skb - pointer to skbuff of association packet.

The security module performs the following operations:
     IF this is the first association on ``@asoc->base.sk``, then set the peer
     sid to that in ``@skb``. This will ensure there is only one peer sid
     assigned to ``@asoc->base.sk`` that may support multiple associations.

     ELSE validate the ``@asoc->base.sk peer_sid`` against the ``@skb peer sid``
     to determine whether the association should be allowed or denied.

     Set the sctp ``@asoc sid`` to the socket's sid (from ``asoc->base.sk``)
     with the MLS portion taken from ``@skb peer sid``. This will be used by
     SCTP TCP style sockets and peeled off connections as they cause a new
     socket to be generated.

     If IP security options are configured (CIPSO/CALIPSO), then the ip
     options are set on the socket.
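The following is a user-space model of the ``security_sctp_assoc_request()`` and ``security_sctp_sk_clone()`` decisions described above, added here as an illustration; it is not kernel or SELinux code. The sid layout (type plus MLS part), the allow table standing in for the AVC lookup of the ``sctp_socket`` ``association`` permission, and the use of an unlabeled peer sid as the "no association yet" marker are all assumptions of the model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Stands in for SECINITSID_UNLABELED; the model treats an unlabeled socket
 * peer sid as "no association has been established on this socket yet". */
#define UNLABELED_SID 0u

/* A sid is split into a type part and an MLS part so the documented
 * "socket sid with MLS portion taken from the peer sid" step is visible. */
struct sid { unsigned type; unsigned mls; };

/* Per-socket security state: the socket's own sid and its single peer sid. */
struct sk_sec { struct sid sid; struct sid peer_sid; };

/* Per-association security state: @asoc sid (inherited by accept()/peeloff
 * sockets) and the peer sid the association was established with. */
struct asoc_sec { struct sid sid; struct sid peer_sid; };

/* Constructed stand-in for policy: (socket peer type, packet peer type)
 * pairs for which sctp_socket:association is allowed; anything else is
 * denied, as the AVC would report for a policy without a matching rule. */
struct assoc_rule { unsigned from; unsigned to; };
static const struct assoc_rule allowed_assoc[] = {
    { 10, 11 },   /* hypothetical: peer type 10 may also associate with 11 */
};

static bool sid_eq(struct sid a, struct sid b)
{
    return a.type == b.type && a.mls == b.mls;
}

/* Model of the AVC check on the "association" permission. */
static bool association_allowed(struct sid sk_peer, struct sid pkt_peer)
{
    size_t n = sizeof(allowed_assoc) / sizeof(allowed_assoc[0]);
    for (size_t i = 0; i < n; i++)
        if (allowed_assoc[i].from == sk_peer.type &&
            allowed_assoc[i].to == pkt_peer.type)
            return true;
    return false;
}

/* Model of security_sctp_assoc_request(): pkt_peer is the peer sid derived
 * from the INIT (or COOKIE ECHO) skb. Returns 0, or -EACCES when denied. */
int model_sctp_assoc_request(struct sk_sec *sk, struct asoc_sec *asoc,
                             struct sid pkt_peer)
{
    if (sk->peer_sid.type == UNLABELED_SID) {
        /* First association on the socket: it fixes the socket's peer sid. */
        sk->peer_sid = pkt_peer;
    } else if (!sid_eq(sk->peer_sid, pkt_peer)) {
        /* A later association carrying a different peer label: validate the
         * socket peer sid against the packet peer sid. */
        if (!association_allowed(sk->peer_sid, pkt_peer))
            return -EACCES;
    }
    /* asoc sid = socket sid, with the MLS portion taken from the packet. */
    asoc->sid.type = sk->sid.type;
    asoc->sid.mls = pkt_peer.mls;
    asoc->peer_sid = pkt_peer;
    return 0;
}

/* Model of security_sctp_sk_clone(): the socket produced by accept(2) or
 * sctp_peeloff(3) takes its sid and peer sid from the association. */
void model_sctp_sk_clone(const struct asoc_sec *asoc, struct sk_sec *newsk)
{
    newsk->sid = asoc->sid;
    newsk->peer_sid = asoc->peer_sid;
}

/* Multi-homed scenario: three peers with different labels reach one
 * listening socket. Returns 0 when the model behaves as documented, or the
 * number of the first check that failed. */
int model_multihome_scenario(void)
{
    struct sk_sec sk = { { 1, 0 }, { UNLABELED_SID, 0 } };
    struct asoc_sec a1, a2, a3;
    struct sk_sec newsk;
    struct sid peer_a = { 10, 3 }, peer_b = { 11, 5 }, peer_c = { 12, 7 };

    if (model_sctp_assoc_request(&sk, &a1, peer_a) != 0) return 1;
    if (sk.peer_sid.type != 10 || a1.sid.mls != 3) return 2; /* first wins */
    if (model_sctp_assoc_request(&sk, &a2, peer_b) != 0) return 3; /* rule */
    if (sk.peer_sid.type != 10) return 4;  /* socket peer sid is unchanged */
    if (model_sctp_assoc_request(&sk, &a3, peer_c) != -EACCES) return 5;
    model_sctp_sk_clone(&a2, &newsk);
    if (newsk.sid.type != 1 || newsk.sid.mls != 5 || newsk.peer_sid.type != 11)
        return 6;
    return 0;
}
```

The scenario is the reason the notes below recommend consistent peer labels on multi-homed sockets: only the first association sets the socket peer sid, and every later one with a different label depends on an explicit ``association`` allow rule.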
Checks | | @optname | @address contains | |----------------------------|-----------------------------------| | SCTP_SOCKOPT_BINDX_ADD | One or more ipv4 / ipv6 addresses | | SCTP_PRIMARY_ADDR | Single ipv4 or ipv6 address | | SCTP_SET_PEER_PRIMARY_ADDR | Single ipv4 or ipv6 address | ------------------------------------------------------------------ ------------------------------------------------------------------ | CONNECT Permission Checks | | @optname | @address contains | |----------------------------|-----------------------------------| | SCTP_SOCKOPT_CONNECTX | One or more ipv4 / ipv6 addresses | | SCTP_PARAM_ADD_IP | One or more ipv4 / ipv6 addresses | | SCTP_SENDMSG_CONNECT | Single ipv4 or ipv6 address | | SCTP_PARAM_SET_PRIMARY | Single ipv4 or ipv6 address | ------------------------------------------------------------------}hjesbah}(h]h ]h"]h$]h&]hhuh1hhhhKhj4hhubh)}(h`SCTP LSM Support`_ gives a summary of the ``@optname`` entries and also describes ASCONF chunk processing when Dynamic Address Reconfiguration is enabled.h](j)}(h`SCTP LSM Support`_h]hSCTP LSM Support}(hjwhhhNhNubah}(h]h ]h"]h$]h&]nameSCTP LSM Supportj%juh1jhjsj'Kubh gives a summary of the }(hjshhhNhNubjL)}(h ``@optname``h]h@optname}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjsubhd entries and also describes ASCONF chunk processing when Dynamic Address Reconfiguration is enabled.}(hjshhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhKhj4hhubeh}(h]id3ah ]h"]h$]jsah&]uh1hhjhhhhhKjKubh)}(hhh](h)}(hsecurity_sctp_sk_clone()h]hsecurity_sctp_sk_clone()}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubh)}(hX4Called whenever a new socket is created by **accept**\(2) (i.e. a TCP style socket) or when a socket is 'peeled off' e.g userspace calls **sctp_peeloff**\(3). ``security_sctp_sk_clone()`` will set the new sockets sid and peer sid to that contained in the ``@asoc sid`` and ``@asoc peer sid`` respectively. 
::h](h+Called whenever a new socket is created by }(hjhhhNhNubj)}(h **accept**h]haccept}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubhX(2) (i.e. a TCP style socket) or when a socket is ‘peeled off’ e.g userspace calls }(hjhhhNhNubj)}(h**sctp_peeloff**h]h sctp_peeloff}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jhjubh(3). }(hjhhhNhNubjL)}(h``security_sctp_sk_clone()``h]hsecurity_sctp_sk_clone()}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubhD will set the new sockets sid and peer sid to that contained in the }(hjhhhNhNubjL)}(h ``@asoc sid``h]h @asoc sid}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubh and }(hjhhhNhNubjL)}(h``@asoc peer sid``h]h@asoc peer sid}(hj hhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubh respectively.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhjhhubh)}(h@asoc - pointer to current sctp association structure. @sk - pointer to current sock structure. @newsk - pointer to new sock structure.h]h@asoc - pointer to current sctp association structure. @sk - pointer to current sock structure. @newsk - pointer to new sock structure.}hj#sbah}(h]h ]h"]h$]h&]hhuh1hhhhM hjhhubeh}(h]id4ah ]h"]h$]jah&]uh1hhjhhhhhMjKubh)}(hhh](h)}(h!security_sctp_assoc_established()h]h!security_sctp_assoc_established()}(hj;hhhNhNubah}(h]h ]h"]h$]h&]uh1hhj8hhhhhMubh)}(hbCalled when a COOKIE ACK is received where it sets the connection's peer sid to that in ``@skb``::h](hZCalled when a COOKIE ACK is received where it sets the connection’s peer sid to that in }(hjIhhhNhNubjL)}(h``@skb``h]h@skb}(hjQhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjIubh:}(hjIhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhMhj8hhubh)}(ha@asoc - pointer to sctp association structure. @skb - pointer to skbuff of the COOKIE ACK packet.h]ha@asoc - pointer to sctp association structure. 
@skb - pointer to skbuff of the COOKIE ACK packet.}hjisbah}(h]h ]h"]h$]h&]hhuh1hhhhMhj8hhubeh}(h]id5ah ]h"]h$]jah&]uh1hhjhhhhhMjKubeh}(h]id1ah ]h"]h$]jah&]uh1hhjhhhhhKjKubh)}(hhh](h)}(hPolicy Statementsh]hPolicy Statements}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhjhhhhhMubh)}(hUThe following class and permissions to support SCTP are available within the kernel::h]hTThe following class and permissions to support SCTP are available within the kernel:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhMhjhhubh)}(h/class sctp_socket inherits socket { node_bind }h]h/class sctp_socket inherits socket { node_bind }}hjsbah}(h]h ]h"]h$]h&]hhuh1hhhhMhjhhubh)}(h5whenever the following policy capability is enabled::h]h4whenever the following policy capability is enabled:}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM hjhhubh)}(h policycap extended_socket_class;h]h policycap extended_socket_class;}hjsbah}(h]h ]h"]h$]h&]hhuh1hhhhM"hjhhubh)}(hSELinux SCTP support adds the ``name_connect`` permission for connecting to a specific port type and the ``association`` permission that is explained in the section below.h](hSELinux SCTP support adds the }(hjhhhNhNubjL)}(h``name_connect``h]h name_connect}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubh; permission for connecting to a specific port type and the }(hjhhhNhNubjL)}(h``association``h]h association}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubh3 permission that is explained in the section below.}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM$hjhhubh)}(huIf userspace tools have been updated, SCTP will support the ``portcon`` statement as shown in the following example::h](hhhhMWhjjubjO)}(hhh]henumerated_list)}(hhh](h list_item)}(hIf peer labeling is not enabled, then the peer context will always be ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy). 
h]h)}(hIf peer labeling is not enabled, then the peer context will always be ``SECINITSID_UNLABELED`` (``unlabeled_t`` in Reference Policy).h](hFIf peer labeling is not enabled, then the peer context will always be }(hjhhhNhNubjL)}(h``SECINITSID_UNLABELED``h]hSECINITSID_UNLABELED}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubh (}(hjhhhNhNubjL)}(h``unlabeled_t``h]h unlabeled_t}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1jKhjubh in Reference Policy).}(hjhhhNhNubeh}(h]h ]h"]h$]h&]uh1hhhhM9hjubah}(h]h ]h"]h$]h&]uh1jhjubj)}(hXSAs SCTP can support more than one transport address per endpoint (multi-homing) on a single socket, it is possible to configure policy and NetLabel to provide different peer labels for each of these. As the socket peer label is determined by the first associations transport address, it is recommended that all peer labels are consistent. h]h)}(hXRAs SCTP can support more than one transport address per endpoint (multi-homing) on a single socket, it is possible to configure policy and NetLabel to provide different peer labels for each of these. As the socket peer label is determined by the first associations transport address, it is recommended that all peer labels are consistent.h]hXRAs SCTP can support more than one transport address per endpoint (multi-homing) on a single socket, it is possible to configure policy and NetLabel to provide different peer labels for each of these. As the socket peer label is determined by the first associations transport address, it is recommended that all peer labels are consistent.}(hjhhhNhNubah}(h]h ]h"]h$]h&]uh1hhhhM<hjubah}(h]h ]h"]h$]h&]uh1jhjubj)}(hR**getpeercon**\(3) may be used by userspace to retrieve the sockets peer context. 
   3) **getpeercon**\(3) may be used by userspace to retrieve the sockets peer
      context.

   4) While not SCTP specific, be aware when using NetLabel that if a label
      is assigned to a specific interface, and that interface 'goes down',
      then the NetLabel service will remove the entry. Therefore ensure that
      the network startup scripts call **netlabelctl**\(8) to set the required
      label (see **netlabel-config**\(8) helper script for details).

   5) The NetLabel SCTP peer labeling rules apply as discussed in the following
      set of posts tagged "netlabel" at: https://www.paul-moore.com/blog/t.

   6) CIPSO is only supported for IPv4 addressing: ``socket(AF_INET, ...)``
      CALIPSO is only supported for IPv6 addressing: ``socket(AF_INET6, ...)``

      Note the following when testing CIPSO/CALIPSO:
         a) CIPSO will send an ICMP packet if an SCTP packet cannot be
            delivered because of an invalid label.
         b) CALIPSO does not send an ICMP packet, just silently discards it.

   7) IPSEC is not supported as RFC 3554 - sctp/ipsec support has not been
      implemented in userspace (**racoon**\(8) or **ipsec_pluto**\(8)),
      although the kernel supports SCTP/IPSEC.