* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-17 13:58 ` Richard Haines
0 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-17 13:58 UTC (permalink / raw)
To: linux-security-module
Add security hooks to allow security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
include/net/sctp/structs.h | 10 ++++++++
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +++++++++
net/sctp/sm_statefuns.c | 14 ++++++++++-
net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7767577..6e72e3e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1270,6 +1270,16 @@ struct sctp_endpoint {
reconf_enable:1;
__u8 strreset_enable;
+
+ /* Security identifiers from incoming (INIT). These are set by
+ * security_sctp_assoc_request(). These will only be used by
+ * SCTP TCP type sockets and peeled off connections as they
+ * cause a new socket to be generated. security_sctp_sk_clone()
+ * will then plug these into the new socket.
+ */
+
+ u32 secid;
+ u32 peer_secid;
};
/* Recover the outter endpoint structure. */
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index 6217ff8..c04812f 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
#define SCTP_RESET_ASSOC 120
#define SCTP_ADD_STREAMS 121
#define SCTP_SOCKOPT_PEELOFF_FLAGS 122
+#define SCTP_SENDMSG_CONNECT 123
/* PR-SCTP policies */
#define SCTP_PR_SCTP_NONE 0x0000
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 6110447..ca4705b 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
if (af->is_any(&addr))
memcpy(&addr, &asconf->source, sizeof(addr));
+ if (security_sctp_bind_connect(asoc->ep->base.sk,
+ SCTP_PARAM_ADD_IP,
+ (struct sockaddr *)&addr,
+ af->sockaddr_len))
+ return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
* request and does not have the local resources to add this
* new address to the association, it MUST return an Error
@@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
if (af->is_any(&addr))
memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
+ if (security_sctp_bind_connect(asoc->ep->base.sk,
+ SCTP_PARAM_SET_PRIMARY,
+ (struct sockaddr *)&addr,
+ af->sockaddr_len))
+ return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, &addr);
if (!peer)
return SCTP_ERROR_DNS_FAILED;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b2a74c3..4ba5805 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
sctp_unrecognized_param_t *unk_param;
int len;
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb, SCTP_CID_INIT))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
* An endpoint MUST NOT bundle INIT, INIT ACK or
* SHUTDOWN COMPLETE with any other chunks.
@@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
}
sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
-
sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
/*
@@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
struct sctp_chunk *err_chunk;
struct sctp_packet *packet;
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb, SCTP_CID_INIT_ACK))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
if (!sctp_vtag_verify(chunk, asoc))
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -899,6 +908,9 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
*/
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+ /* Set peer label for connection. */
+ security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
*
* E) Upon reception of the COOKIE ACK, endpoint "A" will move
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 70355a0..e948163 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1014,6 +1014,12 @@ static int sctp_setsockopt_bindx(struct sock *sk,
/* Do the work. */
switch (op) {
case SCTP_BINDX_ADD_ADDR:
+ /* Allow security module to validate bindx addresses. */
+ err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_BINDX_ADD,
+ (struct sockaddr *)kaddrs,
+ addrs_size);
+ if (err)
+ goto out;
err = sctp_bindx_add(sk, kaddrs, addrcnt);
if (err)
goto out;
@@ -1223,6 +1229,7 @@ static int __sctp_connect(struct sock *sk,
if (assoc_id)
*assoc_id = asoc->assoc_id;
+
err = sctp_wait_for_connect(asoc, &timeo);
/* Note: the asoc may be freed after the return of
* sctp_wait_for_connect.
@@ -1336,9 +1343,17 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
if (__copy_from_user(kaddrs, addrs, addrs_size)) {
err = -EFAULT;
} else {
+ /* Allow security module to validate connectx addresses. */
+ err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX,
+ (struct sockaddr *)kaddrs,
+ addrs_size);
+ if (err)
+ goto out_free;
+
err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id);
}
+out_free:
kfree(kaddrs);
return err;
@@ -1604,6 +1619,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
struct sctp_transport *transport, *chunk_tp;
struct sctp_chunk *chunk;
union sctp_addr to;
+ struct sctp_af *af;
struct sockaddr *msg_name = NULL;
struct sctp_sndrcvinfo default_sinfo;
struct sctp_sndrcvinfo *sinfo;
@@ -1833,6 +1849,24 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
}
scope = sctp_scope(&to);
+
+ /* Label connection socket for first association 1-to-many
+ * style for client sequence socket()->sendmsg(). This
+ * needs to be done before sctp_assoc_add_peer() as that will
+ * set up the initial packet that needs to account for any
+ * security ip options (CIPSO/CALIPSO) added to the packet.
+ */
+ af = sctp_get_af_specific(to.sa.sa_family);
+ if (!af) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
+ err = security_sctp_bind_connect(sk, SCTP_SENDMSG_CONNECT,
+ (struct sockaddr *)&to,
+ af->sockaddr_len);
+ if (err < 0)
+ goto out_unlock;
+
new_asoc = sctp_association_new(ep, sk, scope, GFP_KERNEL);
if (!new_asoc) {
err = -ENOMEM;
@@ -2865,6 +2899,8 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval,
{
struct sctp_prim prim;
struct sctp_transport *trans;
+ struct sctp_af *af;
+ int err;
if (optlen != sizeof(struct sctp_prim))
return -EINVAL;
@@ -2872,6 +2908,17 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval,
if (copy_from_user(&prim, optval, sizeof(struct sctp_prim)))
return -EFAULT;
+ /* Allow security module to validate address but need address len. */
+ af = sctp_get_af_specific(prim.ssp_addr.ss_family);
+ if (!af)
+ return -EINVAL;
+
+ err = security_sctp_bind_connect(sk, SCTP_PRIMARY_ADDR,
+ (struct sockaddr *)&prim.ssp_addr,
+ af->sockaddr_len);
+ if (err)
+ return err;
+
trans = sctp_addr_id2transport(sk, &prim.ssp_addr, prim.ssp_assoc_id);
if (!trans)
return -EINVAL;
@@ -3192,6 +3239,13 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva
if (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim.sspp_addr))
return -EADDRNOTAVAIL;
+ /* Allow security module to validate address. */
+ err = security_sctp_bind_connect(sk, SCTP_SET_PEER_PRIMARY_ADDR,
+ (struct sockaddr *)&prim.sspp_addr,
+ af->sockaddr_len);
+ if (err)
+ return err;
+
/* Create an ASCONF chunk with SET_PRIMARY parameter */
chunk = sctp_make_asconf_set_prim(asoc,
(union sctp_addr *)&prim.sspp_addr);
@@ -8024,6 +8078,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
{
struct inet_sock *inet = inet_sk(sk);
struct inet_sock *newinet;
+ struct sctp_sock *sp = sctp_sk(sk);
+ struct sctp_endpoint *ep = sp->ep;
newsk->sk_type = sk->sk_type;
newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
@@ -8066,7 +8122,10 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
net_enable_timestamp();
- security_sk_clone(sk, newsk);
+ /* Set newsk security attributes from orginal sk and connection
+ * security attribute from ep.
+ */
+ security_sctp_sk_clone(ep, sk, newsk);
}
static inline void sctp_copy_descendant(struct sock *sk_to,
--
2.13.6
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-17 13:58 ` Richard Haines
0 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-17 13:58 UTC (permalink / raw)
To: linux-security-module
Add security hooks to allow security modules to exercise access control
over SCTP.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
include/net/sctp/structs.h | 10 ++++++++
include/uapi/linux/sctp.h | 1 +
net/sctp/sm_make_chunk.c | 12 +++++++++
net/sctp/sm_statefuns.c | 14 ++++++++++-
net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
5 files changed, 96 insertions(+), 2 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 7767577..6e72e3e 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -1270,6 +1270,16 @@ struct sctp_endpoint {
reconf_enable:1;
__u8 strreset_enable;
+
+ /* Security identifiers from incoming (INIT). These are set by
+ * security_sctp_assoc_request(). These will only be used by
+ * SCTP TCP type sockets and peeled off connections as they
+ * cause a new socket to be generated. security_sctp_sk_clone()
+ * will then plug these into the new socket.
+ */
+
+ u32 secid;
+ u32 peer_secid;
};
/* Recover the outter endpoint structure. */
diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
index 6217ff8..c04812f 100644
--- a/include/uapi/linux/sctp.h
+++ b/include/uapi/linux/sctp.h
@@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
#define SCTP_RESET_ASSOC 120
#define SCTP_ADD_STREAMS 121
#define SCTP_SOCKOPT_PEELOFF_FLAGS 122
+#define SCTP_SENDMSG_CONNECT 123
/* PR-SCTP policies */
#define SCTP_PR_SCTP_NONE 0x0000
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index 6110447..ca4705b 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
if (af->is_any(&addr))
memcpy(&addr, &asconf->source, sizeof(addr));
+ if (security_sctp_bind_connect(asoc->ep->base.sk,
+ SCTP_PARAM_ADD_IP,
+ (struct sockaddr *)&addr,
+ af->sockaddr_len))
+ return SCTP_ERROR_REQ_REFUSED;
+
/* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
* request and does not have the local resources to add this
* new address to the association, it MUST return an Error
@@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
if (af->is_any(&addr))
memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
+ if (security_sctp_bind_connect(asoc->ep->base.sk,
+ SCTP_PARAM_SET_PRIMARY,
+ (struct sockaddr *)&addr,
+ af->sockaddr_len))
+ return SCTP_ERROR_REQ_REFUSED;
+
peer = sctp_assoc_lookup_paddr(asoc, &addr);
if (!peer)
return SCTP_ERROR_DNS_FAILED;
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index b2a74c3..4ba5805 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
sctp_unrecognized_param_t *unk_param;
int len;
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb, SCTP_CID_INIT))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
/* 6.10 Bundling
* An endpoint MUST NOT bundle INIT, INIT ACK or
* SHUTDOWN COMPLETE with any other chunks.
@@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
}
sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
-
sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
/*
@@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
struct sctp_chunk *err_chunk;
struct sctp_packet *packet;
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
+ chunk->skb, SCTP_CID_INIT_ACK))
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+
if (!sctp_vtag_verify(chunk, asoc))
return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
@@ -899,6 +908,9 @@ sctp_disposition_t sctp_sf_do_5_1E_ca(struct net *net,
*/
sctp_add_cmd_sf(commands, SCTP_CMD_INIT_COUNTER_RESET, SCTP_NULL());
+ /* Set peer label for connection. */
+ security_inet_conn_established(ep->base.sk, chunk->skb);
+
/* RFC 2960 5.1 Normal Establishment of an Association
*
* E) Upon reception of the COOKIE ACK, endpoint "A" will move
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 70355a0..e948163 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1014,6 +1014,12 @@ static int sctp_setsockopt_bindx(struct sock *sk,
/* Do the work. */
switch (op) {
case SCTP_BINDX_ADD_ADDR:
+ /* Allow security module to validate bindx addresses. */
+ err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_BINDX_ADD,
+ (struct sockaddr *)kaddrs,
+ addrs_size);
+ if (err)
+ goto out;
err = sctp_bindx_add(sk, kaddrs, addrcnt);
if (err)
goto out;
@@ -1223,6 +1229,7 @@ static int __sctp_connect(struct sock *sk,
if (assoc_id)
*assoc_id = asoc->assoc_id;
+
err = sctp_wait_for_connect(asoc, &timeo);
/* Note: the asoc may be freed after the return of
* sctp_wait_for_connect.
@@ -1336,9 +1343,17 @@ static int __sctp_setsockopt_connectx(struct sock *sk,
if (__copy_from_user(kaddrs, addrs, addrs_size)) {
err = -EFAULT;
} else {
+ /* Allow security module to validate connectx addresses. */
+ err = security_sctp_bind_connect(sk, SCTP_SOCKOPT_CONNECTX,
+ (struct sockaddr *)kaddrs,
+ addrs_size);
+ if (err)
+ goto out_free;
+
err = __sctp_connect(sk, kaddrs, addrs_size, assoc_id);
}
+out_free:
kfree(kaddrs);
return err;
@@ -1604,6 +1619,7 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
struct sctp_transport *transport, *chunk_tp;
struct sctp_chunk *chunk;
union sctp_addr to;
+ struct sctp_af *af;
struct sockaddr *msg_name = NULL;
struct sctp_sndrcvinfo default_sinfo;
struct sctp_sndrcvinfo *sinfo;
@@ -1833,6 +1849,24 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
}
scope = sctp_scope(&to);
+
+ /* Label connection socket for first association 1-to-many
+ * style for client sequence socket()->sendmsg(). This
+ * needs to be done before sctp_assoc_add_peer() as that will
+ * set up the initial packet that needs to account for any
+ * security ip options (CIPSO/CALIPSO) added to the packet.
+ */
+ af = sctp_get_af_specific(to.sa.sa_family);
+ if (!af) {
+ err = -EINVAL;
+ goto out_unlock;
+ }
+ err = security_sctp_bind_connect(sk, SCTP_SENDMSG_CONNECT,
+ (struct sockaddr *)&to,
+ af->sockaddr_len);
+ if (err < 0)
+ goto out_unlock;
+
new_asoc = sctp_association_new(ep, sk, scope, GFP_KERNEL);
if (!new_asoc) {
err = -ENOMEM;
@@ -2865,6 +2899,8 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval,
{
struct sctp_prim prim;
struct sctp_transport *trans;
+ struct sctp_af *af;
+ int err;
if (optlen != sizeof(struct sctp_prim))
return -EINVAL;
@@ -2872,6 +2908,17 @@ static int sctp_setsockopt_primary_addr(struct sock *sk, char __user *optval,
if (copy_from_user(&prim, optval, sizeof(struct sctp_prim)))
return -EFAULT;
+ /* Allow security module to validate address but need address len. */
+ af = sctp_get_af_specific(prim.ssp_addr.ss_family);
+ if (!af)
+ return -EINVAL;
+
+ err = security_sctp_bind_connect(sk, SCTP_PRIMARY_ADDR,
+ (struct sockaddr *)&prim.ssp_addr,
+ af->sockaddr_len);
+ if (err)
+ return err;
+
trans = sctp_addr_id2transport(sk, &prim.ssp_addr, prim.ssp_assoc_id);
if (!trans)
return -EINVAL;
@@ -3192,6 +3239,13 @@ static int sctp_setsockopt_peer_primary_addr(struct sock *sk, char __user *optva
if (!sctp_assoc_lookup_laddr(asoc, (union sctp_addr *)&prim.sspp_addr))
return -EADDRNOTAVAIL;
+ /* Allow security module to validate address. */
+ err = security_sctp_bind_connect(sk, SCTP_SET_PEER_PRIMARY_ADDR,
+ (struct sockaddr *)&prim.sspp_addr,
+ af->sockaddr_len);
+ if (err)
+ return err;
+
/* Create an ASCONF chunk with SET_PRIMARY parameter */
chunk = sctp_make_asconf_set_prim(asoc,
(union sctp_addr *)&prim.sspp_addr);
@@ -8024,6 +8078,8 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
{
struct inet_sock *inet = inet_sk(sk);
struct inet_sock *newinet;
+ struct sctp_sock *sp = sctp_sk(sk);
+ struct sctp_endpoint *ep = sp->ep;
newsk->sk_type = sk->sk_type;
newsk->sk_bound_dev_if = sk->sk_bound_dev_if;
@@ -8066,7 +8122,10 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
if (newsk->sk_flags & SK_FLAGS_TIMESTAMP)
net_enable_timestamp();
- security_sk_clone(sk, newsk);
+ /* Set newsk security attributes from orginal sk and connection
+ * security attribute from ep.
+ */
+ security_sctp_sk_clone(ep, sk, newsk);
}
static inline void sctp_copy_descendant(struct sock *sk_to,
--
2.13.6
^ permalink raw reply related [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
2017-10-17 13:58 ` Richard Haines
(?)
@ 2017-10-18 15:05 ` Xin Long
-1 siblings, 0 replies; 18+ messages in thread
From: Xin Long @ 2017-10-18 15:05 UTC (permalink / raw)
To: Richard Haines
Cc: selinux, network dev, linux-sctp, linux-security-module, paul,
Vlad Yasevich, Neil Horman, sds, eparis, Marcelo Ricardo Leitner
On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> Add security hooks to allow security modules to exercise access control
> over SCTP.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> include/net/sctp/structs.h | 10 ++++++++
> include/uapi/linux/sctp.h | 1 +
> net/sctp/sm_make_chunk.c | 12 +++++++++
> net/sctp/sm_statefuns.c | 14 ++++++++++-
> net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
> 5 files changed, 96 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> index 7767577..6e72e3e 100644
> --- a/include/net/sctp/structs.h
> +++ b/include/net/sctp/structs.h
> @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> reconf_enable:1;
>
> __u8 strreset_enable;
> +
> + /* Security identifiers from incoming (INIT). These are set by
> + * security_sctp_assoc_request(). These will only be used by
> + * SCTP TCP type sockets and peeled off connections as they
> + * cause a new socket to be generated. security_sctp_sk_clone()
> + * will then plug these into the new socket.
> + */
> +
> + u32 secid;
> + u32 peer_secid;
> };
>
> /* Recover the outter endpoint structure. */
> diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> index 6217ff8..c04812f 100644
> --- a/include/uapi/linux/sctp.h
> +++ b/include/uapi/linux/sctp.h
> @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> #define SCTP_RESET_ASSOC 120
> #define SCTP_ADD_STREAMS 121
> #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> +#define SCTP_SENDMSG_CONNECT 123
>
> /* PR-SCTP policies */
> #define SCTP_PR_SCTP_NONE 0x0000
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 6110447..ca4705b 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> if (af->is_any(&addr))
> memcpy(&addr, &asconf->source, sizeof(addr));
>
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> + SCTP_PARAM_ADD_IP,
> + (struct sockaddr *)&addr,
> + af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
> /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> * request and does not have the local resources to add this
> * new address to the association, it MUST return an Error
> @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> if (af->is_any(&addr))
> memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
>
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> + SCTP_PARAM_SET_PRIMARY,
> + (struct sockaddr *)&addr,
> + af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
> peer = sctp_assoc_lookup_paddr(asoc, &addr);
> if (!peer)
> return SCTP_ERROR_DNS_FAILED;
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index b2a74c3..4ba5805 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> sctp_unrecognized_param_t *unk_param;
> int len;
>
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb, SCTP_CID_INIT))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
> /* 6.10 Bundling
> * An endpoint MUST NOT bundle INIT, INIT ACK or
> * SHUTDOWN COMPLETE with any other chunks.
> @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> }
>
> sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> -
> sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
>
> /*
> @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> struct sctp_chunk *err_chunk;
> struct sctp_packet *packet;
>
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb, SCTP_CID_INIT_ACK))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
Just thinking security_sctp_assoc_request hook should also be in
sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
^ permalink raw reply [flat|nested] 18+ messages in thread
* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-18 15:05 ` Xin Long
0 siblings, 0 replies; 18+ messages in thread
From: Xin Long @ 2017-10-18 15:05 UTC (permalink / raw)
To: linux-security-module
On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> Add security hooks to allow security modules to exercise access control
> over SCTP.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> include/net/sctp/structs.h | 10 ++++++++
> include/uapi/linux/sctp.h | 1 +
> net/sctp/sm_make_chunk.c | 12 +++++++++
> net/sctp/sm_statefuns.c | 14 ++++++++++-
> net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
> 5 files changed, 96 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> index 7767577..6e72e3e 100644
> --- a/include/net/sctp/structs.h
> +++ b/include/net/sctp/structs.h
> @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> reconf_enable:1;
>
> __u8 strreset_enable;
> +
> + /* Security identifiers from incoming (INIT). These are set by
> + * security_sctp_assoc_request(). These will only be used by
> + * SCTP TCP type sockets and peeled off connections as they
> + * cause a new socket to be generated. security_sctp_sk_clone()
> + * will then plug these into the new socket.
> + */
> +
> + u32 secid;
> + u32 peer_secid;
> };
>
> /* Recover the outter endpoint structure. */
> diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> index 6217ff8..c04812f 100644
> --- a/include/uapi/linux/sctp.h
> +++ b/include/uapi/linux/sctp.h
> @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> #define SCTP_RESET_ASSOC 120
> #define SCTP_ADD_STREAMS 121
> #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> +#define SCTP_SENDMSG_CONNECT 123
>
> /* PR-SCTP policies */
> #define SCTP_PR_SCTP_NONE 0x0000
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 6110447..ca4705b 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> if (af->is_any(&addr))
> memcpy(&addr, &asconf->source, sizeof(addr));
>
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> + SCTP_PARAM_ADD_IP,
> + (struct sockaddr *)&addr,
> + af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
> /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> * request and does not have the local resources to add this
> * new address to the association, it MUST return an Error
> @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> if (af->is_any(&addr))
> memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
>
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> + SCTP_PARAM_SET_PRIMARY,
> + (struct sockaddr *)&addr,
> + af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
> peer = sctp_assoc_lookup_paddr(asoc, &addr);
> if (!peer)
> return SCTP_ERROR_DNS_FAILED;
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index b2a74c3..4ba5805 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> sctp_unrecognized_param_t *unk_param;
> int len;
>
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb, SCTP_CID_INIT))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
> /* 6.10 Bundling
> * An endpoint MUST NOT bundle INIT, INIT ACK or
> * SHUTDOWN COMPLETE with any other chunks.
> @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> }
>
> sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> -
> sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
>
> /*
> @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> struct sctp_chunk *err_chunk;
> struct sctp_packet *packet;
>
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb, SCTP_CID_INIT_ACK))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
Just thinking security_sctp_assoc_request hook should also be in
sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-18 15:05 ` Xin Long
0 siblings, 0 replies; 18+ messages in thread
From: Xin Long @ 2017-10-18 15:05 UTC (permalink / raw)
To: linux-security-module
On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> Add security hooks to allow security modules to exercise access control
> over SCTP.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> include/net/sctp/structs.h | 10 ++++++++
> include/uapi/linux/sctp.h | 1 +
> net/sctp/sm_make_chunk.c | 12 +++++++++
> net/sctp/sm_statefuns.c | 14 ++++++++++-
> net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
> 5 files changed, 96 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> index 7767577..6e72e3e 100644
> --- a/include/net/sctp/structs.h
> +++ b/include/net/sctp/structs.h
> @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> reconf_enable:1;
>
> __u8 strreset_enable;
> +
> + /* Security identifiers from incoming (INIT). These are set by
> + * security_sctp_assoc_request(). These will only be used by
> + * SCTP TCP type sockets and peeled off connections as they
> + * cause a new socket to be generated. security_sctp_sk_clone()
> + * will then plug these into the new socket.
> + */
> +
> + u32 secid;
> + u32 peer_secid;
> };
>
> /* Recover the outter endpoint structure. */
> diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> index 6217ff8..c04812f 100644
> --- a/include/uapi/linux/sctp.h
> +++ b/include/uapi/linux/sctp.h
> @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> #define SCTP_RESET_ASSOC 120
> #define SCTP_ADD_STREAMS 121
> #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> +#define SCTP_SENDMSG_CONNECT 123
>
> /* PR-SCTP policies */
> #define SCTP_PR_SCTP_NONE 0x0000
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index 6110447..ca4705b 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> if (af->is_any(&addr))
> memcpy(&addr, &asconf->source, sizeof(addr));
>
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> + SCTP_PARAM_ADD_IP,
> + (struct sockaddr *)&addr,
> + af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
> /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> * request and does not have the local resources to add this
> * new address to the association, it MUST return an Error
> @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> if (af->is_any(&addr))
> memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
>
> + if (security_sctp_bind_connect(asoc->ep->base.sk,
> + SCTP_PARAM_SET_PRIMARY,
> + (struct sockaddr *)&addr,
> + af->sockaddr_len))
> + return SCTP_ERROR_REQ_REFUSED;
> +
> peer = sctp_assoc_lookup_paddr(asoc, &addr);
> if (!peer)
> return SCTP_ERROR_DNS_FAILED;
> diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> index b2a74c3..4ba5805 100644
> --- a/net/sctp/sm_statefuns.c
> +++ b/net/sctp/sm_statefuns.c
> @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> sctp_unrecognized_param_t *unk_param;
> int len;
>
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb, SCTP_CID_INIT))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
> /* 6.10 Bundling
> * An endpoint MUST NOT bundle INIT, INIT ACK or
> * SHUTDOWN COMPLETE with any other chunks.
> @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> }
>
> sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> -
> sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
>
> /*
> @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> struct sctp_chunk *err_chunk;
> struct sctp_packet *packet;
>
> + /* Update socket peer label if first association. */
> + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> + chunk->skb, SCTP_CID_INIT_ACK))
> + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> +
Just thinking security_sctp_assoc_request hook should also be in
sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
2017-10-18 15:05 ` Xin Long
(?)
@ 2017-10-20 11:16 ` Neil Horman
-1 siblings, 0 replies; 18+ messages in thread
From: Neil Horman @ 2017-10-20 11:16 UTC (permalink / raw)
To: Xin Long
Cc: Richard Haines, selinux, network dev, linux-sctp,
linux-security-module, paul, Vlad Yasevich, sds, eparis,
Marcelo Ricardo Leitner
On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > Add security hooks to allow security modules to exercise access control
> > over SCTP.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> > include/net/sctp/structs.h | 10 ++++++++
> > include/uapi/linux/sctp.h | 1 +
> > net/sctp/sm_make_chunk.c | 12 +++++++++
> > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
> > 5 files changed, 96 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> > index 7767577..6e72e3e 100644
> > --- a/include/net/sctp/structs.h
> > +++ b/include/net/sctp/structs.h
> > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > reconf_enable:1;
> >
> > __u8 strreset_enable;
> > +
> > + /* Security identifiers from incoming (INIT). These are set by
> > + * security_sctp_assoc_request(). These will only be used by
> > + * SCTP TCP type sockets and peeled off connections as they
> > + * cause a new socket to be generated. security_sctp_sk_clone()
> > + * will then plug these into the new socket.
> > + */
> > +
> > + u32 secid;
> > + u32 peer_secid;
> > };
> >
> > /* Recover the outter endpoint structure. */
> > diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> > index 6217ff8..c04812f 100644
> > --- a/include/uapi/linux/sctp.h
> > +++ b/include/uapi/linux/sctp.h
> > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > #define SCTP_RESET_ASSOC 120
> > #define SCTP_ADD_STREAMS 121
> > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > +#define SCTP_SENDMSG_CONNECT 123
> >
> > /* PR-SCTP policies */
> > #define SCTP_PR_SCTP_NONE 0x0000
> > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > index 6110447..ca4705b 100644
> > --- a/net/sctp/sm_make_chunk.c
> > +++ b/net/sctp/sm_make_chunk.c
> > @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> > if (af->is_any(&addr))
> > memcpy(&addr, &asconf->source, sizeof(addr));
> >
> > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > + SCTP_PARAM_ADD_IP,
> > + (struct sockaddr *)&addr,
> > + af->sockaddr_len))
> > + return SCTP_ERROR_REQ_REFUSED;
> > +
> > /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> > * request and does not have the local resources to add this
> > * new address to the association, it MUST return an Error
> > @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> > if (af->is_any(&addr))
> > memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
> >
> > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > + SCTP_PARAM_SET_PRIMARY,
> > + (struct sockaddr *)&addr,
> > + af->sockaddr_len))
> > + return SCTP_ERROR_REQ_REFUSED;
> > +
> > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > if (!peer)
> > return SCTP_ERROR_DNS_FAILED;
> > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > index b2a74c3..4ba5805 100644
> > --- a/net/sctp/sm_statefuns.c
> > +++ b/net/sctp/sm_statefuns.c
> > @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > sctp_unrecognized_param_t *unk_param;
> > int len;
> >
> > + /* Update socket peer label if first association. */
> > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > + chunk->skb, SCTP_CID_INIT))
> > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> > /* 6.10 Bundling
> > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > * SHUTDOWN COMPLETE with any other chunks.
> > @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > }
> >
> > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> > -
> > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
> >
> > /*
> > @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> > struct sctp_chunk *err_chunk;
> > struct sctp_packet *packet;
> >
> > + /* Update socket peer label if first association. */
> > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > + chunk->skb, SCTP_CID_INIT_ACK))
> > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> Just thinking security_sctp_assoc_request hook should also be in
> sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
I agree, i think if this hook is gating on the creation of a new association,
they should be in all the locations where that happens
Neil
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 18+ messages in thread
* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-20 11:16 ` Neil Horman
0 siblings, 0 replies; 18+ messages in thread
From: Neil Horman @ 2017-10-20 11:16 UTC (permalink / raw)
To: linux-security-module
On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > Add security hooks to allow security modules to exercise access control
> > over SCTP.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> > include/net/sctp/structs.h | 10 ++++++++
> > include/uapi/linux/sctp.h | 1 +
> > net/sctp/sm_make_chunk.c | 12 +++++++++
> > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
> > 5 files changed, 96 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> > index 7767577..6e72e3e 100644
> > --- a/include/net/sctp/structs.h
> > +++ b/include/net/sctp/structs.h
> > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > reconf_enable:1;
> >
> > __u8 strreset_enable;
> > +
> > + /* Security identifiers from incoming (INIT). These are set by
> > + * security_sctp_assoc_request(). These will only be used by
> > + * SCTP TCP type sockets and peeled off connections as they
> > + * cause a new socket to be generated. security_sctp_sk_clone()
> > + * will then plug these into the new socket.
> > + */
> > +
> > + u32 secid;
> > + u32 peer_secid;
> > };
> >
> > /* Recover the outter endpoint structure. */
> > diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> > index 6217ff8..c04812f 100644
> > --- a/include/uapi/linux/sctp.h
> > +++ b/include/uapi/linux/sctp.h
> > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > #define SCTP_RESET_ASSOC 120
> > #define SCTP_ADD_STREAMS 121
> > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > +#define SCTP_SENDMSG_CONNECT 123
> >
> > /* PR-SCTP policies */
> > #define SCTP_PR_SCTP_NONE 0x0000
> > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > index 6110447..ca4705b 100644
> > --- a/net/sctp/sm_make_chunk.c
> > +++ b/net/sctp/sm_make_chunk.c
> > @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> > if (af->is_any(&addr))
> > memcpy(&addr, &asconf->source, sizeof(addr));
> >
> > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > + SCTP_PARAM_ADD_IP,
> > + (struct sockaddr *)&addr,
> > + af->sockaddr_len))
> > + return SCTP_ERROR_REQ_REFUSED;
> > +
> > /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> > * request and does not have the local resources to add this
> > * new address to the association, it MUST return an Error
> > @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> > if (af->is_any(&addr))
> > memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
> >
> > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > + SCTP_PARAM_SET_PRIMARY,
> > + (struct sockaddr *)&addr,
> > + af->sockaddr_len))
> > + return SCTP_ERROR_REQ_REFUSED;
> > +
> > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > if (!peer)
> > return SCTP_ERROR_DNS_FAILED;
> > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > index b2a74c3..4ba5805 100644
> > --- a/net/sctp/sm_statefuns.c
> > +++ b/net/sctp/sm_statefuns.c
> > @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > sctp_unrecognized_param_t *unk_param;
> > int len;
> >
> > + /* Update socket peer label if first association. */
> > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > + chunk->skb, SCTP_CID_INIT))
> > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> > /* 6.10 Bundling
> > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > * SHUTDOWN COMPLETE with any other chunks.
> > @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > }
> >
> > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> > -
> > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
> >
> > /*
> > @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> > struct sctp_chunk *err_chunk;
> > struct sctp_packet *packet;
> >
> > + /* Update socket peer label if first association. */
> > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > + chunk->skb, SCTP_CID_INIT_ACK))
> > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> Just thinking security_sctp_assoc_request hook should also be in
> sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
I agree, i think if this hook is gating on the creation of a new association,
they should be in all the locations where that happens
Neil
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-20 11:16 ` Neil Horman
0 siblings, 0 replies; 18+ messages in thread
From: Neil Horman @ 2017-10-20 11:16 UTC (permalink / raw)
To: linux-security-module
On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > Add security hooks to allow security modules to exercise access control
> > over SCTP.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> > include/net/sctp/structs.h | 10 ++++++++
> > include/uapi/linux/sctp.h | 1 +
> > net/sctp/sm_make_chunk.c | 12 +++++++++
> > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > net/sctp/socket.c | 61 +++++++++++++++++++++++++++++++++++++++++++++-
> > 5 files changed, 96 insertions(+), 2 deletions(-)
> >
> > diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
> > index 7767577..6e72e3e 100644
> > --- a/include/net/sctp/structs.h
> > +++ b/include/net/sctp/structs.h
> > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > reconf_enable:1;
> >
> > __u8 strreset_enable;
> > +
> > + /* Security identifiers from incoming (INIT). These are set by
> > + * security_sctp_assoc_request(). These will only be used by
> > + * SCTP TCP type sockets and peeled off connections as they
> > + * cause a new socket to be generated. security_sctp_sk_clone()
> > + * will then plug these into the new socket.
> > + */
> > +
> > + u32 secid;
> > + u32 peer_secid;
> > };
> >
> > /* Recover the outter endpoint structure. */
> > diff --git a/include/uapi/linux/sctp.h b/include/uapi/linux/sctp.h
> > index 6217ff8..c04812f 100644
> > --- a/include/uapi/linux/sctp.h
> > +++ b/include/uapi/linux/sctp.h
> > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > #define SCTP_RESET_ASSOC 120
> > #define SCTP_ADD_STREAMS 121
> > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > +#define SCTP_SENDMSG_CONNECT 123
> >
> > /* PR-SCTP policies */
> > #define SCTP_PR_SCTP_NONE 0x0000
> > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > index 6110447..ca4705b 100644
> > --- a/net/sctp/sm_make_chunk.c
> > +++ b/net/sctp/sm_make_chunk.c
> > @@ -3059,6 +3059,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> > if (af->is_any(&addr))
> > memcpy(&addr, &asconf->source, sizeof(addr));
> >
> > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > + SCTP_PARAM_ADD_IP,
> > + (struct sockaddr *)&addr,
> > + af->sockaddr_len))
> > + return SCTP_ERROR_REQ_REFUSED;
> > +
> > /* ADDIP 4.3 D9) If an endpoint receives an ADD IP address
> > * request and does not have the local resources to add this
> > * new address to the association, it MUST return an Error
> > @@ -3125,6 +3131,12 @@ static __be16 sctp_process_asconf_param(struct sctp_association *asoc,
> > if (af->is_any(&addr))
> > memcpy(&addr.v4, sctp_source(asconf), sizeof(addr));
> >
> > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > + SCTP_PARAM_SET_PRIMARY,
> > + (struct sockaddr *)&addr,
> > + af->sockaddr_len))
> > + return SCTP_ERROR_REQ_REFUSED;
> > +
> > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > if (!peer)
> > return SCTP_ERROR_DNS_FAILED;
> > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > index b2a74c3..4ba5805 100644
> > --- a/net/sctp/sm_statefuns.c
> > +++ b/net/sctp/sm_statefuns.c
> > @@ -314,6 +314,11 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > sctp_unrecognized_param_t *unk_param;
> > int len;
> >
> > + /* Update socket peer label if first association. */
> > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > + chunk->skb, SCTP_CID_INIT))
> > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> > /* 6.10 Bundling
> > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > * SHUTDOWN COMPLETE with any other chunks.
> > @@ -446,7 +451,6 @@ sctp_disposition_t sctp_sf_do_5_1B_init(struct net *net,
> > }
> >
> > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC, SCTP_ASOC(new_asoc));
> > -
> > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(repl));
> >
> > /*
> > @@ -507,6 +511,11 @@ sctp_disposition_t sctp_sf_do_5_1C_ack(struct net *net,
> > struct sctp_chunk *err_chunk;
> > struct sctp_packet *packet;
> >
> > + /* Update socket peer label if first association. */
> > + if (security_sctp_assoc_request((struct sctp_endpoint *)ep,
> > + chunk->skb, SCTP_CID_INIT_ACK))
> > + return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
> > +
> Just thinking security_sctp_assoc_request hook should also be in
> sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
I agree, i think if this hook is gating on the creation of a new association,
they should be in all the locations where that happens
Neil
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
2017-10-20 11:16 ` Neil Horman
(?)
@ 2017-10-20 12:04 ` Richard Haines
-1 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-20 12:04 UTC (permalink / raw)
To: Neil Horman, Xin Long
Cc: selinux, network dev, linux-sctp, linux-security-module
On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > Add security hooks to allow security modules to exercise access
> > > control
> > > over SCTP.
> > >
> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > > ---
> > > include/net/sctp/structs.h | 10 ++++++++
> > > include/uapi/linux/sctp.h | 1 +
> > > net/sctp/sm_make_chunk.c | 12 +++++++++
> > > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > > net/sctp/socket.c | 61
> > > +++++++++++++++++++++++++++++++++++++++++++++-
> > > 5 files changed, 96 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/net/sctp/structs.h
> > > b/include/net/sctp/structs.h
> > > index 7767577..6e72e3e 100644
> > > --- a/include/net/sctp/structs.h
> > > +++ b/include/net/sctp/structs.h
> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > reconf_enable:1;
> > >
> > > __u8 strreset_enable;
> > > +
> > > + /* Security identifiers from incoming (INIT). These are
> > > set by
> > > + * security_sctp_assoc_request(). These will only be used
> > > by
> > > + * SCTP TCP type sockets and peeled off connections as
> > > they
> > > + * cause a new socket to be generated.
> > > security_sctp_sk_clone()
> > > + * will then plug these into the new socket.
> > > + */
> > > +
> > > + u32 secid;
> > > + u32 peer_secid;
> > > };
> > >
> > > /* Recover the outter endpoint structure. */
> > > diff --git a/include/uapi/linux/sctp.h
> > > b/include/uapi/linux/sctp.h
> > > index 6217ff8..c04812f 100644
> > > --- a/include/uapi/linux/sctp.h
> > > +++ b/include/uapi/linux/sctp.h
> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > #define SCTP_RESET_ASSOC 120
> > > #define SCTP_ADD_STREAMS 121
> > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > +#define SCTP_SENDMSG_CONNECT 123
> > >
> > > /* PR-SCTP policies */
> > > #define SCTP_PR_SCTP_NONE 0x0000
> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > > index 6110447..ca4705b 100644
> > > --- a/net/sctp/sm_make_chunk.c
> > > +++ b/net/sctp/sm_make_chunk.c
> > > @@ -3059,6 +3059,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any(&addr))
> > > memcpy(&addr, &asconf->source,
> > > sizeof(addr));
> > >
> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > + SCTP_PARAM_ADD_IP,
> > > + (struct sockaddr
> > > *)&addr,
> > > + af->sockaddr_len))
> > > + return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
> > > IP address
> > > * request and does not have the local resources
> > > to add this
> > > * new address to the association, it MUST return
> > > an Error
> > > @@ -3125,6 +3131,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any(&addr))
> > > memcpy(&addr.v4, sctp_source(asconf),
> > > sizeof(addr));
> > >
> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > + SCTP_PARAM_SET_PRI
> > > MARY,
> > > + (struct sockaddr
> > > *)&addr,
> > > + af->sockaddr_len))
> > > + return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > > if (!peer)
> > > return SCTP_ERROR_DNS_FAILED;
> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > > index b2a74c3..4ba5805 100644
> > > --- a/net/sctp/sm_statefuns.c
> > > +++ b/net/sctp/sm_statefuns.c
> > > @@ -314,6 +314,11 @@ sctp_disposition_t
> > > sctp_sf_do_5_1B_init(struct net *net,
> > > sctp_unrecognized_param_t *unk_param;
> > > int len;
> > >
> > > + /* Update socket peer label if first association. */
> > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > *)ep,
> > > + chunk->skb,
> > > SCTP_CID_INIT))
> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
> > > commands);
> > > +
> > > /* 6.10 Bundling
> > > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > > * SHUTDOWN COMPLETE with any other chunks.
> > > @@ -446,7 +451,6 @@ sctp_disposition_t
> > > sctp_sf_do_5_1B_init(struct net *net,
> > > }
> > >
> > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
> > > SCTP_ASOC(new_asoc));
> > > -
> > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
> > > SCTP_CHUNK(repl));
> > >
> > > /*
> > > @@ -507,6 +511,11 @@ sctp_disposition_t
> > > sctp_sf_do_5_1C_ack(struct net *net,
> > > struct sctp_chunk *err_chunk;
> > > struct sctp_packet *packet;
> > >
> > > + /* Update socket peer label if first association. */
> > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > *)ep,
> > > + chunk->skb,
> > > SCTP_CID_INIT_ACK))
> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
> > > commands);
> > > +
> >
> > Just thinking security_sctp_assoc_request hook should also be in
> > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
>
> I agree, i think if this hook is gating on the creation of a new
> association,
> they should be in all the locations where that happens
> Neil
Thanks for the comments. I've just added the hook as requested for my
next update, however I have not managed to trigger these areas using
the lksctp-tools tests. Can you suggest any suitable tools for testing
these scenarios.
Thanks
Richard
>
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-
> > sctp" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp"
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-20 12:04 ` Richard Haines
0 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-20 12:04 UTC (permalink / raw)
To: linux-security-module
On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > Add security hooks to allow security modules to exercise access
> > > control
> > > over SCTP.
> > >
> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > > ---
> > > include/net/sctp/structs.h | 10 ++++++++
> > > include/uapi/linux/sctp.h | 1 +
> > > net/sctp/sm_make_chunk.c | 12 +++++++++
> > > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > > net/sctp/socket.c | 61
> > > +++++++++++++++++++++++++++++++++++++++++++++-
> > > 5 files changed, 96 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/net/sctp/structs.h
> > > b/include/net/sctp/structs.h
> > > index 7767577..6e72e3e 100644
> > > --- a/include/net/sctp/structs.h
> > > +++ b/include/net/sctp/structs.h
> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > reconf_enable:1;
> > >
> > > __u8 strreset_enable;
> > > +
> > > + /* Security identifiers from incoming (INIT). These are
> > > set by
> > > + * security_sctp_assoc_request(). These will only be used
> > > by
> > > + * SCTP TCP type sockets and peeled off connections as
> > > they
> > > + * cause a new socket to be generated.
> > > security_sctp_sk_clone()
> > > + * will then plug these into the new socket.
> > > + */
> > > +
> > > + u32 secid;
> > > + u32 peer_secid;
> > > };
> > >
> > > /* Recover the outter endpoint structure. */
> > > diff --git a/include/uapi/linux/sctp.h
> > > b/include/uapi/linux/sctp.h
> > > index 6217ff8..c04812f 100644
> > > --- a/include/uapi/linux/sctp.h
> > > +++ b/include/uapi/linux/sctp.h
> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > #define SCTP_RESET_ASSOC 120
> > > #define SCTP_ADD_STREAMS 121
> > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > +#define SCTP_SENDMSG_CONNECT 123
> > >
> > > /* PR-SCTP policies */
> > > #define SCTP_PR_SCTP_NONE 0x0000
> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > > index 6110447..ca4705b 100644
> > > --- a/net/sctp/sm_make_chunk.c
> > > +++ b/net/sctp/sm_make_chunk.c
> > > @@ -3059,6 +3059,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any(&addr))
> > > memcpy(&addr, &asconf->source,
> > > sizeof(addr));
> > >
> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > + SCTP_PARAM_ADD_IP,
> > > + (struct sockaddr
> > > *)&addr,
> > > + af->sockaddr_len))
> > > + return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
> > > IP address
> > > * request and does not have the local resources
> > > to add this
> > > * new address to the association, it MUST return
> > > an Error
> > > @@ -3125,6 +3131,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any(&addr))
> > > memcpy(&addr.v4, sctp_source(asconf),
> > > sizeof(addr));
> > >
> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > + SCTP_PARAM_SET_PRI
> > > MARY,
> > > + (struct sockaddr
> > > *)&addr,
> > > + af->sockaddr_len))
> > > + return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > > if (!peer)
> > > return SCTP_ERROR_DNS_FAILED;
> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > > index b2a74c3..4ba5805 100644
> > > --- a/net/sctp/sm_statefuns.c
> > > +++ b/net/sctp/sm_statefuns.c
> > > @@ -314,6 +314,11 @@ sctp_disposition_t
> > > sctp_sf_do_5_1B_init(struct net *net,
> > > sctp_unrecognized_param_t *unk_param;
> > > int len;
> > >
> > > + /* Update socket peer label if first association. */
> > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > *)ep,
> > > + chunk->skb,
> > > SCTP_CID_INIT))
> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
> > > commands);
> > > +
> > > /* 6.10 Bundling
> > > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > > * SHUTDOWN COMPLETE with any other chunks.
> > > @@ -446,7 +451,6 @@ sctp_disposition_t
> > > sctp_sf_do_5_1B_init(struct net *net,
> > > }
> > >
> > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
> > > SCTP_ASOC(new_asoc));
> > > -
> > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
> > > SCTP_CHUNK(repl));
> > >
> > > /*
> > > @@ -507,6 +511,11 @@ sctp_disposition_t
> > > sctp_sf_do_5_1C_ack(struct net *net,
> > > struct sctp_chunk *err_chunk;
> > > struct sctp_packet *packet;
> > >
> > > + /* Update socket peer label if first association. */
> > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > *)ep,
> > > + chunk->skb,
> > > SCTP_CID_INIT_ACK))
> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
> > > commands);
> > > +
> >
> > Just thinking security_sctp_assoc_request hook should also be in
> > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
>
> I agree, i think if this hook is gating on the creation of a new
> association,
> they should be in all the locations where that happens
> Neil
Thanks for the comments. I've just added the hook as requested for my
next update, however I have not managed to trigger these areas using
the lksctp-tools tests. Can you suggest any suitable tools for testing
these scenarios.
Thanks
Richard
>
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-
> > sctp" in
> > the body of a message to majordomo at vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp"
> in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-20 12:04 ` Richard Haines
0 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-20 12:04 UTC (permalink / raw)
To: linux-security-module
On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > <richard_c_haines@btinternet.com> wrote:
> > > Add security hooks to allow security modules to exercise access
> > > control
> > > over SCTP.
> > >
> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > > ---
> > > include/net/sctp/structs.h | 10 ++++++++
> > > include/uapi/linux/sctp.h | 1 +
> > > net/sctp/sm_make_chunk.c | 12 +++++++++
> > > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > > net/sctp/socket.c | 61
> > > +++++++++++++++++++++++++++++++++++++++++++++-
> > > 5 files changed, 96 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/include/net/sctp/structs.h
> > > b/include/net/sctp/structs.h
> > > index 7767577..6e72e3e 100644
> > > --- a/include/net/sctp/structs.h
> > > +++ b/include/net/sctp/structs.h
> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > reconf_enable:1;
> > >
> > > __u8 strreset_enable;
> > > +
> > > + /* Security identifiers from incoming (INIT). These are
> > > set by
> > > + * security_sctp_assoc_request(). These will only be used
> > > by
> > > + * SCTP TCP type sockets and peeled off connections as
> > > they
> > > + * cause a new socket to be generated.
> > > security_sctp_sk_clone()
> > > + * will then plug these into the new socket.
> > > + */
> > > +
> > > + u32 secid;
> > > + u32 peer_secid;
> > > };
> > >
> > > /* Recover the outter endpoint structure. */
> > > diff --git a/include/uapi/linux/sctp.h
> > > b/include/uapi/linux/sctp.h
> > > index 6217ff8..c04812f 100644
> > > --- a/include/uapi/linux/sctp.h
> > > +++ b/include/uapi/linux/sctp.h
> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > #define SCTP_RESET_ASSOC 120
> > > #define SCTP_ADD_STREAMS 121
> > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > +#define SCTP_SENDMSG_CONNECT 123
> > >
> > > /* PR-SCTP policies */
> > > #define SCTP_PR_SCTP_NONE 0x0000
> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> > > index 6110447..ca4705b 100644
> > > --- a/net/sctp/sm_make_chunk.c
> > > +++ b/net/sctp/sm_make_chunk.c
> > > @@ -3059,6 +3059,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any(&addr))
> > > memcpy(&addr, &asconf->source,
> > > sizeof(addr));
> > >
> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > + SCTP_PARAM_ADD_IP,
> > > + (struct sockaddr
> > > *)&addr,
> > > + af->sockaddr_len))
> > > + return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
> > > IP address
> > > * request and does not have the local resources
> > > to add this
> > > * new address to the association, it MUST return
> > > an Error
> > > @@ -3125,6 +3131,12 @@ static __be16
> > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > if (af->is_any(&addr))
> > > memcpy(&addr.v4, sctp_source(asconf),
> > > sizeof(addr));
> > >
> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
> > > + SCTP_PARAM_SET_PRI
> > > MARY,
> > > + (struct sockaddr
> > > *)&addr,
> > > + af->sockaddr_len))
> > > + return SCTP_ERROR_REQ_REFUSED;
> > > +
> > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > > if (!peer)
> > > return SCTP_ERROR_DNS_FAILED;
> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
> > > index b2a74c3..4ba5805 100644
> > > --- a/net/sctp/sm_statefuns.c
> > > +++ b/net/sctp/sm_statefuns.c
> > > @@ -314,6 +314,11 @@ sctp_disposition_t
> > > sctp_sf_do_5_1B_init(struct net *net,
> > > sctp_unrecognized_param_t *unk_param;
> > > int len;
> > >
> > > + /* Update socket peer label if first association. */
> > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > *)ep,
> > > + chunk->skb,
> > > SCTP_CID_INIT))
> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
> > > commands);
> > > +
> > > /* 6.10 Bundling
> > > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > > * SHUTDOWN COMPLETE with any other chunks.
> > > @@ -446,7 +451,6 @@ sctp_disposition_t
> > > sctp_sf_do_5_1B_init(struct net *net,
> > > }
> > >
> > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
> > > SCTP_ASOC(new_asoc));
> > > -
> > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
> > > SCTP_CHUNK(repl));
> > >
> > > /*
> > > @@ -507,6 +511,11 @@ sctp_disposition_t
> > > sctp_sf_do_5_1C_ack(struct net *net,
> > > struct sctp_chunk *err_chunk;
> > > struct sctp_packet *packet;
> > >
> > > + /* Update socket peer label if first association. */
> > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > *)ep,
> > > + chunk->skb,
> > > SCTP_CID_INIT_ACK))
> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
> > > commands);
> > > +
> >
> > Just thinking security_sctp_assoc_request hook should also be in
> > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
>
> I agree, i think if this hook is gating on the creation of a new
> association,
> they should be in all the locations where that happens
> Neil
Thanks for the comments. I've just added the hook as requested for my
next update, however I have not managed to trigger these areas using
the lksctp-tools tests. Can you suggest any suitable tools for testing
these scenarios.
Thanks
Richard
>
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-
> > sctp" in
> > the body of a message to majordomo@vger.kernel.org
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
> >
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-sctp"
> in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
2017-10-20 12:04 ` Richard Haines
(?)
@ 2017-10-20 13:14 ` Xin Long
-1 siblings, 0 replies; 18+ messages in thread
From: Xin Long @ 2017-10-20 13:14 UTC (permalink / raw)
To: Richard Haines
Cc: Neil Horman, selinux, network dev, linux-sctp, linux-security-module
On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
>> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
>> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
>> > <richard_c_haines@btinternet.com> wrote:
>> > > Add security hooks to allow security modules to exercise access
>> > > control
>> > > over SCTP.
>> > >
>> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
>> > > ---
>> > > include/net/sctp/structs.h | 10 ++++++++
>> > > include/uapi/linux/sctp.h | 1 +
>> > > net/sctp/sm_make_chunk.c | 12 +++++++++
>> > > net/sctp/sm_statefuns.c | 14 ++++++++++-
>> > > net/sctp/socket.c | 61
>> > > +++++++++++++++++++++++++++++++++++++++++++++-
>> > > 5 files changed, 96 insertions(+), 2 deletions(-)
>> > >
>> > > diff --git a/include/net/sctp/structs.h
>> > > b/include/net/sctp/structs.h
>> > > index 7767577..6e72e3e 100644
>> > > --- a/include/net/sctp/structs.h
>> > > +++ b/include/net/sctp/structs.h
>> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
>> > > reconf_enable:1;
>> > >
>> > > __u8 strreset_enable;
>> > > +
>> > > + /* Security identifiers from incoming (INIT). These are
>> > > set by
>> > > + * security_sctp_assoc_request(). These will only be used
>> > > by
>> > > + * SCTP TCP type sockets and peeled off connections as
>> > > they
>> > > + * cause a new socket to be generated.
>> > > security_sctp_sk_clone()
>> > > + * will then plug these into the new socket.
>> > > + */
>> > > +
>> > > + u32 secid;
>> > > + u32 peer_secid;
>> > > };
>> > >
>> > > /* Recover the outter endpoint structure. */
>> > > diff --git a/include/uapi/linux/sctp.h
>> > > b/include/uapi/linux/sctp.h
>> > > index 6217ff8..c04812f 100644
>> > > --- a/include/uapi/linux/sctp.h
>> > > +++ b/include/uapi/linux/sctp.h
>> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
>> > > #define SCTP_RESET_ASSOC 120
>> > > #define SCTP_ADD_STREAMS 121
>> > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
>> > > +#define SCTP_SENDMSG_CONNECT 123
>> > >
>> > > /* PR-SCTP policies */
>> > > #define SCTP_PR_SCTP_NONE 0x0000
>> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
>> > > index 6110447..ca4705b 100644
>> > > --- a/net/sctp/sm_make_chunk.c
>> > > +++ b/net/sctp/sm_make_chunk.c
>> > > @@ -3059,6 +3059,12 @@ static __be16
>> > > sctp_process_asconf_param(struct sctp_association *asoc,
>> > > if (af->is_any(&addr))
>> > > memcpy(&addr, &asconf->source,
>> > > sizeof(addr));
>> > >
>> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
>> > > + SCTP_PARAM_ADD_IP,
>> > > + (struct sockaddr
>> > > *)&addr,
>> > > + af->sockaddr_len))
>> > > + return SCTP_ERROR_REQ_REFUSED;
>> > > +
>> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
>> > > IP address
>> > > * request and does not have the local resources
>> > > to add this
>> > > * new address to the association, it MUST return
>> > > an Error
>> > > @@ -3125,6 +3131,12 @@ static __be16
>> > > sctp_process_asconf_param(struct sctp_association *asoc,
>> > > if (af->is_any(&addr))
>> > > memcpy(&addr.v4, sctp_source(asconf),
>> > > sizeof(addr));
>> > >
>> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
>> > > + SCTP_PARAM_SET_PRI
>> > > MARY,
>> > > + (struct sockaddr
>> > > *)&addr,
>> > > + af->sockaddr_len))
>> > > + return SCTP_ERROR_REQ_REFUSED;
>> > > +
>> > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
>> > > if (!peer)
>> > > return SCTP_ERROR_DNS_FAILED;
>> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
>> > > index b2a74c3..4ba5805 100644
>> > > --- a/net/sctp/sm_statefuns.c
>> > > +++ b/net/sctp/sm_statefuns.c
>> > > @@ -314,6 +314,11 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1B_init(struct net *net,
>> > > sctp_unrecognized_param_t *unk_param;
>> > > int len;
>> > >
>> > > + /* Update socket peer label if first association. */
>> > > + if (security_sctp_assoc_request((struct sctp_endpoint
>> > > *)ep,
>> > > + chunk->skb,
>> > > SCTP_CID_INIT))
>> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
>> > > commands);
>> > > +
>> > > /* 6.10 Bundling
>> > > * An endpoint MUST NOT bundle INIT, INIT ACK or
>> > > * SHUTDOWN COMPLETE with any other chunks.
>> > > @@ -446,7 +451,6 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1B_init(struct net *net,
>> > > }
>> > >
>> > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
>> > > SCTP_ASOC(new_asoc));
>> > > -
>> > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
>> > > SCTP_CHUNK(repl));
>> > >
>> > > /*
>> > > @@ -507,6 +511,11 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1C_ack(struct net *net,
>> > > struct sctp_chunk *err_chunk;
>> > > struct sctp_packet *packet;
>> > >
>> > > + /* Update socket peer label if first association. */
>> > > + if (security_sctp_assoc_request((struct sctp_endpoint
>> > > *)ep,
>> > > + chunk->skb,
>> > > SCTP_CID_INIT_ACK))
>> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
>> > > commands);
>> > > +
>> >
>> > Just thinking security_sctp_assoc_request hook should also be in
>> > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
>>
>> I agree, i think if this hook is gating on the creation of a new
>> association,
>> they should be in all the locations where that happens
>> Neil
>
> Thanks for the comments. I've just added the hook as requested for my
> next update, however I have not managed to trigger these areas using
> the lksctp-tools tests. Can you suggest any suitable tools for testing
> these scenarios.
It's all a matter of timing:
sctp_sf_do_5_2_2_dupinit():
Case A:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
INIT ----------------->
(Different INIT-TAG)
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
DATA ----------------->
<----------------- SACK
sctp_sf_do_5_2_1_siminit():
Case B:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
<----- Associate
<----------------- INIT
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
sctp_sf_do_5_2_4_dupcook():
Case D:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
<----- Associate
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
I think scapy could help with 4-shake stuff:
# iptables -A OUTPUT -p sctp -d 192.0.0.2 --chunk-type only abort -o
eth1 -j DROP
and
something like:
def start_assoc(self, target, local):
target_host, target_port = target
local_host, local_port = local
# init snd
self._tsn = 2017
self._cnt = 15
SCTP_HEADER = (IP(dst=target_host, flags="DF") /
SCTP(sport=local_port, dport=target_port, tag=0))
INIT = (SCTP_HEADER / SCTPChunkInit(init_tag=1,
a_rwnd=106496, n_out_streams=self._cnt, n_in_streams=self._cnt,
init_tsn=self._tsn,
params=[SCTPParamSupport(types=[64])]))
INIT_ACK = sr1(INIT, timeout=3, verbose=0)
if INIT_ACK == None or not INIT_ACK.haslayer(SCTPChunkInitAck):
return False
# cookie echo snd
SCTP_HEADER[SCTP].tag = INIT_ACK[SCTPChunkInitAck].init_tag
COOKIE_ECHO = (SCTP_HEADER /
SCTPChunkCookieEcho(cookie=INIT_ACK[SCTPChunkParamStateCookie].cookie))
COOKIE_ACK = sr1(COOKIE_ECHO, timeout=3, verbose=0)
if COOKIE_ACK == None or not
COOKIE_ACK.haslayer(SCTPChunkCookieAck):
return False
^ permalink raw reply [flat|nested] 18+ messages in thread
* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-20 13:14 ` Xin Long
0 siblings, 0 replies; 18+ messages in thread
From: Xin Long @ 2017-10-20 13:14 UTC (permalink / raw)
To: linux-security-module
On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
>> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
>> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
>> > <richard_c_haines@btinternet.com> wrote:
>> > > Add security hooks to allow security modules to exercise access
>> > > control
>> > > over SCTP.
>> > >
>> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
>> > > ---
>> > > include/net/sctp/structs.h | 10 ++++++++
>> > > include/uapi/linux/sctp.h | 1 +
>> > > net/sctp/sm_make_chunk.c | 12 +++++++++
>> > > net/sctp/sm_statefuns.c | 14 ++++++++++-
>> > > net/sctp/socket.c | 61
>> > > +++++++++++++++++++++++++++++++++++++++++++++-
>> > > 5 files changed, 96 insertions(+), 2 deletions(-)
>> > >
>> > > diff --git a/include/net/sctp/structs.h
>> > > b/include/net/sctp/structs.h
>> > > index 7767577..6e72e3e 100644
>> > > --- a/include/net/sctp/structs.h
>> > > +++ b/include/net/sctp/structs.h
>> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
>> > > reconf_enable:1;
>> > >
>> > > __u8 strreset_enable;
>> > > +
>> > > + /* Security identifiers from incoming (INIT). These are
>> > > set by
>> > > + * security_sctp_assoc_request(). These will only be used
>> > > by
>> > > + * SCTP TCP type sockets and peeled off connections as
>> > > they
>> > > + * cause a new socket to be generated.
>> > > security_sctp_sk_clone()
>> > > + * will then plug these into the new socket.
>> > > + */
>> > > +
>> > > + u32 secid;
>> > > + u32 peer_secid;
>> > > };
>> > >
>> > > /* Recover the outter endpoint structure. */
>> > > diff --git a/include/uapi/linux/sctp.h
>> > > b/include/uapi/linux/sctp.h
>> > > index 6217ff8..c04812f 100644
>> > > --- a/include/uapi/linux/sctp.h
>> > > +++ b/include/uapi/linux/sctp.h
>> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
>> > > #define SCTP_RESET_ASSOC 120
>> > > #define SCTP_ADD_STREAMS 121
>> > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
>> > > +#define SCTP_SENDMSG_CONNECT 123
>> > >
>> > > /* PR-SCTP policies */
>> > > #define SCTP_PR_SCTP_NONE 0x0000
>> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
>> > > index 6110447..ca4705b 100644
>> > > --- a/net/sctp/sm_make_chunk.c
>> > > +++ b/net/sctp/sm_make_chunk.c
>> > > @@ -3059,6 +3059,12 @@ static __be16
>> > > sctp_process_asconf_param(struct sctp_association *asoc,
>> > > if (af->is_any(&addr))
>> > > memcpy(&addr, &asconf->source,
>> > > sizeof(addr));
>> > >
>> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
>> > > + SCTP_PARAM_ADD_IP,
>> > > + (struct sockaddr
>> > > *)&addr,
>> > > + af->sockaddr_len))
>> > > + return SCTP_ERROR_REQ_REFUSED;
>> > > +
>> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
>> > > IP address
>> > > * request and does not have the local resources
>> > > to add this
>> > > * new address to the association, it MUST return
>> > > an Error
>> > > @@ -3125,6 +3131,12 @@ static __be16
>> > > sctp_process_asconf_param(struct sctp_association *asoc,
>> > > if (af->is_any(&addr))
>> > > memcpy(&addr.v4, sctp_source(asconf),
>> > > sizeof(addr));
>> > >
>> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
>> > > + SCTP_PARAM_SET_PRI
>> > > MARY,
>> > > + (struct sockaddr
>> > > *)&addr,
>> > > + af->sockaddr_len))
>> > > + return SCTP_ERROR_REQ_REFUSED;
>> > > +
>> > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
>> > > if (!peer)
>> > > return SCTP_ERROR_DNS_FAILED;
>> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
>> > > index b2a74c3..4ba5805 100644
>> > > --- a/net/sctp/sm_statefuns.c
>> > > +++ b/net/sctp/sm_statefuns.c
>> > > @@ -314,6 +314,11 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1B_init(struct net *net,
>> > > sctp_unrecognized_param_t *unk_param;
>> > > int len;
>> > >
>> > > + /* Update socket peer label if first association. */
>> > > + if (security_sctp_assoc_request((struct sctp_endpoint
>> > > *)ep,
>> > > + chunk->skb,
>> > > SCTP_CID_INIT))
>> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
>> > > commands);
>> > > +
>> > > /* 6.10 Bundling
>> > > * An endpoint MUST NOT bundle INIT, INIT ACK or
>> > > * SHUTDOWN COMPLETE with any other chunks.
>> > > @@ -446,7 +451,6 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1B_init(struct net *net,
>> > > }
>> > >
>> > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
>> > > SCTP_ASOC(new_asoc));
>> > > -
>> > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
>> > > SCTP_CHUNK(repl));
>> > >
>> > > /*
>> > > @@ -507,6 +511,11 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1C_ack(struct net *net,
>> > > struct sctp_chunk *err_chunk;
>> > > struct sctp_packet *packet;
>> > >
>> > > + /* Update socket peer label if first association. */
>> > > + if (security_sctp_assoc_request((struct sctp_endpoint
>> > > *)ep,
>> > > + chunk->skb,
>> > > SCTP_CID_INIT_ACK))
>> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
>> > > commands);
>> > > +
>> >
>> > Just thinking security_sctp_assoc_request hook should also be in
>> > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
>>
>> I agree, i think if this hook is gating on the creation of a new
>> association,
>> they should be in all the locations where that happens
>> Neil
>
> Thanks for the comments. I've just added the hook as requested for my
> next update, however I have not managed to trigger these areas using
> the lksctp-tools tests. Can you suggest any suitable tools for testing
> these scenarios.
It's all a matter of timing:
sctp_sf_do_5_2_2_dupinit():
Case A:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
INIT ----------------->
(Different INIT-TAG)
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
DATA ----------------->
<----------------- SACK
sctp_sf_do_5_2_1_siminit():
Case B:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
<----- Associate
<----------------- INIT
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
sctp_sf_do_5_2_4_dupcook():
Case D:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
<----- Associate
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
I think scapy could help with 4-shake stuff:
# iptables -A OUTPUT -p sctp -d 192.0.0.2 --chunk-type only abort -o
eth1 -j DROP
and
something like:
def start_assoc(self, target, local):
target_host, target_port = target
local_host, local_port = local
# init snd
self._tsn = 2017
self._cnt = 15
SCTP_HEADER = (IP(dst=target_host, flags="DF") /
SCTP(sport=local_port, dport=target_port, tag=0))
INIT = (SCTP_HEADER / SCTPChunkInit(init_tag=1,
a_rwnd=106496, n_out_streams=self._cnt, n_in_streams=self._cnt,
init_tsn=self._tsn,
params=[SCTPParamSupport(types=[64])]))
INIT_ACK = sr1(INIT, timeout=3, verbose=0)
if INIT_ACK == None or not INIT_ACK.haslayer(SCTPChunkInitAck):
return False
# cookie echo snd
SCTP_HEADER[SCTP].tag = INIT_ACK[SCTPChunkInitAck].init_tag
COOKIE_ECHO = (SCTP_HEADER /
SCTPChunkCookieEcho(cookie=INIT_ACK[SCTPChunkParamStateCookie].cookie))
COOKIE_ACK = sr1(COOKIE_ECHO, timeout=3, verbose=0)
if COOKIE_ACK == None or not
COOKIE_ACK.haslayer(SCTPChunkCookieAck):
return False
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info@ http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-20 13:14 ` Xin Long
0 siblings, 0 replies; 18+ messages in thread
From: Xin Long @ 2017-10-20 13:14 UTC (permalink / raw)
To: linux-security-module
On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
>> On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
>> > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
>> > <richard_c_haines@btinternet.com> wrote:
>> > > Add security hooks to allow security modules to exercise access
>> > > control
>> > > over SCTP.
>> > >
>> > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
>> > > ---
>> > > include/net/sctp/structs.h | 10 ++++++++
>> > > include/uapi/linux/sctp.h | 1 +
>> > > net/sctp/sm_make_chunk.c | 12 +++++++++
>> > > net/sctp/sm_statefuns.c | 14 ++++++++++-
>> > > net/sctp/socket.c | 61
>> > > +++++++++++++++++++++++++++++++++++++++++++++-
>> > > 5 files changed, 96 insertions(+), 2 deletions(-)
>> > >
>> > > diff --git a/include/net/sctp/structs.h
>> > > b/include/net/sctp/structs.h
>> > > index 7767577..6e72e3e 100644
>> > > --- a/include/net/sctp/structs.h
>> > > +++ b/include/net/sctp/structs.h
>> > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
>> > > reconf_enable:1;
>> > >
>> > > __u8 strreset_enable;
>> > > +
>> > > + /* Security identifiers from incoming (INIT). These are
>> > > set by
>> > > + * security_sctp_assoc_request(). These will only be used
>> > > by
>> > > + * SCTP TCP type sockets and peeled off connections as
>> > > they
>> > > + * cause a new socket to be generated.
>> > > security_sctp_sk_clone()
>> > > + * will then plug these into the new socket.
>> > > + */
>> > > +
>> > > + u32 secid;
>> > > + u32 peer_secid;
>> > > };
>> > >
>> > > /* Recover the outter endpoint structure. */
>> > > diff --git a/include/uapi/linux/sctp.h
>> > > b/include/uapi/linux/sctp.h
>> > > index 6217ff8..c04812f 100644
>> > > --- a/include/uapi/linux/sctp.h
>> > > +++ b/include/uapi/linux/sctp.h
>> > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
>> > > #define SCTP_RESET_ASSOC 120
>> > > #define SCTP_ADD_STREAMS 121
>> > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
>> > > +#define SCTP_SENDMSG_CONNECT 123
>> > >
>> > > /* PR-SCTP policies */
>> > > #define SCTP_PR_SCTP_NONE 0x0000
>> > > diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
>> > > index 6110447..ca4705b 100644
>> > > --- a/net/sctp/sm_make_chunk.c
>> > > +++ b/net/sctp/sm_make_chunk.c
>> > > @@ -3059,6 +3059,12 @@ static __be16
>> > > sctp_process_asconf_param(struct sctp_association *asoc,
>> > > if (af->is_any(&addr))
>> > > memcpy(&addr, &asconf->source,
>> > > sizeof(addr));
>> > >
>> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
>> > > + SCTP_PARAM_ADD_IP,
>> > > + (struct sockaddr
>> > > *)&addr,
>> > > + af->sockaddr_len))
>> > > + return SCTP_ERROR_REQ_REFUSED;
>> > > +
>> > > /* ADDIP 4.3 D9) If an endpoint receives an ADD
>> > > IP address
>> > > * request and does not have the local resources
>> > > to add this
>> > > * new address to the association, it MUST return
>> > > an Error
>> > > @@ -3125,6 +3131,12 @@ static __be16
>> > > sctp_process_asconf_param(struct sctp_association *asoc,
>> > > if (af->is_any(&addr))
>> > > memcpy(&addr.v4, sctp_source(asconf),
>> > > sizeof(addr));
>> > >
>> > > + if (security_sctp_bind_connect(asoc->ep->base.sk,
>> > > + SCTP_PARAM_SET_PRI
>> > > MARY,
>> > > + (struct sockaddr
>> > > *)&addr,
>> > > + af->sockaddr_len))
>> > > + return SCTP_ERROR_REQ_REFUSED;
>> > > +
>> > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
>> > > if (!peer)
>> > > return SCTP_ERROR_DNS_FAILED;
>> > > diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
>> > > index b2a74c3..4ba5805 100644
>> > > --- a/net/sctp/sm_statefuns.c
>> > > +++ b/net/sctp/sm_statefuns.c
>> > > @@ -314,6 +314,11 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1B_init(struct net *net,
>> > > sctp_unrecognized_param_t *unk_param;
>> > > int len;
>> > >
>> > > + /* Update socket peer label if first association. */
>> > > + if (security_sctp_assoc_request((struct sctp_endpoint
>> > > *)ep,
>> > > + chunk->skb,
>> > > SCTP_CID_INIT))
>> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
>> > > commands);
>> > > +
>> > > /* 6.10 Bundling
>> > > * An endpoint MUST NOT bundle INIT, INIT ACK or
>> > > * SHUTDOWN COMPLETE with any other chunks.
>> > > @@ -446,7 +451,6 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1B_init(struct net *net,
>> > > }
>> > >
>> > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
>> > > SCTP_ASOC(new_asoc));
>> > > -
>> > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
>> > > SCTP_CHUNK(repl));
>> > >
>> > > /*
>> > > @@ -507,6 +511,11 @@ sctp_disposition_t
>> > > sctp_sf_do_5_1C_ack(struct net *net,
>> > > struct sctp_chunk *err_chunk;
>> > > struct sctp_packet *packet;
>> > >
>> > > + /* Update socket peer label if first association. */
>> > > + if (security_sctp_assoc_request((struct sctp_endpoint
>> > > *)ep,
>> > > + chunk->skb,
>> > > SCTP_CID_INIT_ACK))
>> > > + return sctp_sf_pdiscard(net, ep, asoc, type, arg,
>> > > commands);
>> > > +
>> >
>> > Just thinking security_sctp_assoc_request hook should also be in
>> > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
>>
>> I agree, i think if this hook is gating on the creation of a new
>> association,
>> they should be in all the locations where that happens
>> Neil
>
> Thanks for the comments. I've just added the hook as requested for my
> next update, however I have not managed to trigger these areas using
> the lksctp-tools tests. Can you suggest any suitable tools for testing
> these scenarios.
It's all a matter of timing:
sctp_sf_do_5_2_2_dupinit():
Case A:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
INIT ----------------->
(Different INIT-TAG)
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
DATA ----------------->
<----------------- SACK
sctp_sf_do_5_2_1_siminit():
Case B:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
<----- Associate
<----------------- INIT
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
sctp_sf_do_5_2_4_dupcook():
Case D:
Endpoint A Endpoint B ULP
(CLOSED) (CLOSED)
<----- Associate
INIT ----------------->
<----------------- INIT-ACK
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
Communication Up ---------->
COOKIE-ECHO ----------------->
<----------------- COOKIE-ACK
I think scapy could help with 4-shake stuff:
# iptables -A OUTPUT -p sctp -d 192.0.0.2 --chunk-type only abort -o
eth1 -j DROP
and
something like:
def start_assoc(self, target, local):
target_host, target_port = target
local_host, local_port = local
# init snd
self._tsn = 2017
self._cnt = 15
SCTP_HEADER = (IP(dst=target_host, flags="DF") /
SCTP(sport=local_port, dport=target_port, tag=0))
INIT = (SCTP_HEADER / SCTPChunkInit(init_tag=1,
a_rwnd\x106496, n_out_streams=self._cnt, n_in_streams=self._cnt,
init_tsn=self._tsn,
params=[SCTPParamSupport(types=[64])]))
INIT_ACK = sr1(INIT, timeout=3, verbose=0)
if INIT_ACK = None or not INIT_ACK.haslayer(SCTPChunkInitAck):
return False
# cookie echo snd
SCTP_HEADER[SCTP].tag = INIT_ACK[SCTPChunkInitAck].init_tag
COOKIE_ECHO = (SCTP_HEADER /
SCTPChunkCookieEcho(cookie=INIT_ACK[SCTPChunkParamStateCookie].cookie))
COOKIE_ACK = sr1(COOKIE_ECHO, timeout=3, verbose=0)
if COOKIE_ACK = None or not
COOKIE_ACK.haslayer(SCTPChunkCookieAck):
return False
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
2017-10-20 13:14 ` Xin Long
(?)
@ 2017-10-24 20:27 ` Richard Haines
-1 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-24 20:27 UTC (permalink / raw)
To: Xin Long
Cc: Neil Horman, selinux, network dev, linux-sctp, linux-security-module
On Fri, 2017-10-20 at 21:14 +0800, Xin Long wrote:
> On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> > > On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > > > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > > > <richard_c_haines@btinternet.com> wrote:
> > > > > Add security hooks to allow security modules to exercise
> > > > > access
> > > > > control
> > > > > over SCTP.
> > > > >
> > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.co
> > > > > m>
> > > > > ---
> > > > > include/net/sctp/structs.h | 10 ++++++++
> > > > > include/uapi/linux/sctp.h | 1 +
> > > > > net/sctp/sm_make_chunk.c | 12 +++++++++
> > > > > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > > > > net/sctp/socket.c | 61
> > > > > +++++++++++++++++++++++++++++++++++++++++++++-
> > > > > 5 files changed, 96 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/include/net/sctp/structs.h
> > > > > b/include/net/sctp/structs.h
> > > > > index 7767577..6e72e3e 100644
> > > > > --- a/include/net/sctp/structs.h
> > > > > +++ b/include/net/sctp/structs.h
> > > > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > > > reconf_enable:1;
> > > > >
> > > > > __u8 strreset_enable;
> > > > > +
> > > > > + /* Security identifiers from incoming (INIT). These
> > > > > are
> > > > > set by
> > > > > + * security_sctp_assoc_request(). These will only be
> > > > > used
> > > > > by
> > > > > + * SCTP TCP type sockets and peeled off connections
> > > > > as
> > > > > they
> > > > > + * cause a new socket to be generated.
> > > > > security_sctp_sk_clone()
> > > > > + * will then plug these into the new socket.
> > > > > + */
> > > > > +
> > > > > + u32 secid;
> > > > > + u32 peer_secid;
> > > > > };
> > > > >
> > > > > /* Recover the outter endpoint structure. */
> > > > > diff --git a/include/uapi/linux/sctp.h
> > > > > b/include/uapi/linux/sctp.h
> > > > > index 6217ff8..c04812f 100644
> > > > > --- a/include/uapi/linux/sctp.h
> > > > > +++ b/include/uapi/linux/sctp.h
> > > > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > > > #define SCTP_RESET_ASSOC 120
> > > > > #define SCTP_ADD_STREAMS 121
> > > > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > > > +#define SCTP_SENDMSG_CONNECT 123
> > > > >
> > > > > /* PR-SCTP policies */
> > > > > #define SCTP_PR_SCTP_NONE 0x0000
> > > > > diff --git a/net/sctp/sm_make_chunk.c
> > > > > b/net/sctp/sm_make_chunk.c
> > > > > index 6110447..ca4705b 100644
> > > > > --- a/net/sctp/sm_make_chunk.c
> > > > > +++ b/net/sctp/sm_make_chunk.c
> > > > > @@ -3059,6 +3059,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any(&addr))
> > > > > memcpy(&addr, &asconf->source,
> > > > > sizeof(addr));
> > > > >
> > > > > + if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > + SCTP_PARAM_ADD
> > > > > _IP,
> > > > > + (struct
> > > > > sockaddr
> > > > > *)&addr,
> > > > > + af-
> > > > > >sockaddr_len))
> > > > > + return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > /* ADDIP 4.3 D9) If an endpoint receives an
> > > > > ADD
> > > > > IP address
> > > > > * request and does not have the local
> > > > > resources
> > > > > to add this
> > > > > * new address to the association, it MUST
> > > > > return
> > > > > an Error
> > > > > @@ -3125,6 +3131,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any(&addr))
> > > > > memcpy(&addr.v4, sctp_source(asconf),
> > > > > sizeof(addr));
> > > > >
> > > > > + if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > + SCTP_PARAM_SET
> > > > > _PRI
> > > > > MARY,
> > > > > + (struct
> > > > > sockaddr
> > > > > *)&addr,
> > > > > + af-
> > > > > >sockaddr_len))
> > > > > + return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > > > > if (!peer)
> > > > > return SCTP_ERROR_DNS_FAILED;
> > > > > diff --git a/net/sctp/sm_statefuns.c
> > > > > b/net/sctp/sm_statefuns.c
> > > > > index b2a74c3..4ba5805 100644
> > > > > --- a/net/sctp/sm_statefuns.c
> > > > > +++ b/net/sctp/sm_statefuns.c
> > > > > @@ -314,6 +314,11 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1B_init(struct net *net,
> > > > > sctp_unrecognized_param_t *unk_param;
> > > > > int len;
> > > > >
> > > > > + /* Update socket peer label if first association. */
> > > > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > > > *)ep,
> > > > > + chunk->skb,
> > > > > SCTP_CID_INIT))
> > > > > + return sctp_sf_pdiscard(net, ep, asoc, type,
> > > > > arg,
> > > > > commands);
> > > > > +
> > > > > /* 6.10 Bundling
> > > > > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > > > > * SHUTDOWN COMPLETE with any other chunks.
> > > > > @@ -446,7 +451,6 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1B_init(struct net *net,
> > > > > }
> > > > >
> > > > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
> > > > > SCTP_ASOC(new_asoc));
> > > > > -
> > > > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
> > > > > SCTP_CHUNK(repl));
> > > > >
> > > > > /*
> > > > > @@ -507,6 +511,11 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1C_ack(struct net *net,
> > > > > struct sctp_chunk *err_chunk;
> > > > > struct sctp_packet *packet;
> > > > >
> > > > > + /* Update socket peer label if first association. */
> > > > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > > > *)ep,
> > > > > + chunk->skb,
> > > > > SCTP_CID_INIT_ACK))
> > > > > + return sctp_sf_pdiscard(net, ep, asoc, type,
> > > > > arg,
> > > > > commands);
> > > > > +
> > > >
> > > > Just thinking security_sctp_assoc_request hook should also be
> > > > in
> > > > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
> > >
> > > I agree, i think if this hook is gating on the creation of a new
> > > association,
> > > they should be in all the locations where that happens
> > > Neil
> >
> > Thanks for the comments. I've just added the hook as requested for
> > my
> > next update, however I have not managed to trigger these areas
> > using
> > the lksctp-tools tests. Can you suggest any suitable tools for
> > testing
> > these scenarios.
>
> It's all a matter of timing:
>
> sctp_sf_do_5_2_2_dupinit():
> Case A:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
> INIT ----------------->
> (Different INIT-TAG)
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
>
> DATA ----------------->
>
> <----------------- SACK
>
>
> sctp_sf_do_5_2_1_siminit():
> Case B:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> <--
> --- Associate
> <----------------- INIT
>
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
>
>
> sctp_sf_do_5_2_4_dupcook():
> Case D:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> <--
> --- Associate
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
>
> I think scapy could help with 4-shake stuff:
> # iptables -A OUTPUT -p sctp -d 192.0.0.2 --chunk-type only abort -o
> eth1 -j DROP
> and
> something like:
> def start_assoc(self, target, local):
> target_host, target_port = target
> local_host, local_port = local
>
> # init snd
> self._tsn = 2017
> self._cnt = 15
>
> SCTP_HEADER = (IP(dst=target_host, flags="DF") /
> SCTP(sport=local_port, dport=target_port, tag=0))
> INIT = (SCTP_HEADER / SCTPChunkInit(init_tag=1,
> a_rwnd=106496, n_out_streams=self._cnt, n_in_streams=self._cnt,
> init_tsn=self._tsn,
>
> params=[SCTPParamSupport(types=[64])]))
> INIT_ACK = sr1(INIT, timeout=3, verbose=0)
> if INIT_ACK == None or not
> INIT_ACK.haslayer(SCTPChunkInitAck):
> return False
>
> # cookie echo snd
> SCTP_HEADER[SCTP].tag =
> INIT_ACK[SCTPChunkInitAck].init_tag
> COOKIE_ECHO = (SCTP_HEADER /
> SCTPChunkCookieEcho(cookie=INIT_ACK[SCTPChunkParamStateCookie].cookie
> ))
> COOKIE_ACK = sr1(COOKIE_ECHO, timeout=3, verbose=0)
> if COOKIE_ACK == None or not
> COOKIE_ACK.haslayer(SCTPChunkCookieAck):
> return False
That looks a bit complicated for me so I found some SCTP Conformance
Test Tools at: https://github.com/nplab
I added the required hooks as suggested above and then built and ran
"ETSI-SCTP-Conformance-Testsuite" and "sctp-tests" with the following
specific tests for the above scenarios according to RFC2960 sections
5.2.2 and 5.2.4:
sctp-dm-o-4-8
sctp-as-o-1-9-1
sctp-as-o-1-9-2
sctp-dm-o-4-2-1
They all passed except when running:
"sctp-tests" runsctptest sctp-as-o-1-9-2 - TIMEOUT
This is because the SUT needs to reply with a new IP address that
required a modified test server (I just used a simple sctp server),
however the ETSI-SCTP-Conformance-Testsuite did pass as I guess that
provided the required IP address.
Are these tests okay ??
Does anyone on the list use these conformance tools ???
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-24 20:27 ` Richard Haines
0 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-24 20:27 UTC (permalink / raw)
To: linux-security-module
On Fri, 2017-10-20 at 21:14 +0800, Xin Long wrote:
> On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> > > On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > > > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > > > <richard_c_haines@btinternet.com> wrote:
> > > > > Add security hooks to allow security modules to exercise
> > > > > access
> > > > > control
> > > > > over SCTP.
> > > > >
> > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.co
> > > > > m>
> > > > > ---
> > > > > include/net/sctp/structs.h | 10 ++++++++
> > > > > include/uapi/linux/sctp.h | 1 +
> > > > > net/sctp/sm_make_chunk.c | 12 +++++++++
> > > > > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > > > > net/sctp/socket.c | 61
> > > > > +++++++++++++++++++++++++++++++++++++++++++++-
> > > > > 5 files changed, 96 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/include/net/sctp/structs.h
> > > > > b/include/net/sctp/structs.h
> > > > > index 7767577..6e72e3e 100644
> > > > > --- a/include/net/sctp/structs.h
> > > > > +++ b/include/net/sctp/structs.h
> > > > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > > > reconf_enable:1;
> > > > >
> > > > > __u8 strreset_enable;
> > > > > +
> > > > > + /* Security identifiers from incoming (INIT). These
> > > > > are
> > > > > set by
> > > > > + * security_sctp_assoc_request(). These will only be
> > > > > used
> > > > > by
> > > > > + * SCTP TCP type sockets and peeled off connections
> > > > > as
> > > > > they
> > > > > + * cause a new socket to be generated.
> > > > > security_sctp_sk_clone()
> > > > > + * will then plug these into the new socket.
> > > > > + */
> > > > > +
> > > > > + u32 secid;
> > > > > + u32 peer_secid;
> > > > > };
> > > > >
> > > > > /* Recover the outter endpoint structure. */
> > > > > diff --git a/include/uapi/linux/sctp.h
> > > > > b/include/uapi/linux/sctp.h
> > > > > index 6217ff8..c04812f 100644
> > > > > --- a/include/uapi/linux/sctp.h
> > > > > +++ b/include/uapi/linux/sctp.h
> > > > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > > > #define SCTP_RESET_ASSOC 120
> > > > > #define SCTP_ADD_STREAMS 121
> > > > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > > > +#define SCTP_SENDMSG_CONNECT 123
> > > > >
> > > > > /* PR-SCTP policies */
> > > > > #define SCTP_PR_SCTP_NONE 0x0000
> > > > > diff --git a/net/sctp/sm_make_chunk.c
> > > > > b/net/sctp/sm_make_chunk.c
> > > > > index 6110447..ca4705b 100644
> > > > > --- a/net/sctp/sm_make_chunk.c
> > > > > +++ b/net/sctp/sm_make_chunk.c
> > > > > @@ -3059,6 +3059,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any(&addr))
> > > > > memcpy(&addr, &asconf->source,
> > > > > sizeof(addr));
> > > > >
> > > > > + if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > + SCTP_PARAM_ADD
> > > > > _IP,
> > > > > + (struct
> > > > > sockaddr
> > > > > *)&addr,
> > > > > + af-
> > > > > >sockaddr_len))
> > > > > + return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > /* ADDIP 4.3 D9) If an endpoint receives an
> > > > > ADD
> > > > > IP address
> > > > > * request and does not have the local
> > > > > resources
> > > > > to add this
> > > > > * new address to the association, it MUST
> > > > > return
> > > > > an Error
> > > > > @@ -3125,6 +3131,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any(&addr))
> > > > > memcpy(&addr.v4, sctp_source(asconf),
> > > > > sizeof(addr));
> > > > >
> > > > > + if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > + SCTP_PARAM_SET
> > > > > _PRI
> > > > > MARY,
> > > > > + (struct
> > > > > sockaddr
> > > > > *)&addr,
> > > > > + af-
> > > > > >sockaddr_len))
> > > > > + return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > > > > if (!peer)
> > > > > return SCTP_ERROR_DNS_FAILED;
> > > > > diff --git a/net/sctp/sm_statefuns.c
> > > > > b/net/sctp/sm_statefuns.c
> > > > > index b2a74c3..4ba5805 100644
> > > > > --- a/net/sctp/sm_statefuns.c
> > > > > +++ b/net/sctp/sm_statefuns.c
> > > > > @@ -314,6 +314,11 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1B_init(struct net *net,
> > > > > sctp_unrecognized_param_t *unk_param;
> > > > > int len;
> > > > >
> > > > > + /* Update socket peer label if first association. */
> > > > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > > > *)ep,
> > > > > + chunk->skb,
> > > > > SCTP_CID_INIT))
> > > > > + return sctp_sf_pdiscard(net, ep, asoc, type,
> > > > > arg,
> > > > > commands);
> > > > > +
> > > > > /* 6.10 Bundling
> > > > > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > > > > * SHUTDOWN COMPLETE with any other chunks.
> > > > > @@ -446,7 +451,6 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1B_init(struct net *net,
> > > > > }
> > > > >
> > > > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
> > > > > SCTP_ASOC(new_asoc));
> > > > > -
> > > > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
> > > > > SCTP_CHUNK(repl));
> > > > >
> > > > > /*
> > > > > @@ -507,6 +511,11 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1C_ack(struct net *net,
> > > > > struct sctp_chunk *err_chunk;
> > > > > struct sctp_packet *packet;
> > > > >
> > > > > + /* Update socket peer label if first association. */
> > > > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > > > *)ep,
> > > > > + chunk->skb,
> > > > > SCTP_CID_INIT_ACK))
> > > > > + return sctp_sf_pdiscard(net, ep, asoc, type,
> > > > > arg,
> > > > > commands);
> > > > > +
> > > >
> > > > Just thinking security_sctp_assoc_request hook should also be
> > > > in
> > > > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
> > >
> > > I agree, i think if this hook is gating on the creation of a new
> > > association,
> > > they should be in all the locations where that happens
> > > Neil
> >
> > Thanks for the comments. I've just added the hook as requested for
> > my
> > next update, however I have not managed to trigger these areas
> > using
> > the lksctp-tools tests. Can you suggest any suitable tools for
> > testing
> > these scenarios.
>
> It's all a matter of timing:
>
> sctp_sf_do_5_2_2_dupinit():
> Case A:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
> INIT ----------------->
> (Different INIT-TAG)
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
>
> DATA ----------------->
>
> <----------------- SACK
>
>
> sctp_sf_do_5_2_1_siminit():
> Case B:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> <--
> --- Associate
> <----------------- INIT
>
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
>
>
> sctp_sf_do_5_2_4_dupcook():
> Case D:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> <--
> --- Associate
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
>
> I think scapy could help with 4-shake stuff:
> # iptables -A OUTPUT -p sctp -d 192.0.0.2 --chunk-type only abort -o
> eth1 -j DROP
> and
> something like:
> def start_assoc(self, target, local):
> target_host, target_port = target
> local_host, local_port = local
>
> # init snd
> self._tsn = 2017
> self._cnt = 15
>
> SCTP_HEADER = (IP(dst=target_host, flags="DF") /
> SCTP(sport=local_port, dport=target_port, tag=0))
> INIT = (SCTP_HEADER / SCTPChunkInit(init_tag=1,
> a_rwnd=106496, n_out_streams=self._cnt, n_in_streams=self._cnt,
> init_tsn=self._tsn,
>
> params=[SCTPParamSupport(types=[64])]))
> INIT_ACK = sr1(INIT, timeout=3, verbose=0)
> if INIT_ACK == None or not
> INIT_ACK.haslayer(SCTPChunkInitAck):
> return False
>
> # cookie echo snd
> SCTP_HEADER[SCTP].tag =
> INIT_ACK[SCTPChunkInitAck].init_tag
> COOKIE_ECHO = (SCTP_HEADER /
> SCTPChunkCookieEcho(cookie=INIT_ACK[SCTPChunkParamStateCookie].cookie
> ))
> COOKIE_ACK = sr1(COOKIE_ECHO, timeout=3, verbose=0)
> if COOKIE_ACK == None or not
> COOKIE_ACK.haslayer(SCTPChunkCookieAck):
> return False
That looks a bit complicated for me so I found some SCTP Conformance
Test Tools at: https://github.com/nplab
I added the required hooks as suggested above and then built and ran
"ETSI-SCTP-Conformance-Testsuite" and "sctp-tests" with the following
specific tests for the above scenarios according to RFC2960 sections
5.2.2 and 5.2.4:
sctp-dm-o-4-8
sctp-as-o-1-9-1
sctp-as-o-1-9-2
sctp-dm-o-4-2-1
They all passed except when running:
"sctp-tests" runsctptest sctp-as-o-1-9-2 - TIMEOUT
This is because the SUT needs to reply with a new IP address that
required a modified test server (I just used a simple sctp server),
however the ETSI-SCTP-Conformance-Testsuite did pass as I guess that
provided the required IP address.
Are these tests okay ??
Does anyone on the list use these conformance tools ???
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo at vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe linux-security-module" in
the body of a message to majordomo at vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread
* Re: [RFC PATCH 3/5] sctp: Add LSM hooks
@ 2017-10-24 20:27 ` Richard Haines
0 siblings, 0 replies; 18+ messages in thread
From: Richard Haines @ 2017-10-24 20:27 UTC (permalink / raw)
To: linux-security-module
On Fri, 2017-10-20 at 21:14 +0800, Xin Long wrote:
> On Fri, Oct 20, 2017 at 8:04 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > On Fri, 2017-10-20 at 07:16 -0400, Neil Horman wrote:
> > > On Wed, Oct 18, 2017 at 11:05:09PM +0800, Xin Long wrote:
> > > > On Tue, Oct 17, 2017 at 9:58 PM, Richard Haines
> > > > <richard_c_haines@btinternet.com> wrote:
> > > > > Add security hooks to allow security modules to exercise
> > > > > access
> > > > > control
> > > > > over SCTP.
> > > > >
> > > > > Signed-off-by: Richard Haines <richard_c_haines@btinternet.co
> > > > > m>
> > > > > ---
> > > > > include/net/sctp/structs.h | 10 ++++++++
> > > > > include/uapi/linux/sctp.h | 1 +
> > > > > net/sctp/sm_make_chunk.c | 12 +++++++++
> > > > > net/sctp/sm_statefuns.c | 14 ++++++++++-
> > > > > net/sctp/socket.c | 61
> > > > > +++++++++++++++++++++++++++++++++++++++++++++-
> > > > > 5 files changed, 96 insertions(+), 2 deletions(-)
> > > > >
> > > > > diff --git a/include/net/sctp/structs.h
> > > > > b/include/net/sctp/structs.h
> > > > > index 7767577..6e72e3e 100644
> > > > > --- a/include/net/sctp/structs.h
> > > > > +++ b/include/net/sctp/structs.h
> > > > > @@ -1270,6 +1270,16 @@ struct sctp_endpoint {
> > > > > reconf_enable:1;
> > > > >
> > > > > __u8 strreset_enable;
> > > > > +
> > > > > + /* Security identifiers from incoming (INIT). These
> > > > > are
> > > > > set by
> > > > > + * security_sctp_assoc_request(). These will only be
> > > > > used
> > > > > by
> > > > > + * SCTP TCP type sockets and peeled off connections
> > > > > as
> > > > > they
> > > > > + * cause a new socket to be generated.
> > > > > security_sctp_sk_clone()
> > > > > + * will then plug these into the new socket.
> > > > > + */
> > > > > +
> > > > > + u32 secid;
> > > > > + u32 peer_secid;
> > > > > };
> > > > >
> > > > > /* Recover the outter endpoint structure. */
> > > > > diff --git a/include/uapi/linux/sctp.h
> > > > > b/include/uapi/linux/sctp.h
> > > > > index 6217ff8..c04812f 100644
> > > > > --- a/include/uapi/linux/sctp.h
> > > > > +++ b/include/uapi/linux/sctp.h
> > > > > @@ -122,6 +122,7 @@ typedef __s32 sctp_assoc_t;
> > > > > #define SCTP_RESET_ASSOC 120
> > > > > #define SCTP_ADD_STREAMS 121
> > > > > #define SCTP_SOCKOPT_PEELOFF_FLAGS 122
> > > > > +#define SCTP_SENDMSG_CONNECT 123
> > > > >
> > > > > /* PR-SCTP policies */
> > > > > #define SCTP_PR_SCTP_NONE 0x0000
> > > > > diff --git a/net/sctp/sm_make_chunk.c
> > > > > b/net/sctp/sm_make_chunk.c
> > > > > index 6110447..ca4705b 100644
> > > > > --- a/net/sctp/sm_make_chunk.c
> > > > > +++ b/net/sctp/sm_make_chunk.c
> > > > > @@ -3059,6 +3059,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any(&addr))
> > > > > memcpy(&addr, &asconf->source,
> > > > > sizeof(addr));
> > > > >
> > > > > + if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > + SCTP_PARAM_ADD
> > > > > _IP,
> > > > > + (struct
> > > > > sockaddr
> > > > > *)&addr,
> > > > > + af-
> > > > > >sockaddr_len))
> > > > > + return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > /* ADDIP 4.3 D9) If an endpoint receives an
> > > > > ADD
> > > > > IP address
> > > > > * request and does not have the local
> > > > > resources
> > > > > to add this
> > > > > * new address to the association, it MUST
> > > > > return
> > > > > an Error
> > > > > @@ -3125,6 +3131,12 @@ static __be16
> > > > > sctp_process_asconf_param(struct sctp_association *asoc,
> > > > > if (af->is_any(&addr))
> > > > > memcpy(&addr.v4, sctp_source(asconf),
> > > > > sizeof(addr));
> > > > >
> > > > > + if (security_sctp_bind_connect(asoc->ep-
> > > > > >base.sk,
> > > > > + SCTP_PARAM_SET
> > > > > _PRI
> > > > > MARY,
> > > > > + (struct
> > > > > sockaddr
> > > > > *)&addr,
> > > > > + af-
> > > > > >sockaddr_len))
> > > > > + return SCTP_ERROR_REQ_REFUSED;
> > > > > +
> > > > > peer = sctp_assoc_lookup_paddr(asoc, &addr);
> > > > > if (!peer)
> > > > > return SCTP_ERROR_DNS_FAILED;
> > > > > diff --git a/net/sctp/sm_statefuns.c
> > > > > b/net/sctp/sm_statefuns.c
> > > > > index b2a74c3..4ba5805 100644
> > > > > --- a/net/sctp/sm_statefuns.c
> > > > > +++ b/net/sctp/sm_statefuns.c
> > > > > @@ -314,6 +314,11 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1B_init(struct net *net,
> > > > > sctp_unrecognized_param_t *unk_param;
> > > > > int len;
> > > > >
> > > > > + /* Update socket peer label if first association. */
> > > > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > > > *)ep,
> > > > > + chunk->skb,
> > > > > SCTP_CID_INIT))
> > > > > + return sctp_sf_pdiscard(net, ep, asoc, type,
> > > > > arg,
> > > > > commands);
> > > > > +
> > > > > /* 6.10 Bundling
> > > > > * An endpoint MUST NOT bundle INIT, INIT ACK or
> > > > > * SHUTDOWN COMPLETE with any other chunks.
> > > > > @@ -446,7 +451,6 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1B_init(struct net *net,
> > > > > }
> > > > >
> > > > > sctp_add_cmd_sf(commands, SCTP_CMD_NEW_ASOC,
> > > > > SCTP_ASOC(new_asoc));
> > > > > -
> > > > > sctp_add_cmd_sf(commands, SCTP_CMD_REPLY,
> > > > > SCTP_CHUNK(repl));
> > > > >
> > > > > /*
> > > > > @@ -507,6 +511,11 @@ sctp_disposition_t
> > > > > sctp_sf_do_5_1C_ack(struct net *net,
> > > > > struct sctp_chunk *err_chunk;
> > > > > struct sctp_packet *packet;
> > > > >
> > > > > + /* Update socket peer label if first association. */
> > > > > + if (security_sctp_assoc_request((struct sctp_endpoint
> > > > > *)ep,
> > > > > + chunk->skb,
> > > > > SCTP_CID_INIT_ACK))
> > > > > + return sctp_sf_pdiscard(net, ep, asoc, type,
> > > > > arg,
> > > > > commands);
> > > > > +
> > > >
> > > > Just thinking security_sctp_assoc_request hook should also be
> > > > in
> > > > sctp_sf_do_unexpected_init() and sctp_sf_do_5_2_4_dupcook() ?
> > >
> > > I agree, i think if this hook is gating on the creation of a new
> > > association,
> > > they should be in all the locations where that happens
> > > Neil
> >
> > Thanks for the comments. I've just added the hook as requested for
> > my
> > next update, however I have not managed to trigger these areas
> > using
> > the lksctp-tools tests. Can you suggest any suitable tools for
> > testing
> > these scenarios.
>
> It's all a matter of timing:
>
> sctp_sf_do_5_2_2_dupinit():
> Case A:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
> INIT ----------------->
> (Different INIT-TAG)
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
>
> DATA ----------------->
>
> <----------------- SACK
>
>
> sctp_sf_do_5_2_1_siminit():
> Case B:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> <--
> --- Associate
> <----------------- INIT
>
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
>
>
> sctp_sf_do_5_2_4_dupcook():
> Case D:
>
> Endpoint A Endpoint B ULP
> (CLOSED) (CLOSED)
>
> <--
> --- Associate
> INIT ----------------->
>
> <----------------- INIT-ACK
>
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
> Communication Up ---------->
> COOKIE-ECHO ----------------->
>
> <----------------- COOKIE-ACK
>
> I think scapy could help with 4-shake stuff:
> # iptables -A OUTPUT -p sctp -d 192.0.0.2 --chunk-type only abort -o
> eth1 -j DROP
> and
> something like:
> def start_assoc(self, target, local):
> target_host, target_port = target
> local_host, local_port = local
>
> # init snd
> self._tsn = 2017
> self._cnt = 15
>
> SCTP_HEADER = (IP(dst=target_host, flags="DF") /
> SCTP(sport=local_port, dport=target_port, tag=0))
> INIT = (SCTP_HEADER / SCTPChunkInit(init_tag=1,
> a_rwnd\x106496, n_out_streams=self._cnt, n_in_streams=self._cnt,
> init_tsn=self._tsn,
>
> params=[SCTPParamSupport(types=[64])]))
> INIT_ACK = sr1(INIT, timeout=3, verbose=0)
> if INIT_ACK = None or not
> INIT_ACK.haslayer(SCTPChunkInitAck):
> return False
>
> # cookie echo snd
> SCTP_HEADER[SCTP].tag > INIT_ACK[SCTPChunkInitAck].init_tag
> COOKIE_ECHO = (SCTP_HEADER /
> SCTPChunkCookieEcho(cookie=INIT_ACK[SCTPChunkParamStateCookie].cookie
> ))
> COOKIE_ACK = sr1(COOKIE_ECHO, timeout=3, verbose=0)
> if COOKIE_ACK = None or not
> COOKIE_ACK.haslayer(SCTPChunkCookieAck):
> return False
That looks a bit complicated for me so I found some SCTP Conformance
Test Tools at: https://github.com/nplab
I added the required hooks as suggested above and then built and ran
"ETSI-SCTP-Conformance-Testsuite" and "sctp-tests" with the following
specific tests for the above scenarios according to RFC2960 sections
5.2.2 and 5.2.4:
sctp-dm-o-4-8
sctp-as-o-1-9-1
sctp-as-o-1-9-2
sctp-dm-o-4-2-1
They all passed except when running:
"sctp-tests" runsctptest sctp-as-o-1-9-2 - TIMEOUT
This is because the SUT needs to reply with a new IP address that
required a modified test server (I just used a simple sctp server),
however the ETSI-SCTP-Conformance-Testsuite did pass as I guess that
provided the required IP address.
Are these tests okay ??
Does anyone on the list use these conformance tools ???
> --
> To unsubscribe from this list: send the line "unsubscribe linux-
> security-module" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 18+ messages in thread