[PATCH V4 0/4] Add SELinux SCTP protocol support

[PATCH V4 0/4] Add SELinux SCTP protocol support

[Richard Haines]

Note: Some conflicts are expected when merging with current net-next due to
Interleaving Data (I-DATA) sets of patches:
PATCH 2/4 - Where 'sctp_datachk_len(&asoc->stream)' has replaced
'sizeof(struct sctp_data_chunk)' in include/net/sctp/sctp.h, 
net/sctp/chunk.c and net/sctp/socket.c 
PATCH 3/4 - Where include/uapi/linux/sctp.h requires a fix to update the
#define SCTP_SENDMSG_CONNECT to a higher number.

These patches have been built on Fedora 27 with kernel 4.14.8 plus
the following userspace patches to enable testing:

1) Updates to libsepol 2.7 to support the sctp portcon statement.
   The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         selinux-Add-support-for-the-SCTP-portcon-keyword.patch

2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
   selinux-testsuite/README.sctp for details. The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         selinux-testsuite-Add-SCTP-test-support.patch

3) Updates to lksctp-tools that show SELinux info in sctp_darn and
   sctp_test. It also contains a minor patch for test_1_to_1_connect.c
   as when CIPSO/CALIPSO configured, NetLabel returns a different error
   code for illegal addresses in test 5. The patch is available from:
         http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
         lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch

All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.

All SCTP regression tests "./sctp-tests run" run correctly in enforcing
mode. These tests are obtained from: https://github.com/sctp/sctp-tests

The selinux-testsuite patch also adds remote tests (that need some manual
configuration). These are useful for testing CIPSO/CALIPSO over a network
with a number of categories to produce large ip option fields with various
message sizes forcing fragmentation etc..

Changes since RFC Patch:
Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
as re-engineered. However this patchset will require the NetLabel
patch at [1] to fully run the SCTP selinux-testsuite.

V1 Changes:
PATCH 1/4
Remove unused parameter from security_sctp_assoc_request().
Reformat and update LSM-sctp.rst documentation.
PATCH 2/4
Add variables and RCU locks as requested in [2] to support IP options.
PATCH 3/4
Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
and sctp_sf_do_5_2_4_dupcook().
Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
no longer required.
PATCH 4/4
Reformat and update SELinux-sctp.rst documentation.
Remove bindx and connectx permissions.
Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
utilise helpers for code reuse.
Add spinlock to selinux_sctp_assoc_request().
Remove unused parameter from security_sctp_assoc_request().
Use address->sa_family == AF_INET in *_bind and *_connect to ensure
correct address type.
Minor cleanups.

V2 Changes:
PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]

V3 Changes:
PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
Marcelo

V4 Changes:
PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
selinux_netlbl_socket_connect_locked() and move description comments to
selinux_sctp_bind_connect()

[1] https://marc.info/?l=selinux&m=151061619115945&w=2
[2] https://marc.info/?l=selinux&m=150962470215797&w=2
[3] https://marc.info/?l=selinux&m=151198281817779&w=2


Richard Haines (4):
  security: Add support for SCTP security hooks
  sctp: Add ip option support
  sctp: Add LSM hooks
  selinux: Add SCTP support

 Documentation/security/LSM-sctp.rst     | 175 ++++++++++++++++++++
 Documentation/security/SELinux-sctp.rst | 157 ++++++++++++++++++
 include/linux/lsm_hooks.h               |  36 ++++
 include/linux/security.h                |  25 +++
 include/net/sctp/sctp.h                 |   4 +-
 include/net/sctp/structs.h              |  12 ++
 include/uapi/linux/sctp.h               |   1 +
 net/sctp/chunk.c                        |  13 +-
 net/sctp/ipv6.c                         |  42 ++++-
 net/sctp/output.c                       |   5 +-
 net/sctp/protocol.c                     |  36 ++++
 net/sctp/sm_make_chunk.c                |  12 ++
 net/sctp/sm_statefuns.c                 |  18 ++
 net/sctp/socket.c                       |  70 +++++++-
 security/security.c                     |  22 +++
 security/selinux/hooks.c                | 280 +++++++++++++++++++++++++++++---
 security/selinux/include/classmap.h     |   2 +-
 security/selinux/include/netlabel.h     |  21 ++-
 security/selinux/include/objsec.h       |   4 +
 security/selinux/netlabel.c             | 138 ++++++++++++++--
 20 files changed, 1024 insertions(+), 49 deletions(-)
 create mode 100644 Documentation/security/LSM-sctp.rst
 create mode 100644 Documentation/security/SELinux-sctp.rst

-- 
2.14.3

Re: [PATCH V4 0/4] Add SELinux SCTP protocol support

[Paul Moore]

On Sat, Dec 30, 2017 at 12:18 PM, Richard Haines
<richard_c_haines@btinternet.com> wrote:
> Note: Some conflicts are expected when merging with current net-next due to
> Interleaving Data (I-DATA) sets of patches:
> PATCH 2/4 - Where 'sctp_datachk_len(&asoc->stream)' has replaced
> 'sizeof(struct sctp_data_chunk)' in include/net/sctp/sctp.h,
> net/sctp/chunk.c and net/sctp/socket.c
> PATCH 3/4 - Where include/uapi/linux/sctp.h requires a fix to update the
> #define SCTP_SENDMSG_CONNECT to a higher number.
>
> These patches have been built on Fedora 27 with kernel 4.14.8 plus
> the following userspace patches to enable testing:
>
> 1) Updates to libsepol 2.7 to support the sctp portcon statement.
>    The patch is available from:
>          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>          selinux-Add-support-for-the-SCTP-portcon-keyword.patch
>
> 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
>    selinux-testsuite/README.sctp for details. The patch is available from:
>          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>          selinux-testsuite-Add-SCTP-test-support.patch
>
> 3) Updates to lksctp-tools that show SELinux info in sctp_darn and
>    sctp_test. It also contains a minor patch for test_1_to_1_connect.c
>    as when CIPSO/CALIPSO configured, NetLabel returns a different error
>    code for illegal addresses in test 5. The patch is available from:
>          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>          lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch
>
> All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
>
> All SCTP regression tests "./sctp-tests run" run correctly in enforcing
> mode. These tests are obtained from: https://github.com/sctp/sctp-tests
>
> The selinux-testsuite patch also adds remote tests (that need some manual
> configuration). These are useful for testing CIPSO/CALIPSO over a network
> with a number of categories to produce large ip option fields with various
> message sizes forcing fragmentation etc..
>
> Changes since RFC Patch:
> Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
> as re-engineered. However this patchset will require the NetLabel
> patch at [1] to fully run the SCTP selinux-testsuite.
>
> V1 Changes:
> PATCH 1/4
> Remove unused parameter from security_sctp_assoc_request().
> Reformat and update LSM-sctp.rst documentation.
> PATCH 2/4
> Add variables and RCU locks as requested in [2] to support IP options.
> PATCH 3/4
> Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
> and sctp_sf_do_5_2_4_dupcook().
> Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
> no longer required.
> PATCH 4/4
> Reformat and update SELinux-sctp.rst documentation.
> Remove bindx and connectx permissions.
> Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
> utilise helpers for code reuse.
> Add spinlock to selinux_sctp_assoc_request().
> Remove unused parameter from security_sctp_assoc_request().
> Use address->sa_family == AF_INET in *_bind and *_connect to ensure
> correct address type.
> Minor cleanups.
>
> V2 Changes:
> PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
> PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]
>
> V3 Changes:
> PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
> Marcelo
>
> V4 Changes:
> PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
> lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
> PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
> selinux_netlbl_socket_connect_locked() and move description comments to
> selinux_sctp_bind_connect()
>
> [1] https://marc.info/?l=selinux&m=151061619115945&w=2
> [2] https://marc.info/?l=selinux&m=150962470215797&w=2
> [3] https://marc.info/?l=selinux&m=151198281817779&w=2

SCTP folks, any objections?  I'm planning on merging these into
selinux-next after the next merge window so if you want to see any
changes, please speak up ...

-- 
paul moore
www.paul-moore.com

Re: [PATCH V4 0/4] Add SELinux SCTP protocol support

[Marcelo Ricardo Leitner]

On Wed, Jan 10, 2018 at 11:39:45AM -0500, Paul Moore wrote:
> On Sat, Dec 30, 2017 at 12:18 PM, Richard Haines
> <richard_c_haines@btinternet.com> wrote:
> > Note: Some conflicts are expected when merging with current net-next due to
> > Interleaving Data (I-DATA) sets of patches:
> > PATCH 2/4 - Where 'sctp_datachk_len(&asoc->stream)' has replaced
> > 'sizeof(struct sctp_data_chunk)' in include/net/sctp/sctp.h,
> > net/sctp/chunk.c and net/sctp/socket.c
> > PATCH 3/4 - Where include/uapi/linux/sctp.h requires a fix to update the
> > #define SCTP_SENDMSG_CONNECT to a higher number.
> >
> > These patches have been built on Fedora 27 with kernel 4.14.8 plus
> > the following userspace patches to enable testing:
> >
> > 1) Updates to libsepol 2.7 to support the sctp portcon statement.
> >    The patch is available from:
> >          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >          selinux-Add-support-for-the-SCTP-portcon-keyword.patch
> >
> > 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
> >    selinux-testsuite/README.sctp for details. The patch is available from:
> >          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >          selinux-testsuite-Add-SCTP-test-support.patch
> >
> > 3) Updates to lksctp-tools that show SELinux info in sctp_darn and
> >    sctp_test. It also contains a minor patch for test_1_to_1_connect.c
> >    as when CIPSO/CALIPSO configured, NetLabel returns a different error
> >    code for illegal addresses in test 5. The patch is available from:
> >          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
> >          lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch
> >
> > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
> >
> > All SCTP regression tests "./sctp-tests run" run correctly in enforcing
> > mode. These tests are obtained from: https://github.com/sctp/sctp-tests
> >
> > The selinux-testsuite patch also adds remote tests (that need some manual
> > configuration). These are useful for testing CIPSO/CALIPSO over a network
> > with a number of categories to produce large ip option fields with various
> > message sizes forcing fragmentation etc..
> >
> > Changes since RFC Patch:
> > Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
> > as re-engineered. However this patchset will require the NetLabel
> > patch at [1] to fully run the SCTP selinux-testsuite.
> >
> > V1 Changes:
> > PATCH 1/4
> > Remove unused parameter from security_sctp_assoc_request().
> > Reformat and update LSM-sctp.rst documentation.
> > PATCH 2/4
> > Add variables and RCU locks as requested in [2] to support IP options.
> > PATCH 3/4
> > Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
> > and sctp_sf_do_5_2_4_dupcook().
> > Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
> > no longer required.
> > PATCH 4/4
> > Reformat and update SELinux-sctp.rst documentation.
> > Remove bindx and connectx permissions.
> > Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
> > utilise helpers for code reuse.
> > Add spinlock to selinux_sctp_assoc_request().
> > Remove unused parameter from security_sctp_assoc_request().
> > Use address->sa_family == AF_INET in *_bind and *_connect to ensure
> > correct address type.
> > Minor cleanups.
> >
> > V2 Changes:
> > PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
> > PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]
> >
> > V3 Changes:
> > PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
> > Marcelo
> >
> > V4 Changes:
> > PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
> > lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
> > PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
> > selinux_netlbl_socket_connect_locked() and move description comments to
> > selinux_sctp_bind_connect()
> >
> > [1] https://marc.info/?l=selinux&m=151061619115945&w=2
> > [2] https://marc.info/?l=selinux&m=150962470215797&w=2
> > [3] https://marc.info/?l=selinux&m=151198281817779&w=2
> 
> SCTP folks, any objections?  I'm planning on merging these into
> selinux-next after the next merge window so if you want to see any
> changes, please speak up ...

No objections from my side.

Thanks,
Marcelo

Re: [PATCH V4 0/4] Add SELinux SCTP protocol support

[Paul Moore]

On Wed, Jan 10, 2018 at 1:51 PM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Wed, Jan 10, 2018 at 11:39:45AM -0500, Paul Moore wrote:
>> On Sat, Dec 30, 2017 at 12:18 PM, Richard Haines
>> <richard_c_haines@btinternet.com> wrote:
>> > Note: Some conflicts are expected when merging with current net-next due to
>> > Interleaving Data (I-DATA) sets of patches:
>> > PATCH 2/4 - Where 'sctp_datachk_len(&asoc->stream)' has replaced
>> > 'sizeof(struct sctp_data_chunk)' in include/net/sctp/sctp.h,
>> > net/sctp/chunk.c and net/sctp/socket.c
>> > PATCH 3/4 - Where include/uapi/linux/sctp.h requires a fix to update the
>> > #define SCTP_SENDMSG_CONNECT to a higher number.
>> >
>> > These patches have been built on Fedora 27 with kernel 4.14.8 plus
>> > the following userspace patches to enable testing:
>> >
>> > 1) Updates to libsepol 2.7 to support the sctp portcon statement.
>> >    The patch is available from:
>> >          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>> >          selinux-Add-support-for-the-SCTP-portcon-keyword.patch
>> >
>> > 2) Updates to the SELinux Test Suite adding SCTP tests. Please read the
>> >    selinux-testsuite/README.sctp for details. The patch is available from:
>> >          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>> >          selinux-testsuite-Add-SCTP-test-support.patch
>> >
>> > 3) Updates to lksctp-tools that show SELinux info in sctp_darn and
>> >    sctp_test. It also contains a minor patch for test_1_to_1_connect.c
>> >    as when CIPSO/CALIPSO configured, NetLabel returns a different error
>> >    code for illegal addresses in test 5. The patch is available from:
>> >          http://arctic.selinuxproject.org/~rhaines/selinux-sctp/
>> >          lksctp-tools-Add-SELinux-support-to-sctp_test-and-sc.patch
>> >
>> > All SCTP lksctp-tools/src/func_tests run correctly in enforcing mode.
>> >
>> > All SCTP regression tests "./sctp-tests run" run correctly in enforcing
>> > mode. These tests are obtained from: https://github.com/sctp/sctp-tests
>> >
>> > The selinux-testsuite patch also adds remote tests (that need some manual
>> > configuration). These are useful for testing CIPSO/CALIPSO over a network
>> > with a number of categories to produce large ip option fields with various
>> > message sizes forcing fragmentation etc..
>> >
>> > Changes since RFC Patch:
>> > Removed the NetLabel patch (was [RFC PATCH 4/5] netlabel: Add SCTP support)
>> > as re-engineered. However this patchset will require the NetLabel
>> > patch at [1] to fully run the SCTP selinux-testsuite.
>> >
>> > V1 Changes:
>> > PATCH 1/4
>> > Remove unused parameter from security_sctp_assoc_request().
>> > Reformat and update LSM-sctp.rst documentation.
>> > PATCH 2/4
>> > Add variables and RCU locks as requested in [2] to support IP options.
>> > PATCH 3/4
>> > Added security_sctp_assoc_request() hook to sctp_sf_do_unexpected_init()
>> > and sctp_sf_do_5_2_4_dupcook().
>> > Removed security_sctp_assoc_request() hook from sctp_sf_do_5_1C_ack() as
>> > no longer required.
>> > PATCH 4/4
>> > Reformat and update SELinux-sctp.rst documentation.
>> > Remove bindx and connectx permissions.
>> > Rework selinux_socket_connect() and selinux_netlbl_socket_connect() to
>> > utilise helpers for code reuse.
>> > Add spinlock to selinux_sctp_assoc_request().
>> > Remove unused parameter from security_sctp_assoc_request().
>> > Use address->sa_family == AF_INET in *_bind and *_connect to ensure
>> > correct address type.
>> > Minor cleanups.
>> >
>> > V2 Changes:
>> > PATCH 4/4 - Remove spin lock from selinux_sctp_assoc_request()
>> > PATCH 4/4 - Fix selinux_sctp_sk_clone() kbuild test robot catch [3]
>> >
>> > V3 Changes:
>> > PATCH 2/4 - Account for IP options length in sctp.h sctp_frag_point() by
>> > Marcelo
>> >
>> > V4 Changes:
>> > PATCH 1/4 - Move specific SELinux descriptions from LSM-sctp.rst and
>> > lsm_hooks.h to SELinux-sctp.rst in PATCH 4/4
>> > PATCH 4/4 - Rename selinux_netlbl_sctp_socket_connect() to
>> > selinux_netlbl_socket_connect_locked() and move description comments to
>> > selinux_sctp_bind_connect()
>> >
>> > [1] https://marc.info/?l=selinux&m=151061619115945&w=2
>> > [2] https://marc.info/?l=selinux&m=150962470215797&w=2
>> > [3] https://marc.info/?l=selinux&m=151198281817779&w=2
>>
>> SCTP folks, any objections?  I'm planning on merging these into
>> selinux-next after the next merge window so if you want to see any
>> changes, please speak up ...
>
> No objections from my side.

I figured not :)  Thanks again for all the review/feedback.

-- 
paul moore
www.paul-moore.com