RFE: Add SCM_SECURITY support to IPv6

Question

RFE: Add SCM_SECURITY support to IPv6

stephensmalley opened this issue 8 years ago · 5 comments

As reported by Richard Haines, IPv6 stream sockets support SO_PEERCON, but IPv6 datagram sockets do not currently support SCM_SECURITY, unlike IPv4 datagram sockets. For IPv4, the support is implemented in net/ipv4/ip_sockglue.c:ip_cmsg_rcv_security(). We would need to implement similar support in the ipv6 code.

Answer 1 · 2016-12-15T23:56:44.000Z

Some initial thoughts from a few minutes of looking at this:

We will need to modify do_ipv6_setsockopt() and do_ipv6_getsockopt() to understand IP_PASSSEC, or similar (IPV6_PASSSEC?), and set/get a bit in the ipv6_pinfo.rxopts.bits structure.
Add support for sending the SCM_SECURITY cmsg via ip6_datagram_recv_common_ctl() or ip6_datagram_recv_specific_ctl().

Answer 2 · 2016-12-16T00:31:00.000Z

Unfortunately it doesn't look like we will be able to use SCM_SECURITY with IPv6, in fact we probably shouldn't have used it with IPv4 either, but it looks like we got lucky; SOL_IP/SCM_SECURITY conflicts with SOL_IP/IP_HDRINCL but since IP_HDRINCL is never used in a cmsg it doesn't present a problem in practice.

Looking at the rest of the IPv6 code, it looks like convention is to reuse the socket option as the cmsg type, that's probably our best bet.

Answer 3 · 2016-12-16T00:41:30.000Z

Completely untested, but this should give some idea about what I'm thinking:

https://gist.github.com/pcmoore/f0d157c39d7930a8a8377555085f0e77

Answer 4 · 2016-12-16T14:13:20.000Z

That's odd; why would SCM_ and IP_ be in the same namespace?
Is it because SCM_* was originally only for UNIX sockets?
In any event, now that Richard has added IPv6 support to selinux-testsuite, it should be easy to update for this.

Answer 5 · 2016-12-16T17:29:08.000Z

sds> That's odd; why would SCM_ and IP_ be in the same namespace?

Exactly, SCM_SECURITY never should have been used here. The change dates back to 2006:

commit 2c7946a7bf45ae86736ab3b43d0085e43947945c
Author: Catherine Zhang <cxzhang@watson.ibm.com>
Date:   Mon Mar 20 22:41:23 2006 -0800

[SECURITY]: TCP/UDP getpeersec

This patch implements an application of the LSM-IPSec networking
controls whereby an application can determine the label of the
security association its TCP or UDP sockets are currently connected to
via getsockopt and the auxiliary data mechanism of recvmsg ...

Evidently no one was checking IBM's work very closely during that time period as there was also that IKEv1 ECN conflict.

sds> Is it because SCM_* was originally only for UNIX sockets?

I would think so, but this predates my serious involvement in the labeled networking area.

sds> In any event, now that Richard has added IPv6 support to selinux-testsuite,
sds> it should be easy to update for this.

Agreed.