[redhat-lspp] [RFC] UDP secpeer design document (Version 2)

Catherine Zhang czhang.us at gmail.com
Fri Nov 11 22:16:38 UTC 2005 

Hi, everyone,

Thanks for all your suggestions (in particular, James Morris and
Roland McGrath).  I have updated the design document taking into your
suggestions.

As always comments are appreciated!

regards,
Catherine
IBM Research

----------------------
1. Purpose

The goal is to provide the API for an application to retrieve the
security context of the peer for the UDP protocol.  We would like to
achieve this without labelling individual skbuff.


2. Background

Unlike TCP, UDP is connectionless.  This requires a somewhat different
API to retrieve the peer security context.  With TCP, the peer
security context stays the same throughout the connection, thus it can
be retrieved at any time between when the connection is established
and when it is torn down.  With UDP, each read/write can have
different peer and thus the security context might change every time.
As a result the security context retrieval must be done TOGETHER with
the packet retrieval.


3. Design

We decide to build upon the existing Unix domain socket API for
retrieving user credentials.  Linux offers the API for obtaining user
credentials via ancillary messages (i.e., out of band/control messages
that are bundled together with a normal message).  We discuss the
trade off of this approach below:

Pros:
- The security context is retrieved at the same time when the
  packet is read.
- Better acceptability because the API already exists for Unix domain
  sockets.

Cons:
- Using ancillary messages for passing credentials is not supported
  on every Unix platform.  Thus it is not portable.

An example server application for UDP should look like this:

setsockopt(sockfd, SOL_SOCKET, SO_PASSSEC, optbuf, &optlen);
recvmsg(sockfd, &msg_hdr, 0);
if (msg_hdr.msg_controllen > sizeof(struct cmsghdr)) {
    cmsg_hdr = CMSG_FIRSTHDR(&msg_hdr);
    if (cmsg_hdr->cmsg_len == CMSG_LEN(sizeof(struct ucred)) &&
        cmsg_hdr->cmsg_level == SOL_SOCKET &&
        cmsg_hdr->cmsg_type == SCM_SECURITY) {
        memcpy(&sec_ctx, CMSG_DATA(cmsg_hdr), sizeof(security_context));
    }
}

switch (sec_ctx) {
  case "normal_u:...": // fork a normal_u process;
  case "special_u:...": // fork a special_u process;
  ...
}


4. Implementation

We need to add a new socket option SO_PASSSEC to allow a server socket
to receive security context of the peer.

We need to add a new ancillary message type SCM_SECURITY.

When the packet is received we get the security context from the
sec_path pointer which is contained in the skbuff, and copy it to the
ancillary message space.

More information about the redhat-lspp mailing list