1 files changed, 139 insertions, 0 deletions
diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil
new file mode 100644
index 0000000..fdaa0ad
--- /dev/null
+++ b/src/net/spdnet.cil
@@ -0,0 +1,139 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(class association (polmatch recvfrom sendto setcontext))
+(classorder (unordered association))
+
+(macro polmatch_invalid_associations ((type ARG1))
+       (allow ARG1 invalid (association (polmatch))))
+
+(macro polmatchsetcontext_invalid_associations ((type ARG1))
+       (allow ARG1 invalid (association (polmatch setcontext))))
+
+(macro recvfrom_invalid_associations ((type ARG1))
+       (allow ARG1 invalid (association (recvfrom))))
+
+(macro recvfromsendto_invalid_associations ((type ARG1))
+       (allow ARG1 invalid (association (recvfrom sendto))))
+
+(macro sendto_invalid_associations ((type ARG1))
+       (allow ARG1 invalid (association (sendto))))
+
+(macro setcontext_invalid_associations ((type ARG1))
+       (allow ARG1 invalid (association (setcontext))))
+
+(tunableif invalid_associations
+	   (true
+
+	    (call association_invalid_sctp_sockets
+		  (invalidassociations.except.typeattr))
+	    (call recvfromsendto_invalid_associations
+		  (invalidassociations.except.typeattr))))
+
+(in invalid.unconfined
+
+    (allow typeattr .invalid (association (not (setcontext)))))
+
+(in mcs
+
+    (mlsconstrain (association (sendto recvfrom))
+		  (or (dom h1 h2)
+		      (and
+		       (neq t1 constrained.typeattr)
+		       (neq t2 constrained.typeattr)))))
+
+(in net
+
+    (blockinherit spd.template)
+
+    (block spd
+
+      (macro type ((type ARG1))
+	     (typeattributeset typeattr ARG1))
+
+      (typeattribute typeattr)
+
+      (blockinherit all_macro_template)
+
+      (call .obj.type (typeattr))
+
+      (block all_macro_template
+
+	(blockabstract all_macro_template)
+
+	(macro polmatch_all_associations ((type ARG1))
+	       (allow ARG1 typeattr (association (polmatch))))
+
+	(macro polmatchsetcontext_all_associations ((type ARG1))
+	       (allow ARG1 typeattr (association (polmatch setcontext))))
+
+	(macro setcontext_all_associations ((type ARG1))
+	       (allow ARG1 typeattr (association (setcontext)))))
+
+      (block base_template
+
+	(blockabstract base_template)
+
+	(context spd_context (.sys.id .sys.role spd lowlevelrange))
+
+	(type spd)
+	(call .net.spd.type (spd)))
+
+      (block macro_template
+
+	(blockabstract macro_template)
+
+	(macro polmatch_spd_associations ((type ARG1))
+	       (allow ARG1 spd (association (polmatch))))
+
+	(macro polmatchsetcontext_spd_associations ((type ARG1))
+	       (allow ARG1 spd (association (polmatch setcontext))))
+
+	(macro setcontext_spd_associations ((type ARG1))
+	       (allow ARG1 spd (association (setcontext)))))
+
+      (block template
+
+	(blockabstract template)
+
+	(blockinherit .net.spd.base_template)
+	(blockinherit .net.spd.macro_template))
+
+      (block unconfined
+
+	(macro type ((type ARG1))
+	       (typeattributeset typeattr ARG1))
+
+	(typeattribute typeattr)
+
+	(allow typeattr spd.typeattr (association (polmatch setcontext))))))
+
+(in net.unconfined
+
+    (call .net.spd.unconfined.type (typeattr)))
+
+(in subj
+
+    (macro recvfrom_all_associations ((type ARG1))
+	   (allow ARG1 typeattr (association (recvfrom))))
+
+    (macro recvfromsendto_all_associations ((type ARG1))
+	   (allow ARG1 typeattr (association (recvfrom sendto))))
+
+    (macro sendto_all_associations ((type ARG1))
+	   (allow ARG1 typeattr (association (sendto)))))
+
+(in subj.macro_template
+
+    (macro recvfrom_subj_associations ((type ARG1))
+	   (allow ARG1 subj (association (recvfrom))))
+
+    (macro recvfromsendto_subj_associations ((type ARG1))
+	   (allow ARG1 subj (association (recvfrom sendto))))
+
+    (macro sendto_subj_associations ((type ARG1))
+	   (allow ARG1 subj (association (sendto)))))
+
+(in subj.unconfined
+
+    (allow typeattr .subj.typeattr (association (recvfrom sendto))))