Diffstat (limited to 'src/net')
-rw-r--r--src/net/ibnet.cil15
-rw-r--r--src/net/ibnet/endportibnet.cil76
-rw-r--r--src/net/ibnet/pkeyibnet.cil76
-rw-r--r--src/net/netifnet.cil101
-rw-r--r--src/net/nodenet.cil147
-rw-r--r--src/net/packetnet.cil168
-rw-r--r--src/net/peernet.cil110
-rw-r--r--src/net/portnet.cil115
-rw-r--r--src/net/portnet/ephemeralportnet.cil39
-rw-r--r--src/net/portnet/reservedportnet.cil39
-rw-r--r--src/net/portnet/unreservedportnet.cil43
-rw-r--r--src/net/spdnet.cil139
12 files changed, 1068 insertions, 0 deletions
diff --git a/src/net/ibnet.cil b/src/net/ibnet.cil
new file mode 100644
index 0000000..0851d62
--- /dev/null
+++ b/src/net/ibnet.cil
@@ -0,0 +1,15 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(in net
+
+ (call ib.unconfined.type (unconfined.typeattr))
+
+ (block ib
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr))))
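Review bot: The `(call ib.unconfined.type (unconfined.typeattr))` at the top of the `net` block reads as a forward reference and deserves a why-comment, since it adds every `net.unconfined` type to `net.ib.unconfined.typeattr` before that block is declared in the same file. Suggest `;; net.unconfined members are also ib-unconfined (CIL resolves this regardless of block order)`. The same resolution-order comment would help at the `(blockinherit endport.template)` and `(blockinherit pkey.template)` lines in endportibnet.cil and pkeyibnet.cil, which instantiate the generic `endport`/`pkey` types ahead of the block that defines the template.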
diff --git a/src/net/ibnet/endportibnet.cil b/src/net/ibnet/endportibnet.cil
new file mode 100644
index 0000000..5494943
--- /dev/null
+++ b/src/net/ibnet/endportibnet.cil
@@ -0,0 +1,76 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(class infiniband_endport (manage_subnet))
+(classorder (unordered infiniband_endport))
+
+(macro managesubnet_invalid_endports ((type ARG1))
+ (allow ARG1 invalid (infiniband_endport (manage_subnet))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (infiniband_endport (all))))
+
+(in mcs
+
+ (mlsconstrain (infiniband_endport (manage_subnet))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
+
+(in net.ib
+
+ (blockinherit endport.template)
+
+ (block endport
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro managesubnet_all_endports ((type ARG1))
+ (allow ARG1 typeattr (infiniband_endport (manage_subnet)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context endport_context (.sys.id .sys.role endport lowlevelrange))
+
+ (type endport)
+ (call .net.ib.endport.type (endport)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro managesubnet_endports ((type ARG1))
+ (allow ARG1 endport (infiniband_endport (manage_subnet)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.ib.endport.base_template)
+ (blockinherit .net.ib.endport.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr endport.typeattr (infiniband_endport (all))))))
+
+(in net.ib.unconfined
+
+ (call .net.ib.endport.unconfined.type (typeattr)))
diff --git a/src/net/ibnet/pkeyibnet.cil b/src/net/ibnet/pkeyibnet.cil
new file mode 100644
index 0000000..7293864
--- /dev/null
+++ b/src/net/ibnet/pkeyibnet.cil
@@ -0,0 +1,76 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(class infiniband_pkey (access))
+(classorder (unordered infiniband_pkey))
+
+(macro access_invalid_pkeys ((type ARG1))
+ (allow ARG1 invalid (infiniband_pkey (access))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (infiniband_pkey (all))))
+
+(in mcs
+
+ (mlsconstrain (infiniband_pkey (access))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
+
+(in net.ib
+
+ (blockinherit pkey.template)
+
+ (block pkey
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro access_all_pkeys ((type ARG1))
+ (allow ARG1 typeattr (infiniband_pkey (access)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context pkey_context (.sys.id .sys.role pkey lowlevelrange))
+
+ (type pkey)
+ (call .net.ib.pkey.type (pkey)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro access_pkeys ((type ARG1))
+ (allow ARG1 pkey (infiniband_pkey (access)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.ib.pkey.base_template)
+ (blockinherit .net.ib.pkey.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr pkey.typeattr (infiniband_pkey (all))))))
+
+(in net.ib.unconfined
+
+ (call .net.ib.pkey.unconfined.type (typeattr)))
diff --git a/src/net/netifnet.cil b/src/net/netifnet.cil
new file mode 100644
index 0000000..6fc52db
--- /dev/null
+++ b/src/net/netifnet.cil
@@ -0,0 +1,101 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext netif (sys.id sys.role net.netif lowlevelrange))
+
+(class netif (egress ingress))
+(classorder (unordered netif))
+
+(macro egress_invalid_netifs ((type ARG1))
+ (allow ARG1 invalid (netif (egress))))
+
+(macro egressingress_invalid_netifs ((type ARG1))
+ (allow ARG1 invalid (netif (egress ingress))))
+
+(macro ingress_invalid_netifs ((type ARG1))
+ (allow ARG1 invalid (netif (ingress))))
+
+(tunableif (or invalid_associations invalid_peers)
+ (true
+
+ (call net.netif.egressingress_all_netifs (invalid))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (netif (all))))
+
+(in mcs
+
+ (mlsconstrain (netif (egress ingress))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr))))
+
+(in net
+
+ (blockinherit netif.template)
+
+ (block netif
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro egress_all_netifs ((type ARG1))
+ (allow ARG1 typeattr (netif (egress))))
+
+ (macro egressingress_all_netifs ((type ARG1))
+ (allow ARG1 typeattr (netif (egress ingress))))
+
+ (macro ingress_all_netifs ((type ARG1))
+ (allow ARG1 typeattr (netif (ingress)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context netif_context (.sys.id .sys.role netif lowlevelrange))
+
+ (type netif)
+ (call .net.netif.type (netif)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro egress_netifs ((type ARG1))
+ (allow ARG1 netif (netif (egress))))
+
+ (macro egressingress_netifs ((type ARG1))
+ (allow ARG1 netif (netif (egress ingress))))
+
+ (macro ingress_netifs ((type ARG1))
+ (allow ARG1 netif (netif (ingress)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.netif.base_template)
+ (blockinherit .net.netif.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr netif.typeattr (netif (all))))))
+
+(in net.unconfined
+
+ (call .net.netif.unconfined.type (typeattr)))
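Review bot: The `(tunableif (or invalid_associations invalid_peers) ...)` block near the top couples netif access to two tunables that are about peers and associations, and nothing says why. Presumably the point is that when unlabeled peers or associations are tolerated, traffic carrying the `invalid` label must still pass the netif ingress/egress checks, so `invalid` is granted both permissions on every netif type; a comment such as `;; unlabeled (invalid) peers/associations still traverse netifs, so grant ingress/egress when either tunable is on` would make that explicit — please confirm the intent. The same unexplained coupling appears in nodenet.cil (node recvfrom/sendto) and packetnet.cil (packet forward_in/forward_out).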
diff --git a/src/net/nodenet.cil b/src/net/nodenet.cil
new file mode 100644
index 0000000..a42df16
--- /dev/null
+++ b/src/net/nodenet.cil
@@ -0,0 +1,147 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext node (sys.id sys.role net.netnode lowlevelrange))
+
+(class node (recvfrom sendto))
+(classorder (unordered node))
+
+(macro recvfrom_invalid_nodes ((type ARG1))
+ (allow ARG1 invalid (node (recvfrom))))
+
+(macro recvfromsendto_invalid_nodes ((type ARG1))
+ (allow ARG1 invalid (node (recvfrom sendto))))
+
+(macro sendto_invalid_nodes ((type ARG1))
+ (allow ARG1 invalid (node (sendto))))
+
+(tunableif (or invalid_associations invalid_peers)
+ (true
+
+ (call net.netnode.recvfromsendto_all_nodes (invalid))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (node (all))))
+
+(in mcs
+
+ (mlsconstrain (node (sendto))
+ (or (dom h1 h2)
+ (neq t1 constrained.typeattr)))
+
+ (mlsconstrain (node (recvfrom))
+ (or (dom l1 l2)
+ (neq t1 constrained.typeattr))))
+
+(in net
+
+ (blockinherit netnode.template)
+
+ (block netnode
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro nodebind_all_dccp_sockets ((type ARG1))
+ (allow ARG1 typeattr (dccp_socket (node_bind))))
+
+ (macro nodebind_all_icmp_sockets ((type ARG1))
+ (allow ARG1 typeattr (icmp_socket (node_bind))))
+
+ (macro nodebind_all_rawip_sockets ((type ARG1))
+ (allow ARG1 typeattr (rawip_socket (node_bind))))
+
+ (macro nodebind_all_sctp_sockets ((type ARG1))
+ (allow ARG1 typeattr (sctp_socket (node_bind))))
+
+ (macro nodebind_all_tcp_sockets ((type ARG1))
+ (allow ARG1 typeattr (tcp_socket (node_bind))))
+
+ (macro nodebind_all_udp_sockets ((type ARG1))
+ (allow ARG1 typeattr (udp_socket (node_bind))))
+
+ (macro recvfrom_all_nodes ((type ARG1))
+ (allow ARG1 typeattr (node (recvfrom))))
+
+ (macro recvfromsendto_all_nodes ((type ARG1))
+ (allow ARG1 typeattr (node (recvfrom sendto))))
+
+ (macro sendto_all_nodes ((type ARG1))
+ (allow ARG1 typeattr (node (sendto)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context netnode_context (.sys.id .sys.role netnode lowlevelrange))
+
+ (type netnode)
+ (call .net.netnode.type (netnode)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro nodebind_netnode_dccp_sockets ((type ARG1))
+ (allow ARG1 netnode (dccp_socket (node_bind))))
+
+ (macro nodebind_netnode_icmp_sockets ((type ARG1))
+ (allow ARG1 netnode (icmp_socket (node_bind))))
+
+ (macro nodebind_netnode_rawip_sockets ((type ARG1))
+ (allow ARG1 netnode (rawip_socket (node_bind))))
+
+ (macro nodebind_netnode_sctp_sockets ((type ARG1))
+ (allow ARG1 netnode (sctp_socket (node_bind))))
+
+ (macro nodebind_netnode_tcp_sockets ((type ARG1))
+ (allow ARG1 netnode (tcp_socket (node_bind))))
+
+ (macro nodebind_netnode_udp_sockets ((type ARG1))
+ (allow ARG1 netnode (udp_socket (node_bind))))
+
+ (macro recvfrom_nodes ((type ARG1))
+ (allow ARG1 netnode (node (recvfrom))))
+
+ (macro recvfromsendto_nodes ((type ARG1))
+ (allow ARG1 netnode (node (recvfrom sendto))))
+
+ (macro sendto_nodes ((type ARG1))
+ (allow ARG1 netnode (node (sendto)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.netnode.base_template)
+ (blockinherit .net.netnode.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr netnode.typeattr (dccp_socket (node_bind)))
+ (allow typeattr netnode.typeattr (icmp_socket (node_bind)))
+ (allow typeattr netnode.typeattr (node (all)))
+ (allow typeattr netnode.typeattr (rawip_socket (node_bind)))
+ (allow typeattr netnode.typeattr (sctp_socket (node_bind)))
+ (allow typeattr netnode.typeattr (tcp_socket (node_bind)))
+ (allow typeattr netnode.typeattr (udp_socket (node_bind))))))
+
+(in net.unconfined
+
+ (call .net.netnode.unconfined.type (typeattr)))
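Review bot: The two mlsconstrain rules for `node` in the `mcs` block use different level pairs — `(dom h1 h2)` for sendto but `(dom l1 l2)` for recvfrom — and nothing explains the asymmetry, while netifnet.cil constrains both directions on h1/h2. If the intent is that a subject may only receive from a node whose low level its own low level dominates (read-down on receive) while sending is checked against the high level, a comment above the recvfrom rule, `;; recvfrom checks the low level (read-down); sendto checks the high level`, would stop this from being read as a typo. Please confirm that is the intended semantics.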
diff --git a/src/net/packetnet.cil b/src/net/packetnet.cil
new file mode 100644
index 0000000..27e828e
--- /dev/null
+++ b/src/net/packetnet.cil
@@ -0,0 +1,168 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(class packet (forward_in forward_out recv relabelto send))
+(classorder (unordered packet))
+
+(macro forward_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (forward_in forward_out))))
+
+(macro forwardin_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (forward_in))))
+
+(macro forwardout_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (forward_out))))
+
+(macro recv_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (recv))))
+
+(macro recvsend_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (recv send))))
+
+(macro relabelto_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (relabelto))))
+
+(macro send_invalid_packets ((type ARG1))
+ (allow ARG1 invalid (packet (send))))
+
+(tunableif invalid_packets
+ (true
+
+ (call forward_invalid_packets (invalidpackets.except.typeattr))
+ (call recvsend_invalid_packets (invalidpackets.except.typeattr))))
+
+(tunableif (or invalid_associations invalid_peers)
+ (true
+
+ (call forward_invalid_packets (invalid))
+
+ (call net.packet.forward_all_packets (invalid))))
+
+(in ibac
+
+ (constrain (packet (relabelto))
+ (or (or (or (eq u1 u2)
+ (and (eq t1 objchangesys.typeattr) (eq u2 .sys.id)))
+ (eq t1 objchange.typeattr))
+ (eq t1 exempt.typeattr))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (packet (not relabelto))))
+
+(in mcs
+
+ (mlsconstrain (packet (relabelto))
+ (or (neq t1 constrained.typeattr)
+ (and (dom h1 h2) (eq l2 h2))))
+
+ (mlsconstrain (packet (forward_in forward_out send recv))
+ (or (dom h1 h2)
+ (and
+ (neq t1 constrained.typeattr)
+ (neq t2 constrained.typeattr)))))
+
+(in rbac
+
+ (constrain (packet (relabelto))
+ (or (or (or (eq r1 r2)
+ (and (eq t1 objchangesys.typeattr)
+ (eq r2 .sys.role)))
+ (eq t1 objchange.typeattr))
+ (eq t1 exempt.typeattr))))
+
+(in net
+
+ (blockinherit packet.template)
+
+ (block packet
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .mcs.constrained.type (typeattr))
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro forward_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (forward_in forward_out))))
+
+ (macro forwardin_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (forward_in))))
+
+ (macro forwardout_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (forward_out))))
+
+ (macro recv_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (recv))))
+
+ (macro recvsend_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (recv send))))
+
+ (macro relabelto_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (relabelto))))
+
+ (macro send_all_packets ((type ARG1))
+ (allow ARG1 typeattr (packet (send)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context packet_context (.sys.id .sys.role packet lowlevelrange))
+
+ (type packet)
+ (call .net.packet.type (packet)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro forward_packets ((type ARG1))
+ (allow ARG1 packet (packet (forward_in forward_out))))
+
+ (macro forwardin_packets ((type ARG1))
+ (allow ARG1 packet (packet (forward_in))))
+
+ (macro forwardout_packets ((type ARG1))
+ (allow ARG1 packet (packet (forward_out))))
+
+ (macro recv_packets ((type ARG1))
+ (allow ARG1 packet (packet (recv))))
+
+ (macro recvsend_packets ((type ARG1))
+ (allow ARG1 packet (packet (recv send))))
+
+ (macro relabelto_packets ((type ARG1))
+ (allow ARG1 packet (packet (relabelto))))
+
+ (macro send_packets ((type ARG1))
+ (allow ARG1 packet (packet (send)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.packet.base_template)
+ (blockinherit .net.packet.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr packet.typeattr (packet (all))))))
+
+(in net.unconfined
+
+ (call .net.packet.unconfined.type (typeattr)))
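Review bot: The permission expression in the `invalid.unconfined` block, `(packet (not relabelto))`, is spelled differently from the equivalent rule in spdnet.cil, `(association (not (setcontext)))`. Both forms appear to be accepted by the CIL parser, but mixing a bare permission with a parenthesised list inside `not` invites a future edit that appends a second permission in the wrong place; pick one form for both files, e.g. `(allow typeattr .invalid (packet (not (relabelto))))`. A one-line comment stating why relabelto is the one permission withheld from unconfined-on-invalid would also help the next reader, since every other class in this series grants `(all)` there.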
diff --git a/src/net/peernet.cil b/src/net/peernet.cil
new file mode 100644
index 0000000..23225b8
--- /dev/null
+++ b/src/net/peernet.cil
@@ -0,0 +1,110 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext netmsg (sys.id sys.role net.peer lowlevelrange))
+
+(class peer (recv))
+(classorder (unordered peer))
+
+(macro recv_invalid_peers ((type ARG1))
+ (allow ARG1 invalid (peer (recv))))
+
+(tunableif invalid_peers
+ (true
+
+ (call association_invalid_sctp_sockets
+ (invalidpeers.except.typeattr))
+ (call recv_invalid_peers (invalidpeers.except.typeattr))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (peer (all))))
+
+(in mcs
+
+ (mlsconstrain (peer (recv))
+ (or (dom h1 h2)
+ (and
+ (neq t1 constrained.typeattr)
+ (neq t2 constrained.typeattr)))))
+
+(in net
+
+ (blockinherit peer.template)
+
+ (block peer
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .mcs.constrained.type (typeattr))
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro recv_all_peers ((type ARG1))
+ (allow ARG1 typeattr (peer (recv))))
+
+ (macro association_all_sctp_sockets ((type ARG1))
+ (allow ARG1 typeattr (sctp_socket (association)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context peer_context (.sys.id .sys.role peer lowlevelrange))
+
+ (type peer)
+ (call .net.peer.type (peer)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro recv_peers ((type ARG1))
+ (allow ARG1 peer (peer (recv))))
+
+ (macro association_peer_sctp_sockets ((type ARG1))
+ (allow ARG1 peer (sctp_socket (association)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.peer.base_template)
+ (blockinherit .net.peer.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr peer.typeattr (peer (all)))
+ (allow typeattr peer.typeattr (sctp_socket (association))))))
+
+(in net.unconfined
+
+ (call .net.peer.unconfined.type (typeattr)))
+
+(in subj
+
+ (macro recv_all_peers ((type ARG1))
+ (allow ARG1 typeattr (peer (recv)))))
+
+(in subj.macro_template
+
+ (macro recv_subj_peers ((type ARG1))
+ (allow ARG1 subj (peer (recv)))))
+
+(in subj.unconfined
+
+ (allow typeattr .subj.typeattr (peer (recv))))
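Review bot: The macros in `peer.all_macro_template` and `peer.macro_template` are not in alphabetical order (`association_all_sctp_sockets` follows `recv_all_peers`, and `association_peer_sctp_sockets` follows `recv_peers`), whereas every other file in this series lists macros alphabetically; swapping each pair keeps the convention. The `(call association_invalid_sctp_sockets ...)` under `invalid_peers` references a macro not defined in this file, presumably provided by the sctp socket module, and the same unqualified call appears in spdnet.cil; a comment naming where it lives would help, since it is one of the few cross-file calls here without a qualified name. The `sidcontext netmsg` line at the top would also benefit from `;; netmsg initial SID is labeled with the generic net.peer type`.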
diff --git a/src/net/portnet.cil b/src/net/portnet.cil
new file mode 100644
index 0000000..434cf00
--- /dev/null
+++ b/src/net/portnet.cil
@@ -0,0 +1,115 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(sidcontext port (sys.id sys.role net.port lowlevelrange))
+
+(in net
+
+ (blockinherit port.template)
+
+ (block port
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro namebind_all_dccp_sockets ((type ARG1))
+ (allow ARG1 typeattr (dccp_socket (name_bind))))
+
+ (macro namebind_all_icmp_sockets ((type ARG1))
+ (allow ARG1 typeattr (icmp_socket (name_bind))))
+
+ (macro namebind_all_rawip_sockets ((type ARG1))
+ (allow ARG1 typeattr (rawip_socket (name_bind))))
+
+ (macro namebind_all_sctp_sockets ((type ARG1))
+ (allow ARG1 typeattr (sctp_socket (name_bind))))
+
+ (macro namebind_all_tcp_sockets ((type ARG1))
+ (allow ARG1 typeattr (tcp_socket (name_bind))))
+
+ (macro namebind_all_udp_sockets ((type ARG1))
+ (allow ARG1 typeattr (udp_socket (name_bind))))
+
+ (macro nameconnect_all_dccp_sockets ((type ARG1))
+ (allow ARG1 typeattr (dccp_socket (name_connect))))
+
+ (macro nameconnect_all_sctp_sockets ((type ARG1))
+ (allow ARG1 typeattr (sctp_socket (name_connect))))
+
+ (macro nameconnect_all_tcp_sockets ((type ARG1))
+ (allow ARG1 typeattr (tcp_socket (name_connect)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context port_context (.sys.id .sys.role port lowlevelrange))
+
+ (type port)
+ (call .net.port.type (port)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro namebind_port_dccp_sockets ((type ARG1))
+ (allow ARG1 port (dccp_socket (name_bind))))
+
+ (macro namebind_port_icmp_sockets ((type ARG1))
+ (allow ARG1 port (icmp_socket (name_bind))))
+
+ (macro namebind_port_rawip_sockets ((type ARG1))
+ (allow ARG1 port (rawip_socket (name_bind))))
+
+ (macro namebind_port_sctp_sockets ((type ARG1))
+ (allow ARG1 port (sctp_socket (name_bind))))
+
+ (macro namebind_port_tcp_sockets ((type ARG1))
+ (allow ARG1 port (tcp_socket (name_bind))))
+
+ (macro namebind_port_udp_sockets ((type ARG1))
+ (allow ARG1 port (udp_socket (name_bind))))
+
+ (macro nameconnect_port_dccp_sockets ((type ARG1))
+ (allow ARG1 port (dccp_socket (name_connect))))
+
+ (macro nameconnect_port_sctp_sockets ((type ARG1))
+ (allow ARG1 port (sctp_socket (name_connect))))
+
+ (macro nameconnect_port_tcp_sockets ((type ARG1))
+ (allow ARG1 port (tcp_socket (name_connect)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.port.base_template)
+ (blockinherit .net.port.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr port.typeattr (dccp_socket (name_bind name_connect)))
+ (allow typeattr port.typeattr (icmp_socket (name_bind)))
+ (allow typeattr port.typeattr (rawip_socket (name_bind)))
+ (allow typeattr port.typeattr (sctp_socket (name_bind name_connect)))
+ (allow typeattr port.typeattr (tcp_socket (name_bind name_connect)))
+ (allow typeattr port.typeattr (udp_socket (name_bind))))))
+
+(in net.unconfined
+
+ (call .net.port.unconfined.type (typeattr)))
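Review bot: The `sidcontext port` line is the only thing that labels port numbers not covered by a portcon, including port 0 and any range a future edit leaves out of the reserved/unreserved/ephemeral files, yet it carries no comment. Suggest `;; fallback label for any port without a portcon (e.g. port 0); ranges are assigned in portnet/*.cil`, so a reader auditing the port split knows where to look for gaps. As committed, the three range files tile 1–65535 for dccp/sctp/tcp/udp with no overlap, which is worth stating in that comment too.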
diff --git a/src/net/portnet/ephemeralportnet.cil b/src/net/portnet/ephemeralportnet.cil
new file mode 100644
index 0000000..d49ca15
--- /dev/null
+++ b/src/net/portnet/ephemeralportnet.cil
@@ -0,0 +1,39 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block ephemeral
+
+ (portcon "dccp" (32768 60999) port_context)
+ (portcon "sctp" (32768 60999) port_context)
+ (portcon "tcp" (32768 60999) port_context)
+ (portcon "udp" (32768 60999) port_context)
+
+ (blockinherit .net.port.ephemeral.template))
+
+(in net.port
+
+ (block ephemeral
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (blockinherit .net.port.all_macro_template)
+
+ (typeattribute typeattr)
+
+ (call .net.port.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .net.port.base_template)
+
+ (call .net.port.ephemeral.type (port)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.port.ephemeral.base_template)
+ (blockinherit .net.port.macro_template))))
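Review bot: The `template` block here inherits `ephemeral.base_template` before `.net.port.macro_template`, while reservedportnet.cil and unreservedportnet.cil inherit `macro_template` first; the order should not change the result, but the three files are otherwise identical in shape and should match. The 32768–60999 range is the Linux default `net.ipv4.ip_local_port_range` and is only consistent while unreservedportnet.cil resumes at 61000; a comment on the first portcon, `;; matches the kernel default ip_local_port_range; keep in step with the 61000 boundary in unreservedportnet.cil`, documents that coupling. A host that has customised its local port range will see some of its ephemeral ports labeled as unreserved (or vice versa), which is worth mentioning in the same comment.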
diff --git a/src/net/portnet/reservedportnet.cil b/src/net/portnet/reservedportnet.cil
new file mode 100644
index 0000000..6ab315b
--- /dev/null
+++ b/src/net/portnet/reservedportnet.cil
@@ -0,0 +1,39 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block reserved
+
+ (portcon "dccp" (1 1023) port_context)
+ (portcon "sctp" (1 1023) port_context)
+ (portcon "tcp" (1 1023) port_context)
+ (portcon "udp" (1 1023) port_context)
+
+ (blockinherit .net.port.reserved.template))
+
+(in net.port
+
+ (block reserved
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (blockinherit .net.port.all_macro_template)
+
+ (typeattribute typeattr)
+
+ (call .net.port.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .net.port.base_template)
+
+ (call .net.port.reserved.type (port)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.port.macro_template)
+ (blockinherit .net.port.reserved.base_template))))
diff --git a/src/net/portnet/unreservedportnet.cil b/src/net/portnet/unreservedportnet.cil
new file mode 100644
index 0000000..24efa73
--- /dev/null
+++ b/src/net/portnet/unreservedportnet.cil
@@ -0,0 +1,43 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(block unreserved
+
+ (portcon "dccp" (1024 32767) port_context)
+ (portcon "dccp" (61000 65535) port_context)
+ (portcon "sctp" (1024 32767) port_context)
+ (portcon "sctp" (61000 65535) port_context)
+ (portcon "tcp" (1024 32767) port_context)
+ (portcon "tcp" (61000 65535) port_context)
+ (portcon "udp" (1024 32767) port_context)
+ (portcon "udp" (61000 65535) port_context)
+
+ (blockinherit .net.port.unreserved.template))
+
+(in net.port
+
+ (block unreserved
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (blockinherit .net.port.all_macro_template)
+
+ (typeattribute typeattr)
+
+ (call .net.port.type (typeattr))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (blockinherit .net.port.base_template)
+
+ (call .net.port.unreserved.type (port)))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.port.macro_template)
+ (blockinherit .net.port.unreserved.base_template))))
diff --git a/src/net/spdnet.cil b/src/net/spdnet.cil
new file mode 100644
index 0000000..fdaa0ad
--- /dev/null
+++ b/src/net/spdnet.cil
@@ -0,0 +1,139 @@
+;; SPDX-FileCopyrightText: © 2023 Dominick Grift <dominick.grift@defensec.nl>
+;; SPDX-License-Identifier: Unlicense
+
+(class association (polmatch recvfrom sendto setcontext))
+(classorder (unordered association))
+
+(macro polmatch_invalid_associations ((type ARG1))
+ (allow ARG1 invalid (association (polmatch))))
+
+(macro polmatchsetcontext_invalid_associations ((type ARG1))
+ (allow ARG1 invalid (association (polmatch setcontext))))
+
+(macro recvfrom_invalid_associations ((type ARG1))
+ (allow ARG1 invalid (association (recvfrom))))
+
+(macro recvfromsendto_invalid_associations ((type ARG1))
+ (allow ARG1 invalid (association (recvfrom sendto))))
+
+(macro sendto_invalid_associations ((type ARG1))
+ (allow ARG1 invalid (association (sendto))))
+
+(macro setcontext_invalid_associations ((type ARG1))
+ (allow ARG1 invalid (association (setcontext))))
+
+(tunableif invalid_associations
+ (true
+
+ (call association_invalid_sctp_sockets
+ (invalidassociations.except.typeattr))
+ (call recvfromsendto_invalid_associations
+ (invalidassociations.except.typeattr))))
+
+(in invalid.unconfined
+
+ (allow typeattr .invalid (association (not (setcontext)))))
+
+(in mcs
+
+ (mlsconstrain (association (sendto recvfrom))
+ (or (dom h1 h2)
+ (and
+ (neq t1 constrained.typeattr)
+ (neq t2 constrained.typeattr)))))
+
+(in net
+
+ (blockinherit spd.template)
+
+ (block spd
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (blockinherit all_macro_template)
+
+ (call .obj.type (typeattr))
+
+ (block all_macro_template
+
+ (blockabstract all_macro_template)
+
+ (macro polmatch_all_associations ((type ARG1))
+ (allow ARG1 typeattr (association (polmatch))))
+
+ (macro polmatchsetcontext_all_associations ((type ARG1))
+ (allow ARG1 typeattr (association (polmatch setcontext))))
+
+ (macro setcontext_all_associations ((type ARG1))
+ (allow ARG1 typeattr (association (setcontext)))))
+
+ (block base_template
+
+ (blockabstract base_template)
+
+ (context spd_context (.sys.id .sys.role spd lowlevelrange))
+
+ (type spd)
+ (call .net.spd.type (spd)))
+
+ (block macro_template
+
+ (blockabstract macro_template)
+
+ (macro polmatch_spd_associations ((type ARG1))
+ (allow ARG1 spd (association (polmatch))))
+
+ (macro polmatchsetcontext_spd_associations ((type ARG1))
+ (allow ARG1 spd (association (polmatch setcontext))))
+
+ (macro setcontext_spd_associations ((type ARG1))
+ (allow ARG1 spd (association (setcontext)))))
+
+ (block template
+
+ (blockabstract template)
+
+ (blockinherit .net.spd.base_template)
+ (blockinherit .net.spd.macro_template))
+
+ (block unconfined
+
+ (macro type ((type ARG1))
+ (typeattributeset typeattr ARG1))
+
+ (typeattribute typeattr)
+
+ (allow typeattr spd.typeattr (association (polmatch setcontext))))))
+
+(in net.unconfined
+
+ (call .net.spd.unconfined.type (typeattr)))
+
+(in subj
+
+ (macro recvfrom_all_associations ((type ARG1))
+ (allow ARG1 typeattr (association (recvfrom))))
+
+ (macro recvfromsendto_all_associations ((type ARG1))
+ (allow ARG1 typeattr (association (recvfrom sendto))))
+
+ (macro sendto_all_associations ((type ARG1))
+ (allow ARG1 typeattr (association (sendto)))))
+
+(in subj.macro_template
+
+ (macro recvfrom_subj_associations ((type ARG1))
+ (allow ARG1 subj (association (recvfrom))))
+
+ (macro recvfromsendto_subj_associations ((type ARG1))
+ (allow ARG1 subj (association (recvfrom sendto))))
+
+ (macro sendto_subj_associations ((type ARG1))
+ (allow ARG1 subj (association (sendto)))))
+
+(in subj.unconfined
+
+ (allow typeattr .subj.typeattr (association (recvfrom sendto))))
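Review bot: Only `sendto`/`recvfrom` on `association` get an mlsconstrain in the `mcs` block; `polmatch` and `setcontext` are left unconstrained, and the spd types are not registered with `.mcs.constrained.type` (unlike peer and packet types in peernet.cil and packetnet.cil), so as far as the MLS layer is concerned a constrained subject may match any SPD entry at any level. If that is intentional, a comment above the mcs block, `;; polmatch/setcontext are not level-constrained: spd types are not mcs-constrained objects`, would pre-empt the question; if not, a `(mlsconstrain (association (polmatch)) ...)` sibling is needed. The `(not (setcontext))` spelling in `invalid.unconfined` also differs from packetnet.cil's `(not relabelto)`; pick one form for both.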