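/* These lists of binary access vectors match what the kernel expects */
/* NOTE(review): the three #include targets were lost when this file was
 * extracted; the class / initial-SID / access-vector headers must be
 * restored on these lines before the policy will build. */
#include
#include
#include

/* Make sure we're running on a new enough kernel */
policycap network_peer_controls;

/* We have no attributes or booleans */

/* Only one type */
type any_t;

/* A few roles: obj_r is used for objects, proc_r for ordinary processes,
 * nonet_r for processes that must not be able to reach the network. */
role obj_r;
role proc_r;
role nonet_r;

/* Allow each role to assume the only type */
role obj_r types any_t;
role proc_r types any_t;
role nonet_r types any_t;

/* Completely disable type-enforcement. Every restriction in this policy is
 * a role-based constraint below, so nothing depends on the type. */
allow any_t any_t:{ all_classes } *;

/* Only one "user" */
user any_u roles { obj_r proc_r nonet_r };

/* The below rules control what is or isn't allowed */

/* Make sure that "nonet" mode is unescapable: on exec or dynamic transition
 * a process may keep its role (r1 == r2) or step down from proc_r to
 * nonet_r, never the reverse. r1 is the source role, r2 the target role. */
constrain process { transition dyntransition noatsecure siginh rlimitinh }
	( (r1 == r2) or (r1 == proc_r and r2 == nonet_r) );

/*
 * Disallow various actions from nonet. There are probably more hooks
 * missing from this list (see the very exhaustive list in the included
 * access-vectors file), but they are trivial to add and very
 * straightforward.
 *
 * Raw IP and packet sockets do not need a prior bind/connect to send, so
 * they are constrained on the same permissions as udp_socket.
 * NOTE(review): netlink_*, key_socket and other address families remain
 * unconstrained, and a socket that was already connected by a proc_r
 * process and later inherited by (or passed to) a nonet_r process is not
 * covered, because these checks only fire at bind/connect/sendto time --
 * confirm that is acceptable for the intended threat model.
 */
constrain tcp_socket { bind connect } (r1 != nonet_r);
constrain udp_socket { bind connect sendto } (r1 != nonet_r);
constrain rawip_socket { bind connect sendto } (r1 != nonet_r);
constrain packet_socket { bind connect sendto } (r1 != nonet_r);

// Default SIDs (Tell the kernel to label almost anything the same)
sid netmsg any_u:obj_r:any_t
sid port any_u:obj_r:any_t
sid node any_u:obj_r:any_t
sid netif any_u:obj_r:any_t
sid devnull any_u:obj_r:any_t
sid file any_u:obj_r:any_t
sid fs any_u:obj_r:any_t
sid sysctl any_u:obj_r:any_t
sid unlabeled any_u:obj_r:any_t
sid any_socket any_u:obj_r:any_t
sid file_labels any_u:obj_r:any_t
sid icmp_socket any_u:obj_r:any_t
sid igmp_packet any_u:obj_r:any_t
sid init any_u:obj_r:any_t
sid kmod any_u:obj_r:any_t
sid policy any_u:obj_r:any_t
sid scmp_packet any_u:obj_r:any_t
sid sysctl_modprobe any_u:obj_r:any_t
sid sysctl_fs any_u:obj_r:any_t
sid sysctl_kernel any_u:obj_r:any_t
sid sysctl_net any_u:obj_r:any_t
sid sysctl_net_unix any_u:obj_r:any_t
sid sysctl_vm any_u:obj_r:any_t
sid sysctl_dev any_u:obj_r:any_t
sid tcp_socket any_u:obj_r:any_t
sid security any_u:obj_r:any_t

// This label is used when the kernel starts new processes; it is the only
// initial SID carrying proc_r, so every process descends from it.
sid kernel any_u:proc_r:any_t

// No manual FS labels, everything should just pick up default SIDs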