From 3b3e5c9eb0dc60fa30b4467c67ed2bb0bff28a71 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 20 Jun 2022 10:52:30 -0400
Subject: [PATCH 1/3] mcs: Add additional SysV IPC constraints.
Signed-off-by: Chris PeBenito
---
 policy/mcs | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/policy/mcs b/policy/mcs
index c9b7e83eb..e8006b115 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -120,7 +120,16 @@ mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 mlsconstrain key { create link read search setattr view write }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain { ipc sem msgq shm } { create destroy setattr write unix_write }
+mlsconstrain { ipc sem msgq shm } { create destroy setattr read unix_read write unix_write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain msg { send receive }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain msgq enqueue
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain shm lock
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain context contains
From 8e32ade524dfcf3991644f00201a78e058384a29 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 20 Jun 2022 10:54:46 -0400
Subject: [PATCH 2/3] mcs: Collapse constraints.
Collapse file constraints as they are equivalent due to the same expresssions.
Signed-off-by: Chris PeBenito
---
 policy/mcs | 36 ++++--------------------------------
 1 file changed, 4 insertions(+), 32 deletions(-)
diff --git a/policy/mcs b/policy/mcs
index e8006b115..af880058c 100644
--- a/policy/mcs
+++ b/policy/mcs
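Review bot: After this hunk adds `read` and `unix_read`, the `getattr` and (as far as I recall from the ipc common permissions) `associate` permissions of `{ ipc sem msgq shm }` are still outside the constraint, so a process lacking an object's categories can still look up an existing segment, queue or semaphore set by key and read its attributes; it just cannot read, write, destroy or lock it. That mirrors the file's treatment of `getattr` on files and is presumably deliberate, but nothing records it. I would extend the Note block near the top of the file (outside this hunk) with `# - getattr and associate on SysV IPC objects are not constrained.` so the next reader does not take the omission for an oversight.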
@@ -66,27 +66,14 @@ gen_levels(1,mcs_num_cats)
 #
 # Note:
 # - getattr on dirs/files is not constrained.
-# - /proc/pid operations are not constrained.
 
-mlsconstrain file { read ioctl lock execute execute_no_trans }
+mlsconstrain dir_file_class_set { open read ioctl lock write setattr append create unlink link rename relabelfrom relabelto }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain file { write setattr append unlink link rename }
+mlsconstrain file { execute execute_no_trans }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
-mlsconstrain dir { search read ioctl lock }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain dir { write setattr append unlink link rename add_name remove_name }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain fifo_file { open }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { lnk_file chr_file blk_file sock_file } { getattr read ioctl }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain { lnk_file chr_file blk_file sock_file } { write setattr }
+mlsconstrain dir { search add_name remove_name rmdir }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 # New filesystem object labels must be dominated by the relabeling subject
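Review bot: The collapsed constraints do not cover the same permissions as the ones they replace, even though the commit message presents the collapse as equivalent: `getattr` on `{ lnk_file chr_file blk_file sock_file }` is no longer constrained, while `open` is now constrained for every class in `dir_file_class_set` (previously only `fifo_file`) and `rmdir` is newly constrained for `dir`; `create`, `relabelfrom` and `relabelto` are moved here from the constraints the second hunk of this patch removes. The `getattr` change is a relaxation that brings special files in line with the Note above, and the `open`/`rmdir` additions are tightenings that could surface new denials on existing systems; both deserve a sentence in the commit message. I would also update the note to `# - getattr on filesystem objects is not constrained.` since it now holds for all classes, and `dir_file_class_set` is defined outside this file, so a reader has to trust that it expands to the seven classes the old rules named.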
@@ -95,23 +82,8 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 	((( h1 dom h2 ) and ( l2 eq h2 )) or ( t1 != mcs_constrained_type ));
 
 
-# new file labels must be dominated by the relabeling subject clearance
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { relabelfrom }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-mlsconstrain { dir file lnk_file chr_file blk_file sock_file fifo_file } { create relabelto }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { transition dyntransition }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { ptrace }
-	(( h1 dom h2) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { sigkill sigstop }
-	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
-
-mlsconstrain process { signal }
+mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
 mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
From 5e6ede3da6572709f63d33fd8e442b617e7ce47b Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Mon, 20 Jun 2022 14:50:20 -0400
Subject: [PATCH 3/3] mcs: Add additional socket constraints.
Signed-off-by: Chris PeBenito
---
 policy/mcs | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/policy/mcs b/policy/mcs
index af880058c..039ed224b 100644
--- a/policy/mcs
+++ b/policy/mcs
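Review bot: The only comment that explained the relabel rule (`# new file labels must be dominated by the relabeling subject clearance`) goes away with the constraints it described, while the rule itself survives as the `relabelfrom`/`relabelto` permissions of the `dir_file_class_set` constraint earlier in the file, which now has no comment at all. The `{ file lnk_file fifo_file } { create relabelto }` constraint kept at the top of this hunk still carries the stricter `l2 eq h2` single-level requirement, so a reader now sees two relabel rules with different expressions and no text saying that both apply. I would put `# relabelfrom/relabelto for all filesystem classes: subject clearance must dominate the object` above the `dir_file_class_set` constraint (outside this hunk). The process-class merge in this hunk is a faithful collapse; the only textual change is the normalised spacing of the former `ptrace` expression.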
@@ -86,9 +86,21 @@ mlsconstrain { file lnk_file fifo_file } { create relabelto }
 mlsconstrain process { transition dyntransition ptrace sigkill sigstop signal }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain socket_class_set { create ioctl read write setattr append bind connect getopt setopt shutdown }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain stream_socket_class_set { listen accept }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 mlsconstrain { tcp_socket udp_socket rawip_socket sctp_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain unix_stream_socket connectto
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
+mlsconstrain unix_dgram_socket sendto
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 mlsconstrain key { create link read search setattr view write }
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
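Review bot: The `socket_class_set` and `stream_socket_class_set` permissions added at the top of this hunk are all checked against the calling process's own socket object, which (as far as I recall) is labeled from the creating process, so `h1 dom h2` is satisfied trivially there and the constraint only bites on a descriptor that was inherited from, or passed via SCM_RIGHTS by, a process with a different category set; only the `unix_stream_socket connectto` and `unix_dgram_socket sendto` lines check another process's socket. That distinction is not visible from the policy text and a reader may take the first block for cross-category socket isolation on its own. I would add above the `socket_class_set` line `# Operations on a process's own sockets pass trivially; these cover inherited or` / `# fd-passed descriptors. Peer sockets are covered by connectto/sendto below.`. The `socket_class_set` and `stream_socket_class_set` definitions live outside this file, so whether they already include the UNIX socket classes named separately below is something to confirm rather than assume.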