# Bind to ports.
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;

# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
allow {
  netdomain
  -ephemeral_app
  -mediaprovider
  -priv_app
  -sdk_sandbox_all
  -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
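The rules above rely on attribute negation: `-untrusted_app_all` strips every domain carrying that attribute from the source set, so a new untrusted_app_NN domain loses nlmsg_readpriv automatically unless it is re-granted elsewhere. The following added Python example (not part of the policy file or of AOSP's tooling) parses the rules in this fragment and evaluates which domains they actually grant. The attribute membership table and the compat rule for untrusted_app_27 are constructed, hypothetical stand-ins for the real policy, used only to exercise the set semantics.

```python
"""Evaluate SELinux allow rules with attribute negation (added example)."""
import re
from dataclasses import dataclass

# Constructed attribute membership: a hypothetical subset of the AOSP policy,
# NOT read from a device.  Only used to exercise positive/negative expansion.
ATTRIBUTES = {
    "netdomain": {
        "untrusted_app", "untrusted_app_27", "priv_app", "mediaprovider",
        "ephemeral_app", "sdk_sandbox_34", "system_app", "netd",
    },
    "untrusted_app_all": {"untrusted_app", "untrusted_app_27"},
    "sdk_sandbox_all": {"sdk_sandbox_34"},
    "port_type": {"port", "dns_port"},
    "node_type": {"node"},
}

# Rules copied from the policy fragment above.
PAGE_RULES = """\
# Bind to ports.
allow {netdomain -ephemeral_app -sdk_sandbox_all} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox_all} port_type:tcp_socket name_bind;
allow {
  netdomain
  -ephemeral_app
  -mediaprovider
  -priv_app
  -sdk_sandbox_all
  -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };
"""

# Constructed stand-in for the "granted access elsewhere" compat rule the
# comment mentions; the real grant lives in the per-API-level app policy.
COMPAT_RULE = "allow untrusted_app_27 self:netlink_route_socket nlmsg_readpriv;"


@dataclass(frozen=True)
class Rule:
    sources: str        # raw source spec, e.g. "{netdomain -priv_app}"
    target: str         # raw target spec; "self" means the source domain itself
    classes: frozenset  # object classes, one or a braced set
    perms: frozenset    # permissions, one or a braced set


# A "set" is either a braced list or a single bare token.
_SET = r"(\{[^}]*\}|[^\s{}:;]+)"
RULE_RE = re.compile(rf"allow\s+{_SET}\s+{_SET}:{_SET}\s+{_SET}\s*;")


def _tokens(spec):
    spec = spec.strip()
    if spec.startswith("{"):
        spec = spec[1:-1]
    return spec.split()


def parse_rules(policy_text):
    """Strip '#' comments, join lines so multi-line rules match, and extract allow rules."""
    joined = " ".join(line.split("#", 1)[0] for line in policy_text.splitlines())
    return [
        Rule(src, tgt, frozenset(_tokens(cls)), frozenset(_tokens(perms)))
        for src, tgt, cls, perms in RULE_RE.findall(joined)
    ]


def expand(name):
    """An attribute expands to its member types; a plain type is itself."""
    return set(ATTRIBUTES.get(name, {name}))


def resolve(spec):
    """Expand a source/target set: union the positives, then remove every
    type named by, or carried by, a negated entry."""
    include, exclude = set(), set()
    for tok in _tokens(spec):
        (exclude if tok.startswith("-") else include).update(expand(tok.lstrip("-")))
    return include - exclude


def grants(rules, source, target, cls, perm):
    """True if any rule allows source -> target:cls perm under the model above."""
    for r in rules:
        if source not in resolve(r.sources):
            continue
        targets = {source} if r.target == "self" else resolve(r.target)
        if target in targets and cls in r.classes and perm in r.perms:
            return True
    return False


RULES = parse_rules(PAGE_RULES + COMPAT_RULE)

if __name__ == "__main__":
    for dom in ("netd", "priv_app", "untrusted_app", "untrusted_app_27"):
        for perm in ("nlmsg_readpriv", "nlmsg_getneigh"):
            ok = grants(RULES, dom, dom, "netlink_route_socket", perm)
            print(f"{dom:18} {perm:15} {'allow' if ok else 'deny'}")
```

Under this model netd keeps both netlink permissions, priv_app and untrusted_app get neither, and untrusted_app_27 gets only nlmsg_readpriv via the compat rule. On a real build, run the same question against the compiled policy with setools, e.g. `sesearch --allow -s untrusted_app -c netlink_route_socket -p nlmsg_readpriv precompiled_sepolicy`, since attribute membership there is the only authoritative source.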