###
### Rules that apply only to a subset of the network domains
###

# Bind to ports. ephemeral_app and the SDK runtime sandboxes are carved out of
# the netdomain set here: they get the connect rules further down, but not bind.
allow {
    netdomain
    -ephemeral_app
    -sdk_sandbox_all
} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {
    netdomain
    -ephemeral_app
    -sdk_sandbox_all
} port_type:{ tcp_socket udp_socket } name_bind;

# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
# The negated domains below receive none of bind / nlmsg_readpriv / nlmsg_getneigh from
# this rule; where they need it, the grant lives in their own policy (see note above).
allow {
    netdomain
    -ephemeral_app
    -mediaprovider
    -priv_app
    -sdk_sandbox_all
    -untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };

###
### Domain with network access
###

# Use network sockets. The *_perms permission sets are macros defined elsewhere
# in the policy.
allow netdomain self:tcp_socket create_stream_socket_perms;
allow netdomain self:{ icmp_socket udp_socket rawip_socket } create_socket_perms;

# Connect to ports. Unlike name_bind above, this applies to every netdomain and
# to every port_type.
allow netdomain port_type:tcp_socket name_connect;

# See changes to the routing table. Only the unprivileged nlmsg_read is granted
# here; nlmsg_readpriv and nlmsg_getneigh are gated by the rule above.
allow netdomain self:netlink_route_socket {
    create read getattr write setattr lock append
    connect getopt setopt shutdown
    nlmsg_read
};

# Talks to netd via dnsproxyd socket.
unix_socket_connect(netdomain, dnsproxyd, netd)

# Talks to netd via fwmarkd socket.
unix_socket_connect(netdomain, fwmarkd, netd)