prebuilts/api/202404/private/priv_app.te - LeafOS-Project/android_system_sepolicy - Gitiles

 ###
 ### A domain for further sandboxing privileged apps.
 ###

 typeattribute priv_app coredomain;
 app_domain(priv_app)

 # Access the network.
 net_domain(priv_app)
 # Access bluetooth.
 bluetooth_domain(priv_app)

 # Allow the allocation and use of ptys
 # Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
 create_pty(priv_app)

 # Allow loading executable code from writable priv-app home
 # directories. This is a W^X violation, however, it needs
 # to be supported for now for the following reasons.
 # * /data/user_*/0/*/code_cache/* POSSIBLE uses (b/117841367)
 #   1) com.android.opengl.shaders_cache
 #   2) com.android.skia.shaders_cache
 #   3) com.android.renderscript.cache
 # * /data/user_de/0/com.google.android.gms/app_chimera
 # TODO: Tighten (b/112357170)
 allow priv_app privapp_data_file:file execute;

 # Chrome Crashpad uses the the dynamic linker to load native executables
 # from an APK (b/112050209, crbug.com/928422)
 allow priv_app system_linker_exec:file execute_no_trans;

 allow priv_app privapp_data_file:lnk_file create_file_perms;

 # Priv apps can find services that expose both @SystemAPI and normal APIs.
 allow priv_app app_api_service:service_manager find;
 allow priv_app system_api_service:service_manager find;

 allow priv_app audioserver_service:service_manager find;
 allow priv_app cameraserver_service:service_manager find;
 allow priv_app drmserver_service:service_manager find;
 allow priv_app mediadrmserver_service:service_manager find;
 allow priv_app mediaextractor_service:service_manager find;
 allow priv_app mediametrics_service:service_manager find;
 allow priv_app mediaserver_service:service_manager find;
 allow priv_app music_recognition_service:service_manager find;
 allow priv_app network_watchlist_service:service_manager find;
 allow priv_app nfc_service:service_manager find;
 allow priv_app oem_lock_service:service_manager find;
 allow priv_app persistent_data_block_service:service_manager find;
 allow priv_app radio_service:service_manager find;
 allow priv_app recovery_service:service_manager find;
 allow priv_app stats_service:service_manager find;

 # Write to /cache.
 allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
 allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
 # /cache is a symlink to /data/cache on some devices. Allow reading the link.
 allow priv_app cache_file:lnk_file r_file_perms;

 # Access to /data/media.
 allow priv_app media_rw_data_file:dir create_dir_perms;
 allow priv_app media_rw_data_file:file create_file_perms;

 # Used by Finsky / Android "Verify Apps" functionality when
 # running "adb install foo.apk".
 allow priv_app shell_data_file:file r_file_perms;
 allow priv_app shell_data_file:dir r_dir_perms;

 # Allow traceur to pass file descriptors through a content provider to betterbug
 allow priv_app trace_data_file:file { getattr read };

 # Allow betterbug to read profile reports generated by profcollect.
 userdebug_or_eng(`
   allow priv_app profcollectd_data_file:file r_file_perms;
 ')

 # Allow the bug reporting frontend to read the presence and timestamp of the
 # trace attached to the bugreport (but not its contents, which will go in the
 # usual bugreport .zip file). This is used by the bug reporting UI to tell if
 # the bugreport will contain a system trace or not while the bugreport is still
 # in progress.
 allow priv_app wm_trace_data_file:dir r_dir_perms;
 allow priv_app wm_trace_data_file:file getattr;
 allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
 allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
 # Required to traverse the parent dir (/data/misc/perfetto-traces).
 allow priv_app perfetto_traces_data_file:dir { search };

 # Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
 # the framework (i.e. TracingServiceProxy) and sendfile them into their private
 # directories for reporting when network and battery conditions are
 # appropriate.
 allow priv_app perfetto:fd use;
 allow priv_app perfetto_traces_data_file:file { read getattr };

 # Allow verifier to access staged apks.
 allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
 allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };

 # /proc access
 allow priv_app {
   proc_vmstat
 }:file r_file_perms;

 allow priv_app sysfs_type:dir search;
 # Read access to /sys/block/zram*/mm_stat
 r_dir_file(priv_app, sysfs_zram)

 r_dir_file(priv_app, rootfs)

 # Allow com.android.vending to communicate with statsd.
 binder_call(priv_app, statsd)

 # Allow Phone to read/write cached ringtones (opened by system).
 allow priv_app ringtone_file:file { getattr read write };

 # Access to /data/preloads
 allow priv_app preloads_data_file:file r_file_perms;
 allow priv_app preloads_data_file:dir r_dir_perms;
 allow priv_app preloads_media_file:file r_file_perms;
 allow priv_app preloads_media_file:dir r_dir_perms;

 read_runtime_log_tags(priv_app)

 # Allow priv_apps to request and collect incident reports.
 # (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
 allow priv_app incident_service:service_manager find;
 binder_call(priv_app, incidentd)
 allow priv_app incidentd:fifo_file { read write };

 # Allow priv_apps to check whether Dynamic System Update is enabled
 get_prop(priv_app, dynamic_system_prop)

 # suppress denials for non-API accesses.
 dontaudit priv_app exec_type:file getattr;
 dontaudit priv_app device:dir read;
 dontaudit priv_app fs_bpf:dir search;
 dontaudit priv_app net_dns_prop:file read;
 dontaudit priv_app proc:file read;
 dontaudit priv_app proc_interrupts:file read;
 dontaudit priv_app proc_modules:file read;
 dontaudit priv_app proc_net:file read;
 dontaudit priv_app proc_stat:file read;
 dontaudit priv_app proc_version:file read;
 dontaudit priv_app sysfs:dir read;
 dontaudit priv_app sysfs:file read;
 dontaudit priv_app sysfs_android_usb:file read;
 dontaudit priv_app sysfs_dm:file r_file_perms;
 dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;

 # allow privileged apps to use UDP sockets provided by the system server but not
 # modify them other than to connect
 allow priv_app system_server:udp_socket {
         connect getattr read recvfrom sendto write getopt setopt };

 # allow apps like Phonesky to check the file signature of an apk installed on
 # the Incremental File System, fill missing blocks and get the app status and loading progress
 allowxperm priv_app apk_data_file:file ioctl {
   INCFS_IOCTL_READ_SIGNATURE
   INCFS_IOCTL_FILL_BLOCKS
   INCFS_IOCTL_GET_BLOCK_COUNT
   INCFS_IOCTL_GET_FILLED_BLOCKS
 };

 # allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
 allow priv_app incremental_control_file:file { read getattr ioctl };

 # allow apps like Phonesky to request permission to fill blocks of an apk file
 # on the Incremental File System.
 allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;

 # allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
 get_prop(priv_app, incremental_prop)

 # allow privileged apps to read the device config flags.
 get_prop(priv_app, device_config_aconfig_flags_prop)

 # allow privileged apps to read boot reason property
 get_prop(priv_app, system_boot_reason_prop)

 # Required for Phonesky to be able to read APEX files under /data/apex/active/.
 allow priv_app apex_data_file:dir search;
 allow priv_app staging_data_file:file r_file_perms;
 # Required for Phonesky to be able to read staged files under /data/app-staging.
 allow priv_app staging_data_file:dir r_dir_perms;

 # Allow com.android.vending to access files under vendor/apex as well as system apex files.
 # This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
 allow priv_app vendor_apex_file:dir r_dir_perms;
 allow priv_app vendor_apex_file:file r_file_perms;

 # allow priv app to access the system app data files for ContentProvider case.
 allow priv_app system_app_data_file:file { read getattr };

 # Allow the renderscript compiler to be run.
 domain_auto_trans(priv_app, rs_exec, rs)

 # Allow loading and deleting executable shared libraries
 # within an application home directory. Such shared libraries would be
 # created by things like renderscript or via other mechanisms.
 allow priv_app app_exec_data_file:file { r_file_perms execute unlink };

 # Allow privileged apps to create a VM. Note that access is still
 # guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
 # permission.
 virtualizationservice_use(priv_app)

 ###
 ### neverallow rules
 ###

 # Receive or send uevent messages.
 neverallow priv_app domain:netlink_kobject_uevent_socket *;

 # Receive or send generic netlink messages
 neverallow priv_app domain:netlink_socket *;

 # Read or write kernel printk buffer
 neverallow priv_app kmsg_device:chr_file no_rw_file_perms;

 # Too much leaky information in debugfs. It's a security
 # best practice to ensure these files aren't readable.
 neverallow priv_app debugfs_type:file read;

 # Do not allow privileged apps to register services.
 # Only trusted components of Android should be registering
 # services.
 neverallow priv_app service_manager_type:service_manager add;

 # Do not allow privileged apps to connect to the property service
 # or set properties. b/10243159
 neverallow priv_app property_socket:sock_file write;
 neverallow priv_app init:unix_stream_socket connectto;
 neverallow priv_app property_type:property_service set;

 # Do not allow priv_app to be assigned mlstrustedsubject.
 # This would undermine the per-user isolation model being
 # enforced via levelFrom=user in seapp_contexts and the mls
 # constraints.  As there is no direct way to specify a neverallow
 # on attribute assignment, this relies on the fact that fork
 # permission only makes sense within a domain (hence should
 # never be granted to any other domain within mlstrustedsubject)
 # and priv_app is allowed fork permission to itself.
 neverallow priv_app mlstrustedsubject:process fork;

 # Do not allow priv_app to hard link to any files.
 # In particular, if priv_app links to other app data
 # files, installd will not be able to guarantee the deletion
 # of the linked to file. Hard links also contribute to security
 # bugs, so we want to ensure priv_app never has this
 # capability.
 neverallow priv_app file_type:file link;

 # priv apps should not be able to open trace data files, they should depend
 # upon traceur to pass a file descriptor which they can then read
 neverallow priv_app trace_data_file:dir *;
 neverallow priv_app trace_data_file:file { no_w_file_perms open };

 # Do not allow priv_app access to cgroups.
 neverallow priv_app cgroup:file *;
 neverallow priv_app cgroup_v2:file *;

 # Do not allow loading executable code from non-privileged
 # application home directories. Code loading across a security boundary
 # is dangerous and allows a full compromise of a privileged process
 # by an unprivileged process. b/112357170
 neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;

 # Do not follow any app provided symlinks
 neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };

 # Do not allow getting permission-protected network information from sysfs.
 neverallow priv_app sysfs_net:file *;

 # Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
 # ioctl permission, or 3. disallow the socket class.
 neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
 neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
 neverallow priv_app *:{
   socket netlink_socket packet_socket key_socket appletalk_socket
   netlink_tcpdiag_socket netlink_nflog_socket
   netlink_xfrm_socket netlink_audit_socket
   netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
   netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
   netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
   netlink_rdma_socket netlink_crypto_socket sctp_socket
   ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
   atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
   bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
   alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
 } *;

 # Allow priv apps to report off body events to keystore2.
 allow priv_app keystore:keystore2 report_off_body;

 # Allow priv_apps to check if archiving is enabled
 get_prop(priv_app, pm_archiving_enabled_prop)
	###
	### A domain for further sandboxing privileged apps.
	###

	typeattribute priv_app coredomain;
	app_domain(priv_app)

	# Access the network.
	net_domain(priv_app)
	# Access bluetooth.
	bluetooth_domain(priv_app)

	# Allow the allocation and use of ptys
	# Used by: https://play.privileged.com/store/apps/details?id=jackpal.androidterm
	create_pty(priv_app)

	# Allow loading executable code from writable priv-app home
	# directories. This is a W^X violation, however, it needs
	# to be supported for now for the following reasons.
	# * /data/user_/0//code_cache/* POSSIBLE uses (b/117841367)
	# 1) com.android.opengl.shaders_cache
	# 2) com.android.skia.shaders_cache
	# 3) com.android.renderscript.cache
	# * /data/user_de/0/com.google.android.gms/app_chimera
	# TODO: Tighten (b/112357170)
	allow priv_app privapp_data_file:file execute;

	# Chrome Crashpad uses the the dynamic linker to load native executables
	# from an APK (b/112050209, crbug.com/928422)
	allow priv_app system_linker_exec:file execute_no_trans;

	allow priv_app privapp_data_file:lnk_file create_file_perms;

	# Priv apps can find services that expose both @SystemAPI and normal APIs.
	allow priv_app app_api_service:service_manager find;
	allow priv_app system_api_service:service_manager find;

	allow priv_app audioserver_service:service_manager find;
	allow priv_app cameraserver_service:service_manager find;
	allow priv_app drmserver_service:service_manager find;
	allow priv_app mediadrmserver_service:service_manager find;
	allow priv_app mediaextractor_service:service_manager find;
	allow priv_app mediametrics_service:service_manager find;
	allow priv_app mediaserver_service:service_manager find;
	allow priv_app music_recognition_service:service_manager find;
	allow priv_app network_watchlist_service:service_manager find;
	allow priv_app nfc_service:service_manager find;
	allow priv_app oem_lock_service:service_manager find;
	allow priv_app persistent_data_block_service:service_manager find;
	allow priv_app radio_service:service_manager find;
	allow priv_app recovery_service:service_manager find;
	allow priv_app stats_service:service_manager find;

	# Write to /cache.
	allow priv_app { cache_file cache_recovery_file }:dir create_dir_perms;
	allow priv_app { cache_file cache_recovery_file }:file create_file_perms;
	# /cache is a symlink to /data/cache on some devices. Allow reading the link.
	allow priv_app cache_file:lnk_file r_file_perms;

	# Access to /data/media.
	allow priv_app media_rw_data_file:dir create_dir_perms;
	allow priv_app media_rw_data_file:file create_file_perms;

	# Used by Finsky / Android "Verify Apps" functionality when
	# running "adb install foo.apk".
	allow priv_app shell_data_file:file r_file_perms;
	allow priv_app shell_data_file:dir r_dir_perms;

	# Allow traceur to pass file descriptors through a content provider to betterbug
	allow priv_app trace_data_file:file { getattr read };

	# Allow betterbug to read profile reports generated by profcollect.
	userdebug_or_eng(`
	allow priv_app profcollectd_data_file:file r_file_perms;
	')

	# Allow the bug reporting frontend to read the presence and timestamp of the
	# trace attached to the bugreport (but not its contents, which will go in the
	# usual bugreport .zip file). This is used by the bug reporting UI to tell if
	# the bugreport will contain a system trace or not while the bugreport is still
	# in progress.
	allow priv_app wm_trace_data_file:dir r_dir_perms;
	allow priv_app wm_trace_data_file:file getattr;
	allow priv_app perfetto_traces_bugreport_data_file:dir r_dir_perms;
	allow priv_app perfetto_traces_bugreport_data_file:file { getattr };
	# Required to traverse the parent dir (/data/misc/perfetto-traces).
	allow priv_app perfetto_traces_data_file:dir { search };

	# Allow priv apps (e.g. BetterBug) to receive Perfetto traces through
	# the framework (i.e. TracingServiceProxy) and sendfile them into their private
	# directories for reporting when network and battery conditions are
	# appropriate.
	allow priv_app perfetto:fd use;
	allow priv_app perfetto_traces_data_file:file { read getattr };

	# Allow verifier to access staged apks.
	allow priv_app { apk_tmp_file apk_private_tmp_file }:dir r_dir_perms;
	allow priv_app { apk_tmp_file apk_private_tmp_file }:file r_file_perms;

	# For AppFuse.
	allow priv_app vold:fd use;
	allow priv_app fuse_device:chr_file { read write };

	# /proc access
	allow priv_app {
	proc_vmstat
	}:file r_file_perms;

	allow priv_app sysfs_type:dir search;
	# Read access to /sys/block/zram*/mm_stat
	r_dir_file(priv_app, sysfs_zram)

	r_dir_file(priv_app, rootfs)

	# Allow com.android.vending to communicate with statsd.
	binder_call(priv_app, statsd)

	# Allow Phone to read/write cached ringtones (opened by system).
	allow priv_app ringtone_file:file { getattr read write };

	# Access to /data/preloads
	allow priv_app preloads_data_file:file r_file_perms;
	allow priv_app preloads_data_file:dir r_dir_perms;
	allow priv_app preloads_media_file:file r_file_perms;
	allow priv_app preloads_media_file:dir r_dir_perms;

	read_runtime_log_tags(priv_app)

	# Allow priv_apps to request and collect incident reports.
	# (Also requires DUMP and PACKAGE_USAGE_STATS permissions)
	allow priv_app incident_service:service_manager find;
	binder_call(priv_app, incidentd)
	allow priv_app incidentd:fifo_file { read write };

	# Allow priv_apps to check whether Dynamic System Update is enabled
	get_prop(priv_app, dynamic_system_prop)

	# suppress denials for non-API accesses.
	dontaudit priv_app exec_type:file getattr;
	dontaudit priv_app device:dir read;
	dontaudit priv_app fs_bpf:dir search;
	dontaudit priv_app net_dns_prop:file read;
	dontaudit priv_app proc:file read;
	dontaudit priv_app proc_interrupts:file read;
	dontaudit priv_app proc_modules:file read;
	dontaudit priv_app proc_net:file read;
	dontaudit priv_app proc_stat:file read;
	dontaudit priv_app proc_version:file read;
	dontaudit priv_app sysfs:dir read;
	dontaudit priv_app sysfs:file read;
	dontaudit priv_app sysfs_android_usb:file read;
	dontaudit priv_app sysfs_dm:file r_file_perms;
	dontaudit priv_app { wifi_prop wifi_config_prop wifi_hal_prop }:file read;

	# allow privileged apps to use UDP sockets provided by the system server but not
	# modify them other than to connect
	allow priv_app system_server:udp_socket {
	connect getattr read recvfrom sendto write getopt setopt };

	# allow apps like Phonesky to check the file signature of an apk installed on
	# the Incremental File System, fill missing blocks and get the app status and loading progress
	allowxperm priv_app apk_data_file:file ioctl {
	INCFS_IOCTL_READ_SIGNATURE
	INCFS_IOCTL_FILL_BLOCKS
	INCFS_IOCTL_GET_BLOCK_COUNT
	INCFS_IOCTL_GET_FILLED_BLOCKS
	};

	# allow privileged data loader apps (e.g. com.android.vending) to read logs from Incremental File System
	allow priv_app incremental_control_file:file { read getattr ioctl };

	# allow apps like Phonesky to request permission to fill blocks of an apk file
	# on the Incremental File System.
	allowxperm priv_app incremental_control_file:file ioctl INCFS_IOCTL_PERMIT_FILL;

	# allow privileged apps to read the vendor property that indicates if Incremental File System is enabled
	get_prop(priv_app, incremental_prop)

	# allow privileged apps to read the device config flags.
	get_prop(priv_app, device_config_aconfig_flags_prop)

	# allow privileged apps to read boot reason property
	get_prop(priv_app, system_boot_reason_prop)

	# Required for Phonesky to be able to read APEX files under /data/apex/active/.
	allow priv_app apex_data_file:dir search;
	allow priv_app staging_data_file:file r_file_perms;
	# Required for Phonesky to be able to read staged files under /data/app-staging.
	allow priv_app staging_data_file:dir r_dir_perms;

	# Allow com.android.vending to access files under vendor/apex as well as system apex files.
	# This is required for com.android.vending to handle APEXes for e.g. delta patch optimization.
	allow priv_app vendor_apex_file:dir r_dir_perms;
	allow priv_app vendor_apex_file:file r_file_perms;

	# allow priv app to access the system app data files for ContentProvider case.
	allow priv_app system_app_data_file:file { read getattr };

	# Allow the renderscript compiler to be run.
	domain_auto_trans(priv_app, rs_exec, rs)

	# Allow loading and deleting executable shared libraries
	# within an application home directory. Such shared libraries would be
	# created by things like renderscript or via other mechanisms.
	allow priv_app app_exec_data_file:file { r_file_perms execute unlink };

	# Allow privileged apps to create a VM. Note that access is still
	# guarded with the `android.permission.MANAGE_VIRTUAL_MACHINE`
	# permission.
	virtualizationservice_use(priv_app)

	###
	### neverallow rules
	###

	# Receive or send uevent messages.
	neverallow priv_app domain:netlink_kobject_uevent_socket *;

	# Receive or send generic netlink messages
	neverallow priv_app domain:netlink_socket *;

	# Read or write kernel printk buffer
	neverallow priv_app kmsg_device:chr_file no_rw_file_perms;

	# Too much leaky information in debugfs. It's a security
	# best practice to ensure these files aren't readable.
	neverallow priv_app debugfs_type:file read;

	# Do not allow privileged apps to register services.
	# Only trusted components of Android should be registering
	# services.
	neverallow priv_app service_manager_type:service_manager add;

	# Do not allow privileged apps to connect to the property service
	# or set properties. b/10243159
	neverallow priv_app property_socket:sock_file write;
	neverallow priv_app init:unix_stream_socket connectto;
	neverallow priv_app property_type:property_service set;

	# Do not allow priv_app to be assigned mlstrustedsubject.
	# This would undermine the per-user isolation model being
	# enforced via levelFrom=user in seapp_contexts and the mls
	# constraints. As there is no direct way to specify a neverallow
	# on attribute assignment, this relies on the fact that fork
	# permission only makes sense within a domain (hence should
	# never be granted to any other domain within mlstrustedsubject)
	# and priv_app is allowed fork permission to itself.
	neverallow priv_app mlstrustedsubject:process fork;

	# Do not allow priv_app to hard link to any files.
	# In particular, if priv_app links to other app data
	# files, installd will not be able to guarantee the deletion
	# of the linked to file. Hard links also contribute to security
	# bugs, so we want to ensure priv_app never has this
	# capability.
	neverallow priv_app file_type:file link;

	# priv apps should not be able to open trace data files, they should depend
	# upon traceur to pass a file descriptor which they can then read
	neverallow priv_app trace_data_file:dir *;
	neverallow priv_app trace_data_file:file { no_w_file_perms open };

	# Do not allow priv_app access to cgroups.
	neverallow priv_app cgroup:file *;
	neverallow priv_app cgroup_v2:file *;

	# Do not allow loading executable code from non-privileged
	# application home directories. Code loading across a security boundary
	# is dangerous and allows a full compromise of a privileged process
	# by an unprivileged process. b/112357170
	neverallow priv_app { app_data_file_type -privapp_data_file }:file no_x_file_perms;

	# Do not follow any app provided symlinks
	neverallow priv_app { app_data_file_type -privapp_data_file }:lnk_file { open read getattr };

	# Do not allow getting permission-protected network information from sysfs.
	neverallow priv_app sysfs_net:file *;

	# Restrict socket ioctls. Either 1. disallow privileged ioctls, 2. disallow the
	# ioctl permission, or 3. disallow the socket class.
	neverallowxperm priv_app domain:{ icmp_socket rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
	neverallow priv_app *:{ netlink_route_socket netlink_selinux_socket } ioctl;
	neverallow priv_app *:{
	socket netlink_socket packet_socket key_socket appletalk_socket
	netlink_tcpdiag_socket netlink_nflog_socket
	netlink_xfrm_socket netlink_audit_socket
	netlink_dnrt_socket netlink_kobject_uevent_socket tun_socket
	netlink_iscsi_socket netlink_fib_lookup_socket netlink_connector_socket
	netlink_netfilter_socket netlink_generic_socket netlink_scsitransport_socket
	netlink_rdma_socket netlink_crypto_socket sctp_socket
	ax25_socket ipx_socket netrom_socket atmpvc_socket x25_socket rose_socket decnet_socket
	atmsvc_socket rds_socket irda_socket pppox_socket llc_socket can_socket tipc_socket
	bluetooth_socket iucv_socket rxrpc_socket isdn_socket phonet_socket ieee802154_socket caif_socket
	alg_socket nfc_socket kcm_socket qipcrtr_socket smc_socket xdp_socket
	} *;

	# Allow priv apps to report off body events to keystore2.
	allow priv_app keystore:keystore2 report_off_body;

	# Allow priv_apps to check if archiving is enabled
	get_prop(priv_app, pm_archiving_enabled_prop)