blob: 07e4271f7973a0339aebe1d343e77f09eefdeb79 [file] [log] [blame]
# Bind to ports.
allow {netdomain -ephemeral_app -sdk_sandbox} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:udp_socket name_bind;
allow {netdomain -ephemeral_app -sdk_sandbox} port_type:tcp_socket name_bind;
# b/141455849 gate RTM_GETLINK with a new permission nlmsg_readpriv and block access from
# untrusted_apps.
# b/171572148 gate RTM_GETNEIGH{TBL} with a new permission nlmsg_getneigh and block access from
# untrusted_apps. Some untrusted apps (e.g. untrusted_app_25-30) are granted access elsewhere
# to avoid app-compat breakage.
allow {
netdomain
-ephemeral_app
-mediaprovider
-priv_app
-sdk_sandbox
-untrusted_app_all
} self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };