# Socket binding for network-capable domains.
#
# node_bind lets a socket bind to a local address (node_type); name_bind lets
# it bind to a port number (port_type). Both are granted to netdomain with
# ephemeral_app and sdk_sandbox carved out. Note that node_bind on icmp/rawip
# sockets does not by itself permit creating those socket classes -- the
# create permission, if any, is granted elsewhere (not visible in this file).
allow {
    netdomain
    -ephemeral_app
    -sdk_sandbox
} node_type:{ icmp_socket rawip_socket tcp_socket udp_socket } node_bind;
allow {
    netdomain
    -ephemeral_app
    -sdk_sandbox
} port_type:{ tcp_socket udp_socket } name_bind;

# Privileged netlink route-socket operations.
#
# b/141455849: RTM_GETLINK is gated behind the nlmsg_readpriv permission.
# b/171572148: RTM_GETNEIGH / RTM_GETNEIGHTBL are gated behind nlmsg_getneigh.
# Both permissions (together with bind) are granted to netdomain but withheld
# from untrusted_app_all, ephemeral_app, sdk_sandbox and mediaprovider.
# Some untrusted app domains (e.g. untrusted_app_25-30) are granted these
# permissions elsewhere to avoid app-compat breakage, so this rule alone does
# not describe what those domains can do.
allow { netdomain -ephemeral_app -mediaprovider -sdk_sandbox -untrusted_app_all }
    self:netlink_route_socket { bind nlmsg_readpriv nlmsg_getneigh };