diff --git a/private/untrusted_app.te b/private/untrusted_app.te
index 68c1a41bd19c50f3e2e9d8bc3c0d7d6f9e52b155..93a73f143b75eaabcb03925b62f73767d1a0acc5 100644
--- a/private/untrusted_app.te
+++ b/private/untrusted_app.te
@@ -24,6 +24,14 @@ untrusted_app_domain(untrusted_app)
 net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 
+# allow untrusted apps to use UDP sockets provided by the system server but not
+# modify them other than to connect
+allow untrusted_app system_server:udp_socket { connect getattr read recvfrom sendto write };
+
 # Allow the allocation and use of ptys
 # Used by: https://play.google.com/store/apps/details?id=jackpal.androidterm
 create_pty(untrusted_app)
+
+neverallow untrusted_app system_server:udp_socket {
+        accept append bind create getopt ioctl listen lock name_bind
+        relabelfrom relabelto setattr setopt shutdown };