diff --git a/private/app_zygote.te b/private/app_zygote.te
index c111ac88e..5f200860f 100644
--- a/private/app_zygote.te
+++ b/private/app_zygote.te
@@ -70,6 +70,9 @@ r_dir_file(app_zygote, vendor_overlay_file)
 allow app_zygote system_data_file:lnk_file r_file_perms;
 allow app_zygote system_data_file:file { getattr read map };
+# Send unsolicited message to system_server
+unix_socket_send(app_zygote, system_unsolzygote, system_server)
+
 #####
 ##### Neverallow
 #####
@@ -136,6 +139,7 @@ neverallow app_zygote {
 domain
 -app_zygote
 -logd
+ -system_server
 userdebug_or_eng(`-su')
 userdebug_or_eng(`-heapprofd')
 }:unix_dgram_socket *;
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 76a8c6b7e..e96ded971 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -65,6 +65,7 @@
 system_group_file
 system_jvmti_agent_prop
 system_passwd_file
+ system_unsolzygote_socket
 tethering_service
 timezonedetector_service
 usb_serial_device
diff --git a/private/file_contexts b/private/file_contexts
index 560d1904b..96fd35bd0 100644
--- a/private/file_contexts
+++ b/private/file_contexts
@@ -465,6 +465,7 @@
 /data/backup(/.*)? u:object_r:backup_data_file:s0
 /data/secure/backup(/.*)? u:object_r:backup_data_file:s0
 /data/system/ndebugsocket u:object_r:system_ndebug_socket:s0
+/data/system/unsolzygotesocket u:object_r:system_unsolzygote_socket:s0
 /data/drm(/.*)? u:object_r:drm_data_file:s0
 /data/resource-cache(/.*)? u:object_r:resourcecache_data_file:s0
 /data/dalvik-cache(/.*)? u:object_r:dalvikcache_data_file:s0
diff --git a/private/system_server.te b/private/system_server.te
index 8d4e4f81f..64419feca 100644
--- a/private/system_server.te
+++ b/private/system_server.te
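Review bot: The comment added above `unix_socket_send(app_zygote, system_unsolzygote, system_server)` in the first hunk of private/app_zygote.te does not say what the message is or how far the receiver may trust it, and the same one-line comment is repeated in the private/webview_zygote.te and private/zygote.te hunks. app_zygote presumably runs app-supplied preload code, so this rule gives less-trusted code a new input into system_server, and the policy only controls who may send, not what is sent. I would extend the comment to something like `# Datagram-only channel to system_server; the receiver must treat the payload as untrusted.`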
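Review bot: Adding `-system_server` to the exclusion list in the second hunk of private/app_zygote.te exempts system_server from a neverallow that covers every permission (`*`) on `unix_dgram_socket`, although the new `unix_socket_send` macro should only need `sendto`. That leaves room for a later rule to grant app_zygote more on system_server's datagram sockets without tripping any assertion. If nothing else in app_zygote needs more, a companion assertion after this block would keep the exemption tight: `neverallow app_zygote system_server:unix_dgram_socket ~sendto;`. The neverallow block itself opens above the hunk, so I am reading its head only from the hunk header.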
@@ -14,6 +14,9 @@ tmpfs_domain(system_server)
 # Create a socket for connections from crash_dump.
 type_transition system_server system_data_file:sock_file system_ndebug_socket "ndebugsocket";
+# Create a socket for connections from zygotes.
+type_transition system_server system_data_file:sock_file system_unsolzygote_socket "unsolzygotesocket";
+
 allow system_server zygote_tmpfs:file read;
 allow system_server appdomain_tmpfs:file { getattr map read write };
@@ -657,6 +660,9 @@ get_prop(system_server, apk_verity_prop)
 # Create a socket for connections from debuggerd.
 allow system_server system_ndebug_socket:sock_file create_file_perms;
+# Create a socket for connections from zygotes.
+allow system_server system_unsolzygote_socket:sock_file create_file_perms;
+
 # Manage cache files.
 allow system_server cache_file:lnk_file r_file_perms;
 allow system_server { cache_file cache_recovery_file }:dir { relabelfrom create_dir_perms };
@@ -975,6 +981,16 @@ neverallow system_server *:process dyntransition;
 # Only allow crash_dump to connect to system_ndebug_socket.
 neverallow { domain -init -system_server -crash_dump } system_ndebug_socket:sock_file { open write };
+# Only allow zygotes to connect to system_unsolzygote_socket.
+neverallow {
+ domain
+ -init
+ -system_server
+ -zygote
+ -app_zygote
+ -webview_zygote
+} system_unsolzygote_socket:sock_file { open write };
+
 # Only allow init, system_server, flags_health_check to set properties for server configurable flags
 neverallow {
 domain
diff --git a/private/webview_zygote.te b/private/webview_zygote.te
index 8fe9733e5..c618253e5 100644
--- a/private/webview_zygote.te
+++ b/private/webview_zygote.te
@@ -77,6 +77,9 @@ allow webview_zygote same_process_hal_file:file { execute read open getattr map
 allow webview_zygote system_data_file:lnk_file r_file_perms;
+# Send unsolicited message to system_server
+unix_socket_send(webview_zygote, system_unsolzygote, system_server)
+
 #####
 ##### Neverallow
 #####
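Review bot: The comments added in private/system_server.te with the `type_transition` (hunk at -14,6), the `allow` (hunk at -657,6) and the `neverallow` (hunk at -975,6) speak of "connections" and "connect", but the zygote side uses `unix_socket_send`, which as far as I know grants only `sendto` on a datagram socket, so nothing connects. The wording looks copied from the ndebug rules and could mislead a reader into expecting stream-socket permissions. I would reword to `# Create a datagram socket that zygotes send unsolicited messages to.` and note on the transition that the name `"unsolzygotesocket"` has to stay in sync with the `/data/system/unsolzygotesocket` entry in private/file_contexts.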
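Review bot: The new neverallow in the -975,6 hunk of private/system_server.te asserts only `{ open write }` on the sock_file, so it does not stop a later rule from letting another domain `create` or `unlink` `system_unsolzygote_socket`, i.e. replace the endpoint the zygotes send to. Because the type is declared `mlstrustedobject` in public/file.te, type enforcement is the only gate on this object. A second assertion such as `neverallow { domain -init -system_server } system_unsolzygote_socket:sock_file { create unlink rename relabelto };` would pin that down. Whether existing broad data_file_type rules conflict with it needs a policy build to confirm.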
diff --git a/private/zygote.te b/private/zygote.te
index 6ad6db4e8..da06837dc 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -176,6 +176,9 @@ dontaudit zygote self:global_capability_class_set sys_resource;
 # Allow zygote to use ashmem fds from system_server.
 allow zygote system_server:fd use;
+# Send unsolicited message to system_server
+unix_socket_send(zygote, system_unsolzygote, system_server)
+
 ###
 ### neverallow rules
 ###
diff --git a/public/file.te b/public/file.te
index 3348fd47c..8cd515705 100644
--- a/public/file.te
+++ b/public/file.te
@@ -452,6 +452,7 @@ type rild_debug_socket, file_type;
 type statsdw_socket, file_type, coredomain_socket, mlstrustedobject;
 type system_wpa_socket, file_type, data_file_type, core_data_file_type, coredomain_socket;
 type system_ndebug_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
+type system_unsolzygote_socket, file_type, data_file_type, core_data_file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
 type tombstoned_java_trace_socket, file_type, mlstrustedobject;
 type tombstoned_intercept_socket, file_type, coredomain_socket;
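Review bot: The new `system_unsolzygote_socket` declaration in public/file.te carries `mlstrustedobject` with no explanation, apparently copied from the `system_ndebug_socket` line above it. That attribute takes the object out of MLS write checks, so the type-enforcement rules and the neverallow in private/system_server.te are the only limit on who can write to it. It is presumably needed because app_zygote and webview_zygote run at app MLS levels, but that should be stated. I would add a comment above the line such as `# mlstrustedobject: senders run at arbitrary MLS levels; writers are limited by the neverallow in private/system_server.te.`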