diff --git a/BUILD.gn b/BUILD.gn
index 30206a9ebe132245fc0ce24a3446010bdcf45ec4..88cf9ef2c01f4871b980b113085bd5d299d52a5d 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -89,6 +89,7 @@ ohos_static_library("appspawn_server") {
 deps = [
 "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc",
 "//base/startup/init/interfaces/innerkits:libbegetutil",
+ "//foundation/communication/netmanager_base/services/netmanagernative/netsys_client:netsys_client",
 "//utils/native/base:utils",
 ]
 external_deps = [ "hiviewdfx_hilog_native:libhilog" ]
@@ -132,6 +133,7 @@ ohos_static_library("nwebspawn_server") {
 deps = [
 "//base/security/access_token/interfaces/innerkits/token_setproc:libtoken_setproc",
 "//base/startup/init/interfaces/innerkits:libbegetutil",
+ "//foundation/communication/netmanager_base/services/netmanagernative/netsys_client:netsys_client",
 "//utils/native/base:utils",
 ]
 external_deps = [ "hiviewdfx_hilog_native:libhilog" ]
diff --git a/common/appspawn_server.c b/common/appspawn_server.c
index d46161f717ade0d75d2db529c171e3a6bad87be4..8a8104344235cc646577e47780d1e3ed77270ed1 100644
--- a/common/appspawn_server.c
+++ b/common/appspawn_server.c
@@ -45,11 +45,36 @@ static void ProcessExit(void) #endif } +#ifndef APPSPAWN_TEST +#ifndef OHOS_LITE +void DisallowInternet(void); +#endif +#endif + +static void SetInternetPermission(AppSpawnClient *client) +{ +#ifndef APPSPAWN_TEST +#ifndef OHOS_LITE + if (client == NULL) { + return; + } + + APPSPAWN_LOGI("SetInternetPermission id %d setAllowInternet %hhu allowInternet %hhu", client->id, + client->setAllowInternet, client->allowInternet); + if (client->setAllowInternet == 1 && client->allowInternet == 0) { + DisallowInternet(); + } +#endif +#endif +} + int DoStartApp(struct AppSpawnContent_ *content, AppSpawnClient *client, char *longProcName, uint32_t longProcNameLen) { APPSPAWN_LOGI("DoStartApp id %d longProcNameLen %u", client->id, longProcNameLen); int32_t ret = 0; + SetInternetPermission(client); + if (content->setAppSandbox) { ret = content->setAppSandbox(content, client); APPSPAWN_CHECK(ret == 0, NotifyResToParent(content, client, ret); diff --git a/common/appspawn_server.h b/common/appspawn_server.h index 7169347b4cbafab349f5030fa4584c4e53450853..39f46cdd5eec5a837dbcd8396a6aea43481a5501 100644 --- a/common/appspawn_server.h +++ b/common/appspawn_server.h @@ -40,6 +40,14 @@ extern "C" { typedef struct AppSpawnClient_ { uint32_t id; uint32_t flags; +#ifndef APPSPAWN_TEST +#ifndef OHOS_LITE + uint8_t setAllowInternet; + uint8_t allowInternet; + uint8_t reserved1; + uint8_t reserved2; +#endif +#endif } AppSpawnClient; #define MAX_SOCKEYT_NAME_LEN 128 diff --git a/interfaces/innerkits/include/appspawn_msg.h b/interfaces/innerkits/include/appspawn_msg.h index 3ab90a6c64000c21798ec7e824fc4134f2622eee..946a72df9476db974755a04200c4f539b58fe02b 100644 --- a/interfaces/innerkits/include/appspawn_msg.h +++ b/interfaces/innerkits/include/appspawn_msg.h 
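Review bot: `DisallowInternet()` is declared `void` in the hand-written prototype at the top of this hunk, so neither `SetInternetPermission` nor `DoStartApp` can tell whether the restriction was actually applied, and the app keeps starting either way. A deny decision should fail closed: if the netsys_client call can report an error, return it from `SetInternetPermission` and check it in `DoStartApp` the same way the `setAppSandbox` result is checked with `APPSPAWN_CHECK`. Taking the prototype from the netsys_client header instead of redeclaring it here would let the compiler catch a signature change. The `client == NULL` guard is unreachable as placed, because `DoStartApp` already dereferences `client->id` in its first log line. The body of `DoStartApp` continues past the end of the hunk.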
@@ -72,6 +72,14 @@ typedef struct AppParameter_ { int32_t pid; // query render process exited status by render process pid int32_t bundleIndex; AppOperateType code; +#ifndef APPSPAWN_TEST +#ifndef OHOS_LITE + uint8_t setAllowInternet; + uint8_t allowInternet; // hap sockect allowed + uint8_t reserved1; + uint8_t reserved2; +#endif +#endif } AppParameter; #ifdef __cplusplus diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c index cdb8aaf87f5e95dadc07f02308a046fbb480899d..1456d03ba003fc24ff712a7f16a3ff82d4be52db 100644 --- a/standard/appspawn_service.c +++ b/standard/appspawn_service.c @@ -327,6 +327,16 @@ static void GetProcessTerminationStatus(AppSpawnClientExt *appProperty) } #endif +APPSPAWN_STATIC void SetInternetPermission(AppSpawnClientExt *appProperty) +{ +#ifndef APPSPAWN_TEST + if (appProperty->property.setAllowInternet == 1 && appProperty->property.allowInternet == 0) { + appProperty->client.setAllowInternet = 1; + appProperty->client.allowInternet = 0; + } +#endif +} + APPSPAWN_STATIC void OnReceiveRequest(const TaskHandle taskHandle, const uint8_t *buffer, uint32_t buffLen) { APPSPAWN_CHECK(buffer != NULL && buffLen >= sizeof(AppParameter), LE_CloseTask(LE_GetDefaultLoop(), taskHandle); @@ -352,6 +362,7 @@ APPSPAWN_STATIC void OnReceiveRequest(const TaskHandle taskHandle, const uint8_t return, "Invalid property %u", appProperty->property.gidCount); // special handle bundle name medialibrary and scanner HandleSpecial(appProperty); + SetInternetPermission(appProperty); if (g_appSpawnContent->timer != NULL) { LE_StopTimer(LE_GetDefaultLoop(), g_appSpawnContent->timer); g_appSpawnContent->timer = NULL; 
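Review bot: The four new bytes change `sizeof(AppParameter)` only when neither `APPSPAWN_TEST` nor `OHOS_LITE` is defined, and `OnReceiveRequest` in standard/appspawn_service.c accepts a request on `buffLen >= sizeof(AppParameter)`, so every sender and the server must be built with the same macro set or the size check and field offsets disagree. Declaring the fields unconditionally in the message struct and gating only their use would remove that coupling. `AppSpawnClient_` in common/appspawn_server.h gets the same conditional layout. The fields would also benefit from a comment on what the values mean; from the visible uses it appears to be `// 1: allowInternet below is a valid choice; 0: keep the default`. The struct starts before the hunk.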
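Review bot: Only the exact pair `setAllowInternet == 1 && allowInternet == 0` is copied in this `SetInternetPermission`; any other byte values in the received `AppParameter` leave the defaults from `OnConnection` in place, which is the allow state. If the request can come from anything less trusted than the component that owns the permission decision, it is safer to treat everything except an explicit allow as deny, e.g. `if (appProperty->property.setAllowInternet != 0 && appProperty->property.allowInternet != 1) {`. The function also shares its name with the static `SetInternetPermission` in common/appspawn_server.c, which does a different job. A distinct name and a one-line comment saying this one only copies the request flags into `client` would avoid mixing them up.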
@@ -420,6 +431,10 @@ APPSPAWN_STATIC int OnConnection(const LoopHandle loopHandle, const TaskHandle s
 client->stream = stream;
 client->client.id = ++clientId;
 client->client.flags = 0;
+#ifndef APPSPAWN_TEST
+ client->client.setAllowInternet = 0;
+ client->client.allowInternet = 1;
+#endif
 APPSPAWN_LOGI("OnConnection client fd %d Id %d", LE_GetSocketFd(stream), client->client.id);
 #ifdef APPSPAWN_TEST
 g_testClientHandle = stream;
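Review bot: These assignments are guarded by `#ifndef APPSPAWN_TEST` alone, while the fields are declared in `AppSpawnClient_` under both `#ifndef APPSPAWN_TEST` and `#ifndef OHOS_LITE`; the same single guard is used in `SetInternetPermission` earlier in this file. That compiles only while this file is never built with `OHOS_LITE` defined, which is likely for standard/ but not visible here, so matching the header's guards would keep the three places in step. `reserved1` and `reserved2` are not initialised in this hunk, so unless `client` is zeroed where it is allocated (outside the hunk) they hold stale bytes. A short comment would document the fail-open default, e.g. `/* default: allow; overridden only by an explicit deny in the request */`.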