diff --git a/private/bpfdomain.te b/private/bpfdomain.te
new file mode 100644
index 000000000..f0888a7f0
--- /dev/null
+++ b/private/bpfdomain.te
@@ -0,0 +1,13 @@
+# platform should have ownership of network attachpoints for BPF
+neverallow {
+  bpfdomain
+  -bpfloader
+  -netd
+  -netutils_wrapper
+  -network_stack
+  -system_server
+} self:global_capability_class_set { net_admin net_raw };
+
+# any domain which uses bpf is a bpfdomain
+neverallow { domain -bpfdomain } *:bpf *;
+
diff --git a/private/bpfloader.te b/private/bpfloader.te
index 3fbc8dcac..7644cac84 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -1,5 +1,7 @@
 type bpfloader_exec, system_file_type, exec_type, file_type;
 
+typeattribute bpfloader bpfdomain;
+
 # allow bpfloader to write to the kernel log (starts early)
 allow bpfloader kmsg_device:chr_file w_file_perms;
 
diff --git a/private/gpuservice.te b/private/gpuservice.te
index f20d932e6..35167d58a 100644
--- a/private/gpuservice.te
+++ b/private/gpuservice.te
@@ -1,5 +1,7 @@
 # gpuservice - server for gpu stats and other gpu related services
 typeattribute gpuservice coredomain;
+typeattribute gpuservice bpfdomain;
+
 type gpuservice_exec, system_file_type, exec_type, file_type;
 init_daemon_domain(gpuservice)
 
diff --git a/private/lmkd.te b/private/lmkd.te
index aee1b7f19..13828a4a0 100644
--- a/private/lmkd.te
+++ b/private/lmkd.te
@@ -1,4 +1,5 @@
 typeattribute lmkd coredomain;
+typeattribute lmkd bpfdomain;
 
 init_daemon_domain(lmkd)
 
diff --git a/private/mediaprovider_app.te b/private/mediaprovider_app.te
index 82dcdb2d6..bcbbfcc5f 100644
--- a/private/mediaprovider_app.te
+++ b/private/mediaprovider_app.te
@@ -1,7 +1,7 @@
 ###
 ### A domain for further sandboxing the MediaProvider mainline module.
 ###
-type mediaprovider_app, domain, coredomain;
+type mediaprovider_app, domain, coredomain, bpfdomain;
 
 app_domain(mediaprovider_app)
 
diff --git a/private/netd.te b/private/netd.te
index a0c8f8f07..10ba20e6b 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -1,4 +1,5 @@
 typeattribute netd coredomain;
+typeattribute netd bpfdomain;
 
 init_daemon_domain(netd)
 
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index cdc342db9..06aadc23a 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
@@ -1,4 +1,5 @@
 typeattribute netutils_wrapper coredomain;
+typeattribute netutils_wrapper bpfdomain;
 
 r_dir_file(netutils_wrapper, system_file);
 
diff --git a/private/network_stack.te b/private/network_stack.te
index 254688818..b1059382d 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,7 @@
 # Networking service app
-typeattribute network_stack coredomain, mlstrustedsubject;
+typeattribute network_stack coredomain;
+typeattribute network_stack mlstrustedsubject;
+typeattribute network_stack bpfdomain;
 app_domain(network_stack);
 net_domain(network_stack);
 
diff --git a/private/system_server.te b/private/system_server.te
index 79817ef4a..9de6cae60 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -8,6 +8,7 @@ typeattribute system_server mlstrustedsubject;
 typeattribute system_server scheduler_service_server;
 typeattribute system_server sensor_service_server;
 typeattribute system_server stats_service_server;
+typeattribute system_server bpfdomain;
 
 # Define a type for tmpfs-backed ashmem regions.
 tmpfs_domain(system_server)
diff --git a/public/attributes b/public/attributes
index b97bffc19..73861bdf4 100644
--- a/public/attributes
+++ b/public/attributes
@@ -219,6 +219,10 @@ attribute bluetoothdomain;
 # All domains used for binder service domains.
 attribute binderservicedomain;
 
+# All domains which have BPF access.
+attribute bpfdomain;
+expandattribute bpfdomain false;
+
 # update_engine related domains that need to apply an update and run
 # postinstall. This includes the background daemon and the sideload tool from
 # recovery for A/B devices.
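Review bot: The header comment on the first neverallow in bpfdomain.te does not say that the bracketed exemption list is the allowlist of domains permitted to hold net_admin/net_raw while being a bpfdomain, so a reader has to infer why gpuservice, lmkd and mediaprovider_app are absent and what happens when a new bpfdomain member needs those capabilities (the policy build rejects it). I would replace it with `# Only the network-owning platform domains exempted below may combine BPF access with net_admin/net_raw; every other bpfdomain may use BPF but must not be able to attach programs to network hooks. A new bpfdomain that needs these capabilities must be added to this list explicitly.` It is also worth stating that this rule keys on `self:global_capability_class_set` only, so it bounds the capability grant and not which bpf-class permissions (map_read, map_write, prog_run, …) each member actually receives; those come from per-domain allow rules outside this file. The second neverallow makes bpfdomain the sole gate to the `bpf` object class, which means the set of `typeattribute … bpfdomain` declarations is the audit surface for BPF on the platform and deserves a sentence in that comment as well.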
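Review bot: mediaprovider_app is an app_domain-sandboxed mainline module, and the changed `type` line grants it the bpfdomain attribute with no comment on what it needs BPF for, unlike netd or network_stack where the reason is self-evident. Since the attribute is now the only way into the `bpf` object class, I would add a one-line rationale above the type declaration, e.g. `# bpfdomain: MediaProvider needs the bpf class for <reason>; see its allow rules below.`, with the actual reason filled in by the author since it is not visible in this hunk. The allow rules that define what this domain may do with BPF are outside the hunk.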
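Review bot: `expandattribute bpfdomain false;` in public/attributes is added with no comment explaining why the attribute must stay unexpanded, which matters because bpfdomain is the subject of neverallow rules elsewhere in this change. Presumably it is kept so the attribute survives into the compiled policy and the bpf neverallows can be checked against the binary policy rather than only at source compile time; if so, `# Kept unexpanded: bpfdomain is referenced by neverallow rules and must survive into the compiled policy.` next to it would save the next reader a search. The adjacent attribute comment could also say that membership is restricted to domains that legitimately need the bpf object class, since the attribute is now the gate for it.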