diff --git a/private/bpfloader.te b/private/bpfloader.te
index 0ad2c6b82..1d96b00af 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -68,7 +68,7 @@ neverallow {
 neverallow { domain -bpfloader -gpuservice -lmkd -mediaprovider_app -netd -network_stack -system_server -uprobestats } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
-neverallow { coredomain -bpfloader } fs_bpf_vendor:file *;
+neverallow { coredomain -bpfloader -netd -netutils_wrapper } fs_bpf_vendor:file *;
 neverallow bpfloader *:{ tcp_socket udp_socket rawip_socket } *;
diff --git a/private/netd.te b/private/netd.te
index 8be8212a8..6d1c10c09 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -6,9 +6,9 @@ init_daemon_domain(netd)
 # Allow netd to spawn dnsmasq in it's own domain
 domain_auto_trans(netd, dnsmasq_exec, dnsmasq)
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
-allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read };
-allow netd { fs_bpf fs_bpf_netd_shared }:file write;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netd { fs_bpf fs_bpf_netd_shared }:file write;
 # give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
 # the map created by bpfloader
diff --git a/private/netutils_wrapper.te b/private/netutils_wrapper.te
index 01f191561..a26181fd7 100644
--- a/private/netutils_wrapper.te
+++ b/private/netutils_wrapper.te
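Review bot: The widened neverallow on the `+` line exempts netd and netutils_wrapper from the entire `fs_bpf_vendor:file *` guard, although the netd.te and netutils_wrapper.te hunks in this same change grant those two domains only `{ getattr read }` on that type. As written, a later `allow netd fs_bpf_vendor:file write` would no longer be rejected at policy build time, which is precisely what this neverallow exists to catch. Keeping the carve-out but pairing it with a narrower guard preserves that property: `neverallow { netd netutils_wrapper } fs_bpf_vendor:file ~{ getattr read };`. A one-line comment above the rule naming the reason for the exemption (vendor xt_bpf programs read when iptables rules are reloaded, going by the netutils_wrapper.te comment in this change) would also help the next reader.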
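Review bot: The new `fs_bpf_vendor` entries in the netd.te `dir search` and `file { getattr read }` rules carry no comment saying why netd must read vendor-pinned BPF objects, whereas the matching netutils_wrapper.te rules in this change sit under a comment explaining the vendor iptables reload case. A short comment above the first rule, such as `# netd reads vendor-pinned xt_bpf programs when reloading iptables rules (see netutils_wrapper.te)`, would record the intent; adjust it if netd's reason differs. The third `-`/`+` pair re-adds the `write` rule unchanged as far as this view shows, so if that is only a whitespace difference the churn could be dropped; the same applies to the netutils_wrapper.te hunk. Write access is correctly not extended to fs_bpf_vendor.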
@@ -25,9 +25,9 @@ binder_call(netutils_wrapper, netd);
 # For vendor code that update the iptables rules at runtime. They need to reload
 # the whole chain including the xt_bpf rules. They need to access to the pinned
 # program when reloading the rule.
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:dir search;
-allow netutils_wrapper { fs_bpf fs_bpf_netd_shared }:file { getattr read };
-allow netutils_wrapper { fs_bpf }:file write;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:dir search;
+allow netutils_wrapper { fs_bpf fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
+allow netutils_wrapper { fs_bpf }:file write;
 allow netutils_wrapper bpfloader:bpf prog_run;
 # For /data/misc/net access to ndc and ip
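Review bot: The comment block above the changed rules still describes access to "the pinned program" without saying that the program may now live under fs_bpf_vendor, so the reason for the added type is not recorded next to the rule that grants it. Extending the last comment line, e.g. `# program when reloading the rule; vendor-pinned programs presumably live under fs_bpf_vendor.`, keeps the rationale with the rule; the actual pin path is not shown in this diff, so confirm it before committing the wording. Write access stays confined to fs_bpf, which matches the read-only intent of the new entries.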