diff --git a/private/bpfloader.te b/private/bpfloader.te
index de7e8a43d..33d37835b 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -47,8 +47,8 @@ neverallow { domain -bpfloader -gpuservice -lmkd -netd -netut
 neverallow { domain -bpfloader } bpffs_type:lnk_file ~read;
 neverallow { domain -bpfdomain } bpffs_type:lnk_file read;
-neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfdomain } *:bpf { map_read map_write prog_run };
+neverallow { domain -bpfloader } *:bpf prog_load;
+neverallow { domain -bpfdomain } *:bpf { map_create map_read map_write prog_run };
 # 'fs_bpf_loader' is for internal use of the BpfLoader oneshot boot time process.
 neverallow { domain -bpfloader } fs_bpf_loader:bpf *;
diff --git a/private/netd.te b/private/netd.te
index a466ef12c..37581a699 100644
--- a/private/netd.te
+++ b/private/netd.te
@@ -10,12 +10,14 @@ allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:dir
 allow netd { fs_bpf fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_vendor }:file { getattr read };
 allow netd { fs_bpf fs_bpf_netd_shared }:file write;
-# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup, and read/write
-# the map created by bpfloader
-allow netd bpfloader:bpf { prog_run map_read map_write };
+# give netd permission to setup iptables rule with xt_bpf, attach program to cgroup,
+# create maps, and read/write maps created by bpfloader, itself and NS/SS mainline networking
+allow netd bpfloader:bpf prog_run;
+allow netd self:bpf map_create;
+allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
-# TODO: Remove this permission when 4.9 kernel is deprecated.
+# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
 # TODO: Remove this after we remove all bpf interactions from netd.
 allow netd self:key_socket create;
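Review bot: The rewritten second neverallow moves map_create from the bpfloader-only set to the whole bpfdomain attribute, but nothing in bpfloader.te records why prog_load stays exclusive while map creation no longer is, so the next reader cannot tell whether the relaxation was deliberate. Suggest a comment above the two rules: `# Only bpfloader may load programs; any bpfdomain member may create its own maps` and `# (granted via self:bpf map_create in netd.te, network_stack.te and system_server.te)`. Since the bpf class cannot express map type or size, keeping prog_load under the `domain -bpfloader` neverallow is now the single invariant that matters here, and it is worth saying so next to the rule. The unchanged `fs_bpf_loader:bpf *` neverallow below it still holds.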
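Review bot: The new `allow netd { bpfloader netd network_stack system_server }:bpf { map_read map_write };` is keyed on the domain that created a map, not on which map it is, so netd gains read and write access to every map system_server or network_stack creates from now on (both get `self:bpf map_create` in this same change), not only the networking maps the comment above describes. The identical mutual grant is added in network_stack.te and system_server.te, so the same breadth applies in each direction. If that is intended, the new comment should state it, e.g. `# NB: map_read/map_write on a domain covers every map that domain creates, not just networking maps`; if not, the target set should be narrowed to the domains whose maps netd actually shares. The TODO rewording to reference synchronizeKernelRCU() is fine as written.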
diff --git a/private/network_stack.te b/private/network_stack.te
index 7587c1f46..4450e02ba 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -45,6 +45,7 @@ allow network_stack radio_data_file:file create_file_perms;
 binder_call(network_stack, netd);
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
+# TODO: Still needed as of kernel 6.6-rc1 - see BpfUtils.h synchronizeKernelRCU()
 allow network_stack self:key_socket create;
 # Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
 # calls if (fd.isSocket$()) if (isLingerSocket(fd)) ...
@@ -63,7 +64,10 @@ allow network_stack network_stack_service:service_manager find;
 # allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:dir search;
 allow network_stack { fs_bpf_net_private fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared fs_bpf_tethering }:file { getattr read write };
-allow network_stack bpfloader:bpf { map_read map_write prog_run };
+allow network_stack bpfloader:bpf prog_run;
+allow network_stack self:bpf map_create;
+allow network_stack { bpfloader netd network_stack system_server }:bpf { map_read map_write };
+
 # allow Tethering(network_stack process) to read flag value in tethering_u_or_later_native namespace
 get_prop(network_stack, device_config_tethering_u_or_later_native_prop)
diff --git a/private/system_server.te b/private/system_server.te
index 1ddb48a48..d05798d06 100644
--- a/private/system_server.te
+++ b/private/system_server.te
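Review bot: In the second hunk the comment that heads this group, `# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.`, is now out of date: the new `allow network_stack self:bpf map_create;` means network_stack creates maps of its own, and the widened target set means the reads and writes are no longer limited to bpfloader-created maps. Suggest updating it to `# allow Tethering(network_stack process) to create/run/update/read the eBPF maps (its own and those of bpfloader, netd and system_server) to offload tethering traffic by eBPF.` so the comment and the rules under it agree.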
@@ -1224,7 +1224,9 @@ with_asan(`
 # time in state accounting
 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:dir search;
 allow system_server { fs_bpf fs_bpf_net_shared fs_bpf_netd_readonly fs_bpf_netd_shared }:file { getattr read write };
-allow system_server bpfloader:bpf { map_read map_write prog_run };
+allow system_server bpfloader:bpf prog_run;
+allow system_server self:bpf map_create;
+allow system_server { bpfloader netd network_stack system_server }:bpf { map_read map_write };
 # in order to invoke side effect of close() on such a socket calling synchronize_rcu()
 allow system_server self:key_socket create;
 # Java's Os.close() in libcore/luni/src/main/java/libcore/io/BlockGuardOs.java;l=100
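Review bot: The three added rules in system_server.te carry no comment, unlike the equivalent block in netd.te; the only nearby comment, `# time in state accounting`, heads the fs_bpf dir/file rules above and does not explain why system_server now creates maps or why netd and network_stack maps are readable and writable from here. Suggest a comment directly above `allow system_server bpfloader:bpf prog_run;`: `# run bpfloader programs, create our own maps, and read/write maps created by bpfloader, netd, network_stack and ourselves (mainline networking)`. Listing system_server in its own target set is redundant with the self grant it needs for its freshly created maps only if intended; if it is, the comment should say so. The enclosing `with_asan(` block begins outside the hunk.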