diff --git a/private/bpfloader.te b/private/bpfloader.te
index 7c88be25c..954f8638f 100644
--- a/private/bpfloader.te
+++ b/private/bpfloader.te
@@ -27,8 +27,8 @@
 neverallow { domain -bpfloader } fs_bpf:file create;
 neverallow domain fs_bpf:file { rename unlink };
 neverallow { domain -bpfloader } *:bpf { map_create prog_load };
-neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -system_server } *:bpf prog_run;
-neverallow { domain -bpfloader -gpuservice -netd -system_server } *:bpf { map_read map_write };
+neverallow { domain -bpfloader -gpuservice -netd -netutils_wrapper -network_stack -system_server } *:bpf prog_run;
+neverallow { domain -bpfloader -gpuservice -netd -network_stack -system_server } *:bpf { map_read map_write };
 neverallow { domain -bpfloader -init } bpfloader_exec:file { execute execute_no_trans };
diff --git a/private/network_stack.te b/private/network_stack.te
index 1295a070f..4768538e9 100644
--- a/private/network_stack.te
+++ b/private/network_stack.te
@@ -1,5 +1,5 @@
 # Networking service app
-typeattribute network_stack coredomain;
+typeattribute network_stack coredomain, mlstrustedsubject;
 app_domain(network_stack);
 net_domain(network_stack);
@@ -36,3 +36,7 @@ hal_client_domain(network_stack, hal_tetheroffload)
 # Create and share netlink_netfilter_sockets for tetheroffload.
 allow network_stack self:netlink_netfilter_socket create_socket_perms_no_ioctl;
 allow network_stack network_stack_service:service_manager find;
+# allow Tethering(network_stack process) to run/update/read the eBPF maps to offload tethering traffic by eBPF.
+allow network_stack fs_bpf:dir search;
+allow network_stack fs_bpf:file { read write };
+allow network_stack bpfloader:bpf { map_read map_write prog_run };
diff --git a/private/seapp_contexts b/private/seapp_contexts
index dedc3155e..929f07341 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
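Review bot: network_stack is an app domain (it is declared through app_domain() in network_stack.te) and the two widened neverallow lines put it in the same exemption list as native daemons such as netd and system_server without a comment saying why, so a reader of bpfloader.te alone cannot tell that the intended access is limited to tethering offload. The exemption is on `*:bpf`, which means the neverallow will no longer catch any future allow on bpf objects for network_stack, not only the `bpfloader:bpf` rule this commit adds in network_stack.te. Suggest a comment above the prog_run line such as `# network_stack is exempted for tethering offload; its actual access is bounded by the allow rules in network_stack.te.`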
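Review bot: `mlstrustedsubject` is added to network_stack with no comment, and it is not a bpf-specific attribute: it exempts the domain from the MLS constraints on every object class, a far wider relaxation than the fs_bpf access granted further down in this file. The seapp_contexts hunk also drops `levelFrom=all` for the same user, so the process additionally loses its per-user categories; the commit should state which object's level the domain has to cross and why the default level is not enough (if the pinned bpf objects sit at the default level, one of the two changes may be redundant — confirm). Suggest a comment above the line naming the reason, e.g. `# mlstrustedsubject: needed to reach the tethering bpf objects across MLS levels (see seapp_contexts).`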
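Review bot: `allow network_stack fs_bpf:file { read write }` and `allow network_stack bpfloader:bpf { map_read map_write prog_run }` are scoped by label, and both labels cover every file carrying fs_bpf and every map or program carrying the bpfloader type, not only the tethering objects the comment describes; an app domain therefore gains read/write on every pinned map. If the tethering maps and programs can be given a more specific type, the rules should use it; otherwise the comment should say the tree-wide access is deliberate. The comment line is also much longer than the surrounding ones in this file; `# Tethering in network_stack reads/updates eBPF maps and runs programs for tethering offload.` keeps it to one line.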
@@ -145,7 +145,7 @@ isSystemServer=true domain=system_server_startup
 user=_app isPrivApp=true name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
-user=network_stack seinfo=network_stack domain=network_stack levelFrom=all type=radio_data_file
+user=network_stack seinfo=network_stack domain=network_stack type=radio_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file