# Raw/admin network capabilities stay with the platform components that own the
# BPF network attach points. neverallow is a build-time assertion: granting
# net_admin or net_raw to any other bpfdomain member fails policy compilation.
neverallow {
    bpfdomain
    -bpfloader
    -netd
    -netutils_wrapper
    -network_stack
    -system_server
} self:global_capability_class_set { net_raw net_admin };

# Only members of bpfdomain may use the bpf object class at all, so every
# domain that touches BPF must be attributed as a bpfdomain.
neverallow { domain -bpfdomain } *:bpf *;

# Every bpfdomain member may look up entries in the BPF filesystem directories.
allow bpfdomain fs_bpf:dir { search };