private/bpfdomain.te - platform/system/sepolicy - Git at Google

 # platform should have ownership of network attachpoints for BPF
 neverallow {
   bpfdomain
   -bpfloader
   -netd
   -netutils_wrapper
   -network_stack
   -system_server
 } self:global_capability_class_set { net_admin net_raw };

 # any domain which uses bpf is a bpfdomain
 neverallow { domain -bpfdomain } *:bpf *;

 allow bpfdomain fs_bpf:dir search;
	# platform should have ownership of network attachpoints for BPF
	neverallow {
	bpfdomain
	-bpfloader
	-netd
	-netutils_wrapper
	-network_stack
	-system_server
	} self:global_capability_class_set { net_admin net_raw };

	# any domain which uses bpf is a bpfdomain
	neverallow { domain -bpfdomain } :bpf ;

	allow bpfdomain fs_bpf:dir search;