diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 588c138a4d5e24fdb5f846ef88eaa42bc796033a..8ddefa1f4f7af4eb0b15d48e26a4e63591c5245c 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -121,6 +121,7 @@
 mnt_product_file
 mnt_vendor_file
 netd_stable_secret_prop
+ network_stack
 network_watchlist_data_file
 network_watchlist_service
 overlayfs_file
diff --git a/private/compat/27.0/27.0.ignore.cil b/private/compat/27.0/27.0.ignore.cil
index e63d2268d673ab4b9c90bb19bd1b31b6a5f3d49d..994fb072782ebcc03843709b086aee91d71bc8c5 100644
--- a/private/compat/27.0/27.0.ignore.cil
+++ b/private/compat/27.0/27.0.ignore.cil
@@ -109,6 +109,7 @@
 metadata_file
 mnt_product_file
 mnt_vendor_file
+ network_stack
 network_watchlist_data_file
 network_watchlist_service
 overlayfs_file
diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index 222f381c09b8dc376a1cad39b5ae6a26043ce276..1131cbd99de2f72ce75ed950d7ea33ac500f6311 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -62,6 +62,7 @@
 mediaswcodec_exec
 mediaswcodec_tmpfs
 mnt_product_file
+ network_stack
 overlayfs_file
 permissionmgr_service
 recovery_socket
diff --git a/private/network_stack.te b/private/network_stack.te
new file mode 100644
index 0000000000000000000000000000000000000000..d250ebd0483692c7910876aabd26a50e9a3071af
--- /dev/null
+++ b/private/network_stack.te
@@ -0,0 +1,25 @@
+# Networking service app
+typeattribute network_stack coredomain;
+
+app_domain(network_stack);
+net_domain(network_stack);
+
+allow network_stack self:global_capability_class_set {
+ net_admin
+ net_bind_service
+ net_broadcast
+ net_raw
+};
+
+# Allow access to net_admin ioctl, DHCP server uses SIOCSARP
+allowxperm network_stack self:udp_socket ioctl priv_sock_ioctls;
+
+# The DhcpClient uses packet_sockets
+allow network_stack self:packet_socket create_socket_perms_no_ioctl;
+
+allow network_stack activity_service:service_manager find;
+allow network_stack netd_service:service_manager find;
+allow network_stack wifi_service:service_manager find;
+allow network_stack connmetrics_service:service_manager find;
+
+binder_call(network_stack, netd);
diff --git a/private/seapp_contexts b/private/seapp_contexts
index 55391ea36ba96d2e9a695e76825aabf8cfbab374..37f787284e4db1e63a883938e85cd5a94ecadb99 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -106,6 +106,7 @@ isSystemServer=true domain=system_server_startup
 user=_app seinfo=platform name=com.android.traceur domain=traceur_app type=app_data_file levelFrom=all
 user=system seinfo=platform domain=system_app type=system_app_data_file
 user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
+user=network_stack seinfo=platform name=com.google.android.networkstack domain=network_stack levelFrom=all
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
diff --git a/public/app.te b/public/app.te
index 94acac7548ccd41a7f0f7aa64f9701d8c9a35426..0a5f0b4e725723fa2036674be91cdda8b6e865a4 100644
--- a/public/app.te
+++ b/public/app.te
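Review bot: The capability block at the top of private/network_stack.te grants net_bind_service and net_broadcast alongside net_admin and net_raw, but only net_admin (the SIOCSARP comment) and, indirectly, net_raw (the packet_socket comment for DhcpClient) are justified anywhere in the file. This is the first app domain after bluetooth to hold superuser network capabilities, so each one should carry a short comment naming the component that needs it, in the style of the existing SIOCSARP line, so the set can be audited and trimmed later. The four `service_manager find` rules (activity_service, wifi_service, connmetrics_service, netd_service) likewise say nothing about which part of the stack uses them. I would also extend the header comment to note that this domain is carved out of the appdomain capability neverallow in public/app.te, so the two files are maintained together.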
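Review bot: The new seapp_contexts entry keys the network_stack domain on `seinfo=platform` plus the hard-coded package name `com.google.android.networkstack`; since every platform-signed app shares that seinfo, the name is the only thing binding this UID to its domain, and a rename or a move to a separate signing key would stop the process from being assigned network_stack (presumably failing to launch or landing elsewhere, worth confirming). A comment above the line stating that the name must match the package installed under the network_stack UID, and that it is intentionally a vendor-specific package name in platform policy if that is the case, would make the coupling visible, e.g. `# NetworkStack app; name must match the package running as uid network_stack`.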
@@ -358,8 +358,8 @@ allow appdomain dropbox_data_file:file { getattr read };
 ###
 # Superuser capabilities.
-# bluetooth requires net_admin and wake_alarm.
-neverallow { appdomain -bluetooth } self:capability_class_set *;
+# bluetooth requires net_admin and wake_alarm. network stack app requires net_admin.
+neverallow { appdomain -bluetooth -network_stack } self:capability_class_set *;
 # Block device access.
 neverallow appdomain dev_type:blk_file { read write };
diff --git a/public/netd.te b/public/netd.te
index 241380b2149c16dd5a79b6fc1c573b4235d796d2..10f1959972d69565b407ae9b3a1c89045fbc8c32 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -130,14 +130,20 @@ neverallow netd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow netd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;
-# only system_server and dumpstate may find netd service
-neverallow { domain -system_server -dumpstate -netd } netd_service:service_manager find;
+# only system_server, dumpstate and network stack app may find netd service
+neverallow {
+ domain
+ -system_server
+ -dumpstate
+ -network_stack
+ -netd
+} netd_service:service_manager find;
 # only netd can create the bpf maps
 neverallow { domain -netd } netd:bpf { map_create };
 # apps may not interact with netd over binder.
-neverallow appdomain netd:binder call;
+neverallow { appdomain -network_stack } netd:binder call;
 neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;
 # persist.netd.stable_secret contains RFC 7217 secret key which should never be
diff --git a/public/network_stack.te b/public/network_stack.te
new file mode 100644
index 0000000000000000000000000000000000000000..feff66460325473e21eb00d3f06ff07308979e4d
--- /dev/null
+++ b/public/network_stack.te
@@ -0,0 +1,2 @@
+# Network stack service app
+type network_stack, domain;
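Review bot: The app.te neverallow exemption `-network_stack` lifts the whole `self:capability_class_set *` ban for this domain, while the comment says it "requires net_admin" and private/network_stack.te actually grants four capabilities; nothing in policy now prevents a later change from adding, say, sys_admin to an app domain. If the four granted capabilities are the intended ceiling, pin it with a domain-specific neverallow so the invariant stays checkable at compile time, e.g. `neverallow network_stack self:global_capability_class_set ~{ net_admin net_bind_service net_broadcast net_raw };`, with a matching rule denying the capability2 classes entirely, and reword the comment to list the capabilities actually needed rather than just net_admin.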
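Review bot: In the netd.te hunk the app-to-netd ban is relaxed to `neverallow { appdomain -network_stack } netd:binder call;`, but the next line, `neverallow netd { appdomain userdebug_or_eng(`-su') }:binder call;`, is left untouched, so netd still may not call back into network_stack; as I read `binder_call(network_stack, netd)` in private/network_stack.te it grants call/transfer from the client side only. If the network stack registers any listener or callback with netd, those callbacks will be denied by that neverallow and by the absence of an allow rule, which is worth confirming before this lands. If callbacks are intentionally not supported, a comment on the unchanged line saying so (`# netd may call back only into non-app domains; network_stack is deliberately not exempted`) would prevent a later drive-by exemption.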