diff --git a/domain.te b/domain.te
index f0201059e7eef9f5de8da308e1445af800b046a5..0e46d318e1b7ac82c9613db804f44e1738859169 100644
--- a/domain.te
+++ b/domain.te
@@ -545,3 +545,8 @@ neverallow {
   -ueventd
   -vold
 } fuse_device:chr_file *;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;
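Review bot: The comment above the new `neverallow` describes partitions (system, vendor, boot), but the rule is keyed on the labels `system_file` and `rootfs`, and nothing in this hunk shows which label files under the vendor partition carry. Presumably they are labeled `system_file` in the file contexts, which are outside this diff; that is worth confirming, because a distinct vendor label would make this rule forbid vendor modules, contrary to the comment. I would have the comment name the types it actually enforces, e.g. `# Only files labeled system_file or rootfs may be the source of a kernel module.` It could also note that, because the target set is a complement over all types, the rule appears to cover `module_load` checks made against the loading domain itself (loads from a memory buffer with no backing file), so no domain can be granted that path either.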