diff --git a/domain.te b/domain.te
index d7333c57f5a7a458be03059981ae962b4f6937da..5171fb32113c210d7aae63ed10fe6485050494a8 100644
--- a/domain.te
+++ b/domain.te
@@ -560,3 +560,8 @@ neverallow {
   -installd
   -profman
 } profman_exec:file no_x_file_perms;
+
+# Enforce restrictions on kernel module origin.
+# Do not allow kernel module loading except from system,
+# vendor, and boot partitions.
+neverallow * ~{ system_file rootfs }:system module_load;
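Review bot: The comment above the added neverallow names the system, vendor and boot partitions, but the rule is keyed on file labels and permits only `system_file` and `rootfs`, so the hunk does not show how vendor modules are covered. If /vendor is labeled `system_file` in file_contexts (not visible here), the comment should say so, for example `# Only files labeled system_file or rootfs may be the source of a kernel module; /vendor qualifies only while it is labeled system_file.` The comment should also state that the guarantee rests on file_contexts labeling rather than on the partition a file lives on, so labeling changes need to be reviewed alongside this rule. Because the permitted target set contains no domain types, the rule presumably also forbids `self:system module_load` (loading from a memory buffer rather than a file); if that is intended, a line saying so would help the next maintainer.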