diff --git a/private/bluetooth.te b/private/bluetooth.te
index 628f9714c171c4de96a1fb64c0b81702f70c36d3..b0048aa982c71f69dc0217ab2de6ad17229c5e27 100644
--- a/private/bluetooth.te
+++ b/private/bluetooth.te
@@ -49,6 +49,7 @@ allow bluetooth surfaceflinger_service:service_manager find;
 allow bluetooth app_api_service:service_manager find;
 allow bluetooth system_api_service:service_manager find;
 
+# TODO(b/36613472): Remove this once bluetooth daemon does not communicate with rild over sockets
 # Bluetooth Sim Access Profile Socket to the RIL
 unix_socket_connect(bluetooth, sap_uim, rild)
 
diff --git a/private/tee.te b/private/tee.te
index 99f501e9f6e7c036e7f164b95591a0c4a97782e0..01a52def228c8c88bbeecda83bd395d8a7d84660 100644
--- a/private/tee.te
+++ b/private/tee.te
@@ -1,3 +1,7 @@
 typeattribute tee coredomain;
 
 init_daemon_domain(tee)
+
+# TODO(b/36601092, b/36601602): Remove this once Keymaster HAL and DRM HAL no longer communicate
+# with tee daemon over sockets or once the tee daemon is moved to vendor partition
+typeattribute tee socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index 00035abbae5a32094cb3a144481bf5fee4f8a196..bfd53a34a10d68f6a552f8a04b5b6b59f4fbe4c0 100644
--- a/public/attributes
+++ b/public/attributes
@@ -122,6 +122,11 @@ attribute coredomain;
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
 
+# All vendor domains which violate the requirement of not using sockets for
+# communicating with core components
+# TODO(b/36577153): Remove this once there are no violations
+attribute socket_between_core_and_vendor_violators;
+
 # All HAL servers
 attribute halserverdomain;
 # All HAL clients
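Review bot: The comment on the new attribute describes it as "All vendor domains which violate …", but the same change attaches it to a core domain: private/tee.te declares `typeattribute tee coredomain;` and then `typeattribute tee socket_between_core_and_vendor_violators;`, and the first neverallow in public/domain.te subtracts the attribute from the destination set of the core→vendor rule as well. As written, the description would lead a later reader to reject core-side uses like tee's. Suggest wording it for both sides, e.g. `# All domains (core or vendor) which are exempted from the requirement of not using sockets for communicating across the core/vendor boundary`, keeping the TODO(b/36577153) line as is.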
diff --git a/public/domain.te b/public/domain.te
index 8a42336fb515da602f92da3f77c736b079b047e8..40ebb4dda9988f9f3e5dff644d633eccc02b7ac0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -441,6 +441,51 @@ full_treble_only(`
   } servicemanager:binder { call transfer };
 ')
 
+# On full TREBLE devices, socket communications between core components and vendor components are
+# not permitted.
+full_treble_only(`
+  # Most general rules first, more specific rules below.
+
+  # Core domains are not permitted to initiate communications to vendor domain sockets.
+  # We are not restricting the use of already established sockets because it is fine for a process
+  # to obtain an already established socket via some public/official/stable API and then exchange
+  # data with its peer over that socket. The wire format in this scenario is dicatated by the API
+  # and thus does not break the core-vendor separation.
+  neverallow_establish_socket_comms({
+    coredomain
+    -init
+    -adbd
+  }, {
+    domain
+    -coredomain
+    -socket_between_core_and_vendor_violators
+  });
+  # Vendor domains are not permitted to initiate communications to core domain sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -appdomain
+    -socket_between_core_and_vendor_violators
+  }, {
+    coredomain
+    -logd # Logging by writing to logd Unix domain socket is public API
+    -netd # netdomain needs this
+    -mdnsd # netdomain needs this
+    userdebug_or_eng(`-su') # communications with su are permitted only on userdebug or eng builds
+    -init
+    -incidentd # TODO(b/35870313): Remove incidentd from this list once vendor domains no longer declare Binder services
+    -tombstoned # TODO(b/36604251): Remove tombstoned from this list once mediacodec (OMX HAL) no longer declares Binder services
+  });
+
+  # Vendor domains (except netdomain) are not permitted to initiate communications to netd sockets
+  neverallow_establish_socket_comms({
+    domain
+    -coredomain
+    -netdomain
+    -socket_between_core_and_vendor_violators
+  }, netd);
+')
+
 # Only authorized processes should be writing to files in /data/dalvik-cache
 neverallow {
   domain
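Review bot: The `-init` and `-adbd` carve-outs in the source set of the first neverallow_establish_socket_comms, and `-init` in the destination set of the second, are the only exemptions in this hunk without a justifying comment, whereas the logd, netd, mdnsd, su, incidentd and tombstoned entries each explain why they are excluded or carry a TODO with a bug id. Someone auditing the core/vendor socket boundary later cannot tell whether init and adbd are exempt by design or as a stopgap, so each should get a trailing comment stating the reason, or a `# TODO(<bug id>): …` in the style of the incidentd and tombstoned entries, with the real bug number substituted. Separately, `dicatated` in the comment above the first rule should read `dictated`. The `neverallow {` that begins at the end of the hunk continues outside it.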
diff --git a/public/hal_keymaster.te b/public/hal_keymaster.te
index d50812c3972419fa19e0f3ca018feaf4e0aee596..5e66c8af4bd9ca7d3cf24c7d43e51d3844f0ce4d 100644
--- a/public/hal_keymaster.te
+++ b/public/hal_keymaster.te
@@ -2,6 +2,7 @@
 binder_call(hal_keymaster_client, hal_keymaster_server)
 
 allow hal_keymaster tee_device:chr_file rw_file_perms;
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
 allow hal_keymaster tee:unix_stream_socket connectto;
 
 allow hal_keymaster ion_device:chr_file r_file_perms;
diff --git a/public/neverallow_macros b/public/neverallow_macros
index b36cceb86cb7c6c090d346ef793ed8ffbe53172f..e2b6ed1af12264899c24eaf7e96e81e38fd8c2d7 100644
--- a/public/neverallow_macros
+++ b/public/neverallow_macros
@@ -4,3 +4,12 @@ define(`no_w_file_perms', `{ append create link unlink relabelfrom rename setatt
 define(`no_rw_file_perms', `{ no_w_file_perms open read ioctl lock }')
 define(`no_x_file_perms', `{ execute execute_no_trans }')
 define(`no_w_dir_perms',  `{ add_name create link relabelfrom remove_name rename reparent rmdir setattr write }')
+
+#####################################
+# neverallow_establish_socket_comms(src, dst)
+# neverallow src domain establishing socket connections to dst domain.
+#
+define(`neverallow_establish_socket_comms', `
+  neverallow $1 $2:socket_class_set { connect sendto };
+  neverallow $1 $2:unix_stream_socket connectto;
+')
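Review bot: The header comment on the new macro (`# neverallow src domain establishing socket connections to dst domain.`) is a fragment and does not say which permissions it covers, which matters because the rules in public/domain.te rely on it forbidding only connection initiation and not use of an already-established socket. Suggest replacing that line with `# Neverallow domains in src from initiating socket connections to domains in dst: covers connect/sendto on socket_class_set and connectto on unix_stream_socket. Exchanging data over a socket that was already established through some other API is not covered.` so the macro's scope is documented next to its definition rather than only at one call site.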
diff --git a/public/radio.te b/public/radio.te
index a8966599b99e1c31f2359c1c147f112180997f37..8c3c6a5a35728c4ce5b15c90ac40bf40e1bd64ba 100644
--- a/public/radio.te
+++ b/public/radio.te
@@ -5,6 +5,7 @@ net_domain(radio)
 bluetooth_domain(radio)
 binder_service(radio)
 
+# TODO(b/36613472): Remove this once radio no longer communicates with rild over sockets.
 # Talks to rild via the rild socket.
 unix_socket_connect(radio, rild, rild)
 
diff --git a/vendor/hal_audio_default.te b/vendor/hal_audio_default.te
index 04ef7aa4b9fd455ea635540589c0c58dc54b95dd..d20063ffadb7c46b8c655ea3534fbbda65bb6265 100644
--- a/vendor/hal_audio_default.te
+++ b/vendor/hal_audio_default.te
@@ -5,3 +5,5 @@ type hal_audio_default_exec, exec_type, file_type;
 init_daemon_domain(hal_audio_default)
 
 hal_client_domain(hal_audio_default, hal_allocator)
+
+typeattribute hal_audio_default socket_between_core_and_vendor_violators;
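Review bot: This is the only new socket_between_core_and_vendor_violators grant in the change without a comment: vendor/hal_drm_default.te and vendor/hal_keymaster_default.te both carry a TODO naming the bug and the core peer, while here the reader cannot tell which core socket hal_audio_default needs or what would allow the exemption to be dropped. Suggest adding `# TODO(<bug id>): Remove this once hal_audio_default no longer communicates with core domains over sockets` above the typeattribute line, with the actual bug number substituted, so the exemption is tracked like the other two.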
diff --git a/vendor/hal_drm_default.te b/vendor/hal_drm_default.te
index eba763aa864195f0e7433db13664efe64b42e4ab..77e66095e0c87bd4807d40197280dfd73b965a28 100644
--- a/vendor/hal_drm_default.te
+++ b/vendor/hal_drm_default.te
@@ -6,3 +6,6 @@ init_daemon_domain(hal_drm_default)
 
 allow hal_drm_default mediacodec:fd use;
 allow hal_drm_default { appdomain -isolated_app }:fd use;
+
+# TODO(b/36601602): Remove this once DRM HAL no longer uses Unix domain sockets to talk to tee daemon
+typeattribute hal_drm_default socket_between_core_and_vendor_violators;
diff --git a/vendor/hal_keymaster_default.te b/vendor/hal_keymaster_default.te
index 32df262abee79e3dfe35b22f328beb174a1886be..2fd5b44612e3c2762ee4ffbd865faa99128a1e16 100644
--- a/vendor/hal_keymaster_default.te
+++ b/vendor/hal_keymaster_default.te
@@ -3,3 +3,6 @@ hal_server_domain(hal_keymaster_default, hal_keymaster)
 
 type hal_keymaster_default_exec, exec_type, file_type;
 init_daemon_domain(hal_keymaster_default)
+
+# TODO(b/36601092): Remove this once Keymaster HAL no longer talks to tee domain over Unix domain sockets
+typeattribute hal_keymaster_default socket_between_core_and_vendor_violators;