diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 50d4ee7be7c680ad8d92d6f70ad023eaa4bea580..ab4a49a7b512ec008bb9f0ddb4a6de8b4ecf8e09 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -6,9 +6,11 @@
   ( adbd_exec
     bootloader_boot_reason_prop
     broadcastradio_service
+    cgroup_bpf
     crossprofileapps_service
     e2fs
     e2fs_exec
+    fs_bpf
     hal_broadcastradio_hwservice
     hal_cas_hwservice
     hal_lowpan_hwservice
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e0cafa48b94a11dfd6df0846fea820d5ef17f99a..c07cd4c3ba731c08f130160c73b25c0cb1a5e1bb 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -84,6 +84,7 @@ genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
+genfscon cgroup2 / u:object_r:cgroup_bpf:s0
 # sysfs labels can be set by userspace.
 genfscon sysfs / u:object_r:sysfs:s0
 genfscon sysfs /devices/system/cpu u:object_r:sysfs_devices_system_cpu:s0
@@ -173,3 +174,4 @@ genfscon pstore / u:object_r:pstorefs:s0
 genfscon functionfs / u:object_r:functionfs:s0
 genfscon usbfs / u:object_r:usbfs:s0
 genfscon binfmt_misc / u:object_r:binfmt_miscfs:s0
+genfscon bpf / u:object_r:fs_bpf:s0
diff --git a/public/file.te b/public/file.te
index e3ffa34e571eea50e390986d51172a0864a67790..cdaaf221ccf841e5dd6e9959944f5514cb30dcbb 100644
--- a/public/file.te
+++ b/public/file.te
@@ -60,6 +60,7 @@ type proc_vmallocinfo, fs_type;
 type proc_zoneinfo, fs_type;
 type selinuxfs, fs_type, mlstrustedobject;
 type cgroup, fs_type, mlstrustedobject;
+type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
 type sysfs_android_usb, fs_type, sysfs_type;
 type sysfs_uio, sysfs_type, fs_type;
@@ -81,6 +82,7 @@ type sysfs_switch, fs_type, sysfs_type;
 type sysfs_usb, sysfs_type, file_type, mlstrustedobject;
 type sysfs_wakeup_reasons, fs_type, sysfs_type;
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
+type fs_bpf, fs_type, sysfs_type;
 type configfs, fs_type;
 # /sys/devices/system/cpu
 type sysfs_devices_system_cpu, fs_type, sysfs_type;
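Review bot: The added `type fs_bpf, fs_type, sysfs_type;` puts the bpf filesystem label into the `sysfs_type` attribute, although the genfs_contexts change in this commit labels it through `genfscon bpf /`, a filesystem of its own rather than part of sysfs. Any rule elsewhere in the policy that grants on the `sysfs_type` attribute (none is visible in this diff) would then also cover objects pinned in the bpf filesystem, which is probably wider than the explicit init and netd rules intend. Unless the attribute is needed for labelling the mount point directory inside sysfs, `type fs_bpf, fs_type;` keeps access limited to the rules that name the type. If the attribute is required, a comment on this line saying why would help the next reader.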
@@ -364,6 +366,7 @@ type vndservice_contexts_file, file_type;
 # Allow files to be created in their appropriate filesystems.
 allow fs_type self:filesystem associate;
 allow cgroup tmpfs:filesystem associate;
+allow cgroup_bpf tmpfs:filesystem associate;
 allow sysfs_type sysfs:filesystem associate;
 allow debugfs_type { debugfs debugfs_tracing }:filesystem associate;
 allow file_type labeledfs:filesystem associate;
diff --git a/public/init.te b/public/init.te
index 450afd84e361a603c36414acb53130e2df5c5984..80e9e771051033638dc9ddf600ca93c10772666c 100644
--- a/public/init.te
+++ b/public/init.te
@@ -69,6 +69,10 @@ allow init self:global_capability_class_set sys_admin;
 # Create and mount on directories in /.
 allow init rootfs:dir create_dir_perms;
 allow init { rootfs cache_file cgroup storage_file system_data_file system_file vendor_file postinstall_mnt_dir }:dir mounton;
+allow init cgroup_bpf:dir { create mounton };
+
+# Mount bpf fs on sys/fs/bpf
+allow init fs_bpf:dir mounton;
 
 # Mount on /dev/usb-ffs/adb.
 allow init device:dir mounton;
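Review bot: The new `allow init cgroup_bpf:dir { create mounton };` has no comment of its own and sits under "Create and mount on directories in /.", so it is not clear where the cgroup2 hierarchy is created and mounted. A line such as `# Create the cgroup2 mount point and mount the BPF cgroup hierarchy on it.` above it would record the intent. The comment on the second rule also drops the leading slash and would read better as `# Mount bpf fs on /sys/fs/bpf`.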
diff --git a/public/netd.te b/public/netd.te
index fa03dbdb64994ff0e41f77caffc5bb15e2bd660d..ec18113d477a2415df11d46881cd50f69a9da6a4 100644
--- a/public/netd.te
+++ b/public/netd.te
@@ -7,6 +7,7 @@ net_domain(netd)
 allowxperm netd self:udp_socket ioctl priv_sock_ioctls;
 
 r_dir_file(netd, cgroup)
+r_dir_file(netd, cgroup_bpf)
 allow netd system_server:fd use;
 
 allow netd self:global_capability_class_set { net_admin net_raw kill };
@@ -57,6 +58,9 @@ allow netd sysfs_net:file w_file_perms;
 # TODO: added to match above sysfs rule. Remove me?
 allow netd sysfs_usb:file write;
 
+allow netd fs_bpf:dir  create_dir_perms;
+allow netd fs_bpf:file create_file_perms;
+
 # TODO: netd previously thought it needed these permissions to do WiFi related
 #       work.  However, after all the WiFi stuff is gone, we still need them.
 #       Why?
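Review bot: The two added `fs_bpf` rules give netd the full `create_dir_perms` and `create_file_perms` sets with no comment explaining what netd does in the bpf filesystem. If netd only pins and reopens maps and programs there, a narrower explicit permission list would follow least privilege better than the macros, which also bring in rename, unlink and similar permissions. A comment such as `# netd creates and pins eBPF maps and programs in the bpf filesystem.` should be confirmed against the netd change this policy accompanies. Since these objects influence traffic accounting and filtering, it would also be worth a neverallow that keeps every domain other than init and netd from creating or writing `fs_bpf` files, so that later attribute-wide grants fail at build time.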