diff --git a/private/drmserver.te b/private/drmserver.te
index 45663bbe1f8dff7116edca57d613c148007d501a..afe4f0aae833466a1cdb72d354e3d50649832920 100644
--- a/private/drmserver.te
+++ b/private/drmserver.te
@@ -3,3 +3,5 @@ typeattribute drmserver coredomain;
 init_daemon_domain(drmserver)
 
 type_transition drmserver apk_data_file:sock_file drmserver_socket;
+
+typeattribute drmserver_socket coredomain_socket;
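Review bot: coredomain_socket is attached to drmserver_socket here with a standalone typeattribute, whereas every other core socket type in this commit receives it on its `type` declaration line in public/file.te. If drmserver_socket is declared in a file.te (its declaration is not in view), adding the attribute there keeps the membership of coredomain_socket discoverable in one place; otherwise a short comment here, e.g. `# drmserver_socket is created under apk_data_file; mark it core-owned so the core/vendor sock_file neverallows in domain.te cover it`, would explain why the attribute is assigned in the domain file.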
diff --git a/private/system_server.te b/private/system_server.te
index ddeeb1b97bd1d72f214fc5ae1f7948709d707255..a731f5a48dc2a78790e83858ec3b7142e61a7589 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -190,6 +190,12 @@ hal_client_domain(system_server, hal_vibrator)
 binder_call(system_server, hal_vr)
 hal_client_domain(system_server, hal_vr)
 hal_client_domain(system_server, hal_wifi)
+
+# TODO(b/34274385): Remove this once Wi-Fi Supplicant HAL is guaranteed to be binderized on full
+# Treble devices. Passthrough Wi-Fi Supplicant HAL makes system_server touch wpa_socket which is a
+# vendor type. system_server, being a non-vendor component, is not permitted to touch that socket.
+typeattribute system_server socket_between_core_and_vendor_violators;
+
 hal_client_domain(system_server, hal_wifi_supplicant)
 
 # Talk to tombstoned to get ANR traces.
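Review bot: Giving system_server the socket_between_core_and_vendor_violators attribute exempts it from every core/vendor sock_file neverallow in public/domain.te, not only the wpa_socket access the TODO describes; the same blanket exemption is applied to wificond in private/wificond.te and to hal_nfc_default in vendor/hal_nfc_default.te. The neverallows already carry explicit type exclusions, so a narrower carve-out (for example excluding only wpa_socket from the target set for these domains) would keep the remaining checks enforced on them. If the broad attribute is kept until the referenced bugs are fixed, the comment should state the actual scope, e.g. `# NOTE: this exempts system_server from all core/vendor sock_file neverallows in domain.te, not only wpa_socket.`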
diff --git a/private/wificond.te b/private/wificond.te
index 5476e33858dc85e21afeeec385417fb51d03bde1..b9e48b2b50a234f0bb47a859e77d1af126024d15 100644
--- a/private/wificond.te
+++ b/private/wificond.te
@@ -1,3 +1,6 @@
 typeattribute wificond coredomain;
 
 init_daemon_domain(wificond)
+
+# TODO(b/36790991): Remove this once wificond is no longer permitted to touch wpa sockets
+typeattribute wificond socket_between_core_and_vendor_violators;
diff --git a/public/attributes b/public/attributes
index d9d123fd0843c98a57f6a7d32fede35c0aaf949a..9f42c9ab7caf03402474fe15b2fe0da66bbf28ad 100644
--- a/public/attributes
+++ b/public/attributes
@@ -124,6 +124,9 @@ attribute update_engine_common;
 # All core domains (as opposed to vendor/device-specific domains)
 attribute coredomain;
 
+# All socket devices owned by core domain components
+attribute coredomain_socket;
+
 # All vendor domains which violate the requirement of not using Binder
 # TODO(b/35870313): Remove this once there are no violations
 attribute binder_in_vendor_violators;
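Review bot: The new comment describes coredomain_socket as "socket devices", but the attribute is applied to sock_file types (filesystem socket nodes such as adbd_socket in public/file.te) and is used as a `:sock_file` target in the domain.te neverallows, not to device nodes. Rewording it keeps the attribute's meaning precise for whoever adds the next type: `# All sock_file types (UNIX domain socket nodes) owned by core domain components`.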
diff --git a/public/domain.te b/public/domain.te
index bd5cb895cdd8e83206fbd98dfaf71c4ff638061b..fc4db7e2b4fd312b3eae923a0e843ed459afa72a 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -554,6 +554,42 @@ full_treble_only(`
     -netdomain
     -socket_between_core_and_vendor_violators
   }, netd);
+
+  # Vendor domains are not permitted to initiate create/open sockets owned by core domains
+  neverallow {
+    domain
+    -coredomain
+    -appdomain # appdomain restrictions below
+    -socket_between_core_and_vendor_violators
+  } {
+    coredomain_socket
+    core_data_file_type
+    unlabeled # used only by core domains
+  }:sock_file ~{ append getattr ioctl read write };
+  neverallow {
+    appdomain
+    -coredomain
+  } {
+    coredomain_socket
+    unlabeled # used only by core domains
+    core_data_file_type
+    -app_data_file
+    -pdx_socket # used by VR layer
+  }:sock_file ~{ append getattr ioctl read write };
+
+  # Core domains are not permitted to create/open sockets owned by vendor domains
+  neverallow {
+    coredomain
+    -init
+    -ueventd
+    -socket_between_core_and_vendor_violators
+  } {
+    file_type
+    dev_type
+    -coredomain_socket
+    -core_data_file_type
+    -unlabeled
+  }:sock_file ~{ append getattr ioctl read write };
 ')
 
 # Only authorized processes should be writing to files in /data/dalvik-cache
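Review bot: The comments above the three new neverallows say "create/open", but `~{ append getattr ioctl read write }` denies every other sock_file permission as well (unlink, setattr, rename, link, relabelfrom/relabelto, and so on), so the comment understates what the rules enforce. Stating the permitted set explicitly avoids a future reader assuming only create/open is blocked: `# Only append/getattr/ioctl/read/write (i.e. connecting to an existing socket) remain allowed; everything else on sock_file is denied.` The enclosing full_treble_only block starts before this hunk; note also that `unlabeled` is described as "used only by core domains", which presumably also covers socket nodes whose label was lost rather than assigned, so that annotation may be worth hedging.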
diff --git a/public/file.te b/public/file.te
index d7a82bc6cdaddf6bbbe51b4c2bae8a21a93d9af7..1634e33616cfb061af18a3324613797dfd59f326 100644
--- a/public/file.te
+++ b/public/file.te
@@ -224,34 +224,34 @@ type fingerprintd_data_file, file_type, data_file_type, core_data_file_type;
 type app_fuse_file, file_type, data_file_type, core_data_file_type, mlstrustedobject;
 
 # Socket types
-type adbd_socket, file_type;
-type bluetooth_socket, file_type;
-type dnsproxyd_socket, file_type, mlstrustedobject;
-type dumpstate_socket, file_type;
-type fwmarkd_socket, file_type, mlstrustedobject;
-type lmkd_socket, file_type;
-type logd_socket, file_type, mlstrustedobject;
-type logdr_socket, file_type, mlstrustedobject;
-type logdw_socket, file_type, mlstrustedobject;
-type mdns_socket, file_type;
-type mdnsd_socket, file_type, mlstrustedobject;
-type misc_logd_file, file_type;
-type mtpd_socket, file_type;
-type netd_socket, file_type;
-type pdx_socket, file_type, mlstrustedobject;
-type property_socket, file_type, mlstrustedobject;
-type racoon_socket, file_type;
+type adbd_socket, file_type, coredomain_socket;
+type bluetooth_socket, file_type, coredomain_socket;
+type dnsproxyd_socket, file_type, coredomain_socket, mlstrustedobject;
+type dumpstate_socket, file_type, coredomain_socket;
+type fwmarkd_socket, file_type, coredomain_socket, mlstrustedobject;
+type lmkd_socket, file_type, coredomain_socket;
+type logd_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdr_socket, file_type, coredomain_socket, mlstrustedobject;
+type logdw_socket, file_type, coredomain_socket, mlstrustedobject;
+type mdns_socket, file_type, coredomain_socket;
+type mdnsd_socket, file_type, coredomain_socket, mlstrustedobject;
+type misc_logd_file, coredomain_socket, file_type;
+type mtpd_socket, file_type, coredomain_socket;
+type netd_socket, file_type, coredomain_socket;
+type pdx_socket, file_type, coredomain_socket, mlstrustedobject;
+type property_socket, file_type, coredomain_socket, mlstrustedobject;
+type racoon_socket, file_type, coredomain_socket;
 type rild_socket, file_type;
 type rild_debug_socket, file_type;
-type system_wpa_socket, file_type;
-type system_ndebug_socket, file_type, mlstrustedobject;
-type tombstoned_crash_socket, file_type, mlstrustedobject;
-type tombstoned_intercept_socket, file_type;
-type uncrypt_socket, file_type;
-type vold_socket, file_type;
-type webview_zygote_socket, file_type;
+type system_wpa_socket, file_type, coredomain_socket;
+type system_ndebug_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_crash_socket, file_type, coredomain_socket, mlstrustedobject;
+type tombstoned_intercept_socket, file_type, coredomain_socket;
+type uncrypt_socket, file_type, coredomain_socket;
+type vold_socket, file_type, coredomain_socket;
+type webview_zygote_socket, file_type, coredomain_socket;
 type wpa_socket, file_type;
-type zygote_socket, file_type;
+type zygote_socket, file_type, coredomain_socket;
 type sap_uim_socket, file_type;
 # UART (for GPS) control proc file
 type gps_control, file_type;
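Review bot: misc_logd_file receives coredomain_socket on the changed line `type misc_logd_file, coredomain_socket, file_type;`, yet its name suggests a regular file or directory type rather than a socket node, and it is the only declaration in this run where the attribute is placed before file_type. If it does label a socket, `type misc_logd_file, file_type, coredomain_socket;` would match the surrounding lines; if it does not, the attribute is harmless for the sock_file neverallows but misdocuments the membership of coredomain_socket and should be dropped. Whether misc_logd_file labels a socket cannot be determined from this hunk.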
diff --git a/vendor/hal_nfc_default.te b/vendor/hal_nfc_default.te
index eb2bd818e28311e611dd4cf11f601bf06afe1761..a906d977bc372a5406f072799ce729ca141e167e 100644
--- a/vendor/hal_nfc_default.te
+++ b/vendor/hal_nfc_default.te
@@ -5,5 +5,7 @@ type hal_nfc_default_exec, exec_type, file_type;
 init_daemon_domain(hal_nfc_default)
 
 # TODO (b/36645109) Remove hal_nfc's access to the nfc app's
-# data type. Remove coredata_in_vendor_violators attribute.
+# data type. Remove coredata_in_vendor_violators and
+# socket_between_core_and_vendor_violators attribute associations below.
 typeattribute hal_nfc_default coredata_in_vendor_violators;
+typeattribute hal_nfc_default socket_between_core_and_vendor_violators;