diff --git a/private/compat/28.0/28.0.ignore.cil b/private/compat/28.0/28.0.ignore.cil
index eea3dd551..62679228e 100644
--- a/private/compat/28.0/28.0.ignore.cil
+++ b/private/compat/28.0/28.0.ignore.cil
@@ -99,6 +99,7 @@
 network_stack
 network_stack_service
 network_stack_tmpfs
+ nnapi_ext_deny_product_prop
 overlayfs_file
 password_slot_metadata_file
 permissionmgr_service
diff --git a/private/property_contexts b/private/property_contexts
index 3622d124f..c1f1228c5 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -191,3 +191,7 @@ bpf.progs_loaded u:object_r:bpf_progs_loaded_prop:s0
 gsid. u:object_r:gsid_prop:s0
 ro.gsid. u:object_r:gsid_prop:s0
+
+# Property for disabling NNAPI vendor extensions on product image (used on GSI /product image,
+# which can't use NNAPI vendor extensions).
+ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0
diff --git a/public/hal_neuralnetworks.te b/public/hal_neuralnetworks.te
index 21374bc8b..c2549ff28 100644
--- a/public/hal_neuralnetworks.te
+++ b/public/hal_neuralnetworks.te
@@ -11,3 +11,11 @@ allow hal_neuralnetworks_server app_data_file:file { read write getattr map };
 # Allow NN HAL service to use a client-provided fd residing in /data/local/tmp/.
 allow hal_neuralnetworks_server shell_data_file:file { read write getattr map };
+
+# Allow NN HAL client to check the ro.nnapi.extensions.deny_on_product
+# property to determine whether to deny NNAPI extensions use for apps
+# on product partition (apps in GSI are not allowed to use NNAPI extensions).
+get_prop(hal_neuralnetworks_client, nnapi_ext_deny_product_prop);
+# This property is only expected to be found in /product/build.prop,
+# allow to be set only by init.
+neverallow { domain -init } nnapi_ext_deny_product_prop:property_service set;
diff --git a/public/property.te b/public/property.te
index 473baa2c0..12f042578 100644
--- a/public/property.te
+++ b/public/property.te
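Review bot: The new entry in private/property_contexts is a prefix match, so any property whose name merely starts with `ro.nnapi.extensions.deny_on_product` receives the `nnapi_ext_deny_product_prop` label as well. The neighbouring `gsid.` and `ro.gsid.` entries end in a dot and are clearly meant as prefixes, whereas this one names a single property. If the property_contexts parser in this tree accepts it, an exact, typed entry would pin both the name and the value format: `ro.nnapi.extensions.deny_on_product u:object_r:nnapi_ext_deny_product_prop:s0 exact bool` (the boolean type is an assumption; the hunk does not show the value).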
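Review bot: The comment on the `neverallow` in public/hal_neuralnetworks.te promises more than the rule enforces: the rule limits who may set `nnapi_ext_deny_product_prop` to init, but nothing in it ties the value to /product/build.prop. I would reword it to `# Only init may set this property; it is expected to come from /product/build.prop, which this rule does not check.` The `get_prop` comment also indicates that the check is made by the client domain itself, so the property reads as a compatibility gate rather than a boundary enforced on the client. If that is the intent, saying so in the comment would help later reviewers.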
@@ -64,6 +64,7 @@ type net_dns_prop, property_type;
 type net_radio_prop, property_type, core_property_type;
 type netd_stable_secret_prop, property_type;
 type nfc_prop, property_type, core_property_type;
+type nnapi_ext_deny_product_prop, property_type;
 type overlay_prop, property_type;
 type pan_result_prop, property_type, core_property_type;
 type persist_debug_prop, property_type, core_property_type;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 5a3e918ec..de60312f4 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -206,6 +206,7 @@ not_compatible_property(`
 -last_boot_reason_prop
 -apexd_prop
 -gsid_prop
+ -nnapi_ext_deny_product_prop
 })
 ')