diff --git a/private/compat/26.0/26.0.cil b/private/compat/26.0/26.0.cil
index dd605969fb8547095a01fdc066e34b972e4efcdb..187712ec5008719981b488c1440a4d63d8283e59 100644
--- a/private/compat/26.0/26.0.cil
+++ b/private/compat/26.0/26.0.cil
@@ -504,7 +504,7 @@
 (typeattributeset proc_modules_26_0 (proc_modules))
 (typeattributeset proc_net_26_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_26_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_26_0 (proc_perf))
diff --git a/private/compat/27.0/27.0.cil b/private/compat/27.0/27.0.cil
index 155cf4234b1a09fc7ea6740323d8081e395ecedc..f792f3eb5be546b42ae3718c69aa76e5972b9334 100644
--- a/private/compat/27.0/27.0.cil
+++ b/private/compat/27.0/27.0.cil
@@ -1218,7 +1218,7 @@
 (typeattributeset proc_modules_27_0 (proc_modules))
 (typeattributeset proc_net_27_0
   ( proc_net
-    proc_net_vpn
+    proc_net_tcp_udp
     proc_qtaguid_stat))
 (typeattributeset proc_overcommit_memory_27_0 (proc_overcommit_memory))
 (typeattributeset proc_perf_27_0 (proc_perf))
diff --git a/private/compat/28.0/28.0.cil b/private/compat/28.0/28.0.cil
index 5d47d23a724c4f0e1e962f8acf06528cb305f163..18f5b01a1ce6313447349526b47697c05f675a24 100644
--- a/private/compat/28.0/28.0.cil
+++ b/private/compat/28.0/28.0.cil
@@ -1399,7 +1399,7 @@
 (typeattributeset proc_mounts_28_0 (proc_mounts))
 (typeattributeset proc_net_28_0
   ( proc_net
-    proc_net_vpn))
+    proc_net_tcp_udp))
 (typeattributeset proc_overcommit_memory_28_0 (proc_overcommit_memory))
 (typeattributeset proc_page_cluster_28_0 (proc_page_cluster))
 (typeattributeset proc_pagetypeinfo_28_0 (proc_pagetypeinfo))
diff --git a/private/dumpstate.te b/private/dumpstate.te
index b3db3d4234b8df8c2254ea4808f43ff1f1615831..d1fbacccf74173797b4dcbe86483ed44c82513fe 100644
--- a/private/dumpstate.te
+++ b/private/dumpstate.te
@@ -42,3 +42,4 @@ allow dumpstate dev_type:blk_file getattr;
 allow dumpstate webview_zygote:process signal;
 dontaudit dumpstate perfprofd:binder call;
 dontaudit dumpstate update_engine:binder call;
+allow dumpstate proc_net_tcp_udp:file r_file_perms;
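Review bot: The new `allow dumpstate proc_net_tcp_udp:file r_file_perms;` at the end of the file has no comment saying why dumpstate needs these files, while the matching rule added to private/shell.te does. The type is now closed to app domains by a neverallow, so each remaining reader is worth justifying in place. Something like `# Read /proc/net/tcp and /proc/net/udp when collecting bugreports.` above the rule would do, if that is the actual reason. Because the app.te comment says these files leak information across the application boundary, it is also worth confirming that their contents only land in output already handled as sensitive.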
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 410e7c65d2ed29f9fe71eda83f28ee03a5ac9d7d..f87c08696499b6a20595ccedd2748e43f70cf24e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -17,8 +17,8 @@ genfscon proc /misc u:object_r:proc_misc:s0
 genfscon proc /modules u:object_r:proc_modules:s0
 genfscon proc /mounts u:object_r:proc_mounts:s0
 genfscon proc /net u:object_r:proc_net:s0
-genfscon proc /net/tcp u:object_r:proc_net_vpn:s0
-genfscon proc /net/udp u:object_r:proc_net_vpn:s0
+genfscon proc /net/tcp u:object_r:proc_net_tcp_udp:s0
+genfscon proc /net/udp u:object_r:proc_net_tcp_udp:s0
 genfscon proc /net/xt_qtaguid/ctrl u:object_r:proc_qtaguid_ctrl:s0
 genfscon proc /net/xt_qtaguid/ u:object_r:proc_qtaguid_stat:s0
 genfscon proc /cpuinfo u:object_r:proc_cpuinfo:s0
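Review bot: The two relabelled entries name only `/net/tcp` and `/net/udp`, yet the neverallow comment in public/app.te also lists tcp6 and udp6. That coverage depends on genfscon matching by path prefix, which is not stated near these lines. As far as I can tell, the same prefix match also places `/proc/net/udplite` and `/proc/net/udplite6` under `proc_net_tcp_udp`, which may or may not be intended. A comment above the entries such as `# Prefix match: also labels /proc/net/tcp6 and /proc/net/udp6.` would keep a later edit from narrowing the paths and silently dropping the IPv6 files from the restriction.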
diff --git a/private/shell.te b/private/shell.te
index 7b52a02efc1cbddbdbc4287c81032efc3c77be47..ee5b73cac2ae23b9286910d7aea04efebccb6487 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -57,3 +57,6 @@ binder_call(shell, bufferhubd);
 
 # Allow shell to use atrace HAL
 hal_client_domain(shell, hal_atrace)
+
+# For hostside tests such as CTS listening ports test.
+allow shell proc_net_tcp_udp:file r_file_perms;
diff --git a/public/app.te b/public/app.te
index 62a63cdf1f9822077bd25e4c20e7faaaab2cd7d8..5a8215211b23ad717200b7232208382b545ba870 100644
--- a/public/app.te
+++ b/public/app.te
@@ -577,3 +577,8 @@ neverallow appdomain proc_uid_concurrent_policy_time:file *;
 
 # Apps cannot access proc_uid_cpupower
 neverallow appdomain proc_uid_cpupower:file *;
+
+# Apps may not read /proc/net/{tcp,tcp6,udp,udp6}. These files leak information across the
+# application boundary. VPN apps may use the ConnectivityManager.getConnectionOwnerUid() API to
+# perform UID lookups.
+neverallow { appdomain -shell } proc_net_tcp_udp:file *;
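Review bot: The comment above the new neverallow explains why apps are blocked but not why `shell` is subtracted from `appdomain`, so the exception reads as unexplained at the point where it is enforced. The reason is only given in private/shell.te (host-side tests such as the CTS listening ports test). Adding a line like `# shell is exempt so that host-side tests can still read these files.` to this comment block would document the carve-out where reviewers will look, and discourage adding further exclusions without a stated reason.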
diff --git a/public/file.te b/public/file.te
index e567a65602550b9fd8636679a07fb36dc80af745..755bb98e0818dc1fd7a3e9af1331aa37869f3f8b 100644
--- a/public/file.te
+++ b/public/file.te
@@ -36,7 +36,7 @@ type proc_misc, fs_type, proc_type;
 type proc_modules, fs_type, proc_type;
 type proc_mounts, fs_type, proc_type;
 type proc_net, fs_type, proc_type, proc_net_type;
-type proc_net_vpn, fs_type, proc_type, proc_net_type;
+type proc_net_tcp_udp, fs_type, proc_type;
 type proc_page_cluster, fs_type, proc_type;
 type proc_pagetypeinfo, fs_type, proc_type;
 type proc_panic, fs_type, proc_type;
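Review bot: The replacement line is more than a rename: `proc_net_tcp_udp` is declared without `proc_net_type`, so rules written against that attribute stop covering /proc/net/tcp and /proc/net/udp, and nothing on the line says this is deliberate. A comment such as `# Deliberately not proc_net_type: access is granted per domain only.` would make the intent visible and warn against re-adding the attribute later. Which domains previously reached these files through `proc_net_type` is not visible in this diff, so it is worth checking for new denials in domains other than dumpstate and shell.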