diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index ab080c29029f9de861dfe2969c47fc0f7f233188..79437bd8838777ac1f184120a70973a0d24c72ee 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -123,12 +123,10 @@ neverallow { all_untrusted_apps -mediaprovider } {
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;
 
-# Do not allow untrusted apps to directly open or
-# issue ioctls to the tun_device
-neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
-# Additionally, assert that the following ioctls are never reachable.
-# This should already be blocked by the neverallow rule above, but this
-# is added for robustness, and to prove equivalence to the kernel patch at
+# Do not allow untrusted apps to directly open the tun_device
+neverallow all_untrusted_apps tun_device:chr_file open;
+# The tun_device ioctls below are not allowed, to prove equivalence
+# to the kernel patch at
 # https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
 neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
   SIOCGIFHWADDR
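Review bot: Dropping `ioctl` from the neverallow on line 16 leaves the enumerated `neverallowxperm` starting on line 20 as the only assertion about which tun_device ioctls untrusted apps can reach, and an ioctl missing from that list is now gated solely by the `allowxperm` in public/app.te. The rewritten comment on lines 17-18 no longer says this; I would state the coupling explicitly, e.g. `# ioctl access is now granted in public/app.te and restricted per-command by allowxperm (currently TUNGETIFF only); the ioctls below are additionally asserted unreachable as defense in depth.` If the policy toolchain in use accepts complemented xperm sets, a stronger assertion would be `neverallowxperm all_untrusted_apps tun_device:chr_file ioctl ~{ TUNGETIFF };` so that any future widening of the allowxperm set fails the build rather than silently expanding the attack surface. The ioctl list of the `neverallowxperm` statement continues past the end of this hunk, so I cannot see whether it already covers the remaining TUN-specific commands.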
diff --git a/public/app.te b/public/app.te
index 96b8c07f75b0f7063daa2de30a7e42b677614459..8b62967af03dfe49641802fbc1a48d9e31dbdcd2 100644
--- a/public/app.te
+++ b/public/app.te
@@ -337,7 +337,8 @@ allow appdomain runas_exec:file getattr;
 
 # Apps receive an open tun fd from the framework for
 # device traffic. Do not allow untrusted app to directly open tun_device
-allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append };
+allow { appdomain -isolated_app -ephemeral_app } tun_device:chr_file { read write getattr append ioctl };
+allowxperm { appdomain -isolated_app -ephemeral_app } tun_device:chr_file ioctl TUNGETIFF;
 
 # Connect to adbd and use a socket transferred from it.
 # This is used for e.g. adb backup/restore.
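Review bot: The comment on lines 28-29 explains the open restriction but not why `ioctl` is added to the allow on line 31, nor that the `allowxperm` on line 32 is the only thing narrowing it to a single command for every domain in `{ appdomain -isolated_app -ephemeral_app }`, which includes all untrusted apps. I would add above line 31 `# ioctl is needed on the framework-provided fd but is allowlisted per command below (TUNGETIFF only); any addition to the xperm set here must be checked against the tun_device neverallowxperm in private/app_neverallows.te.` This makes the intended scope visible to whoever next extends the allowed ioctl set, since the neverallowxperm in the other file only enumerates specific commands rather than asserting the allowlist.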