diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index c1f9a2b..46b49c2 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -112,8 +112,35 @@
 # No untrusted component should be touching /dev/fuse
 neverallow all_untrusted_apps fuse_device:chr_file *;
 
-# Do not allow untrusted apps to directly open tun_device
-neverallow all_untrusted_apps tun_device:chr_file open;
+# Do not allow untrusted apps to directly open or
+# issue ioctls to the tun_device
+neverallow all_untrusted_apps tun_device:chr_file { open ioctl };
+# Additionally, assert that the following ioctls are never reachable.
+# This should already be blocked by the neverallow rule above, but this
+# is added for robustness, and to prove equivalence to the kernel patch at
+# https://android.googlesource.com/kernel/common/+/11cee2be0c2062ba88f04eb51196506f870a3b5d%5E%21
+neverallowxperm all_untrusted_apps tun_device:chr_file ioctl {
+  SIOCGIFHWADDR
+  SIOCSIFHWADDR
+  TUNATTACHFILTER
+  TUNDETACHFILTER
+  TUNGETFEATURES
+  TUNGETFILTER
+  TUNGETSNDBUF
+  TUNGETVNETHDRSZ
+  TUNSETDEBUG
+  TUNSETGROUP
+  TUNSETIFF
+  TUNSETLINK
+  TUNSETNOCSUM
+  TUNSETOFFLOAD
+  TUNSETOWNER
+  TUNSETPERSIST
+  TUNSETQUEUE
+  TUNSETSNDBUF
+  TUNSETTXFILTER
+  TUNSETVNETHDRSZ
+};
 
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow all_untrusted_apps anr_data_file:file ~{ open append };
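Review bot: The ioctl list in the new `neverallowxperm` rule is narrower than the blanket `ioctl` neverallow it is meant to back up: well-known TUN ioctls handled by the kernel's tun character device, such as TUNGETIFF, TUNSETIFINDEX, TUNGETVNETLE and TUNSETVNETLE, are not enumerated, so a regression that re-granted `ioctl` would only be caught for the listed commands. Whether that is fine depends on the referenced kernel patch covering exactly this set, which I cannot confirm from here; either add the missing commands (if the policy's ioctl definitions provide them) or reword the comment so it does not claim equivalence, e.g. `# Additionally assert that the ioctls restricted by the kernel patch below are never reachable; the neverallow above is the real guard.` The first rule also intentionally leaves `read`/`write` on tun_device unmentioned, presumably so an fd handed to an app by the system still works; a short note saying `# read/write on an inherited tun fd remain permitted; only open and ioctl are denied` would stop a later reviewer from "tightening" it to `*` like the fuse_device rule above.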
