diff --git a/public/domain.te b/public/domain.te
index 7c15ebc7201de570702dd01d5d77f4b438c4e6bd..c78af07560e63e224171011a832c20a4355b5644 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -171,6 +171,11 @@ allowxperm domain domain:{ rawip_socket tcp_socket udp_socket }
 allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
   ioctl unpriv_unix_sock_ioctls;
 
+# Restrict PTYs to only whitelisted ioctls.
+# Note that granting this whitelist to domain does
+# not grant the wider ioctl permission. That must be granted
+# separately.
+allowxperm domain devpts:chr_file ioctl unpriv_tty_ioctls;
 
 ###
 ### neverallow rules
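Review bot: The comment block starting `# Restrict PTYs to only whitelisted ioctls.` names the effect but not the mechanism, which matters here because an `allowxperm` line reads as a grant while its purpose on the `domain` attribute is to narrow. Suggest adding one sentence making that explicit: `# Once any allowxperm rule exists for a source/target/class pair, ioctl is limited to the listed xperms, so attaching this to domain narrows every domain's devpts ioctls to unpriv_tty_ioctls.` A domain that genuinely needs more presumably adds its own allowxperm on top; saying so here would steer the next reader away from widening the shared macro instead.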
@@ -179,6 +184,11 @@ allowxperm domain domain:{ unix_dgram_socket unix_stream_socket }
 # All socket ioctls must be restricted to a whitelist.
 neverallowxperm domain domain:socket_class_set ioctl { 0 };
 
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * devpts:chr_file ioctl TIOCSTI;
+
 # Do not allow any domain other than init or recovery to create unlabeled files.
 neverallow { domain -init -recovery } unlabeled:dir_file_class_set create;
 
diff --git a/public/ioctl_macros b/public/ioctl_macros
index 122e1f0df4cea814d944d5cb2d6198aa48d5e1dc..e8cc086834a17f3c8dd07632e167223c0e8e202e 100644
--- a/public/ioctl_macros
+++ b/public/ioctl_macros
@@ -42,10 +42,16 @@ SIOCIWFIRSTPRIV-SIOCIWLASTPRIV
 }')
 
 # commonly used ioctls on unix sockets
-define(`unpriv_unix_sock_ioctls', `{TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD }')
+define(`unpriv_unix_sock_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ FIONREAD
+}')
 
 # commonly used TTY ioctls
-define(`unpriv_tty_ioctls', `{ TIOCOUTQ FIOCLEX }')
+# merge with unpriv_unix_sock_ioctls?
+define(`unpriv_tty_ioctls', `{
+  TIOCOUTQ FIOCLEX TCGETS TIOCGWINSZ TIOCSWINSZ TIOCSCTTY TCSETSW TCFLSH
+  TIOCSPGRP TIOCGPGRP
+}')
 
 # point to point ioctls
 define(`ppp_ioctls', `{
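Review bot: `# merge with unpriv_unix_sock_ioctls?` commits an open question into the policy; the two lists now differ in both directions (FIONREAD appears only in the socket list, TIOCSCTTY TCSETSW TCFLSH TIOCSPGRP TIOCGPGRP only in the TTY list), so a merge would widen one of them, and the note should either say which direction is acceptable or be resolved before landing. The TTY whitelist also grows from two entries to ten, and several of the new ones change terminal state rather than query it (TIOCSCTTY, TCSETSW, TCFLSH, TIOCSPGRP); a brief comment naming the consumer each was added for would let the list be pruned later instead of growing monotonically. Something like `# TIOCSCTTY/TCSETSW/TCFLSH/TIOCSPGRP added for <consumer - fill in>; keep this list minimal.` would do.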
diff --git a/public/te_macros b/public/te_macros
index df171f010002daffe3e17c0390b7c3163b8f4277..61f8d71743bb2956f9fa66d5e3764cbcc2330ffb 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -259,6 +259,11 @@ type $1_devpts, fs_type;
 type_transition $1 devpts:chr_file $1_devpts;
 # Allow use of the pty after creation.
 allow $1 $1_devpts:chr_file { open getattr read write ioctl };
+allowxperm $1 $1_devpts:chr_file ioctl unpriv_tty_ioctls;
+# TIOCSTI is only ever used for exploits. Block it.
+# b/33073072, b/7530569
+# http://www.openwall.com/lists/oss-security/2016/09/26/14
+neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;
 # Note: devpts:dir search and ptmx_device:chr_file rw_file_perms
 # allowed to everyone via domain.te.
 ')
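Review bot: The three-line TIOCSTI comment above `neverallowxperm * $1_devpts:chr_file ioctl TIOCSTI;` is a verbatim copy of the one added to domain.te, but the reason this rule must exist here is different and is not stated: `$1_devpts` is its own type, so neither the devpts whitelist nor the TIOCSTI block in domain.te reaches it. Suggest replacing the duplicated justification with `# $1_devpts is a distinct type, so the devpts ioctl whitelist and TIOCSTI block from domain.te must be repeated here; see domain.te for rationale.` The macro definition containing these lines begins above the hunk.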