diff --git a/services/core/java/com/android/server/IpSecService.java b/services/core/java/com/android/server/IpSecService.java
index 60f1877d37..744ed25f16 100644
--- a/services/core/java/com/android/server/IpSecService.java
+++ b/services/core/java/com/android/server/IpSecService.java
@@ -1481,19 +1481,23 @@ public class IpSecService extends IIpSecService.Stub {
         }
     }
 
+    private static final String TUNNEL_OP = "STOPSHIP"; // = AppOpsManager.OP_MANAGE_IPSEC_TUNNELS;
+
     private void enforceTunnelPermissions(String callingPackage) {
         checkNotNull(callingPackage, "Null calling package cannot create IpSec tunnels");
-        switch (getAppOpsManager().noteOp(
-                    AppOpsManager.OP_MANAGE_IPSEC_TUNNELS,
-                    Binder.getCallingUid(), callingPackage)) {
-            case AppOpsManager.MODE_DEFAULT:
-                mContext.enforceCallingOrSelfPermission(
-                        android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
-                break;
-            case AppOpsManager.MODE_ALLOWED:
-                return;
-            default:
-                throw new SecurityException("Request to ignore AppOps for non-legacy API");
+        if (false) { // STOPSHIP if this line is present
+            switch (getAppOpsManager().noteOp(
+                        TUNNEL_OP,
+                        Binder.getCallingUid(), callingPackage)) {
+                case AppOpsManager.MODE_DEFAULT:
+                    mContext.enforceCallingOrSelfPermission(
+                            android.Manifest.permission.MANAGE_IPSEC_TUNNELS, "IpSecService");
+                    break;
+                case AppOpsManager.MODE_ALLOWED:
+                    return;
+                default:
+                    throw new SecurityException("Request to ignore AppOps for non-legacy API");
+            }
         }
     }