Index: share/man/man4/tap.4 =================================================================== --- share/man/man4/tap.4 (revision 282829) +++ share/man/man4/tap.4 (working copy) @@ -118,12 +118,7 @@ The Ethernet tunnel device, normally .Pa /dev/tap Ns Sy N , is exclusive-open -(it cannot be opened if it is already open) -and is restricted to the super-user, unless the -.Xr sysctl 8 -variable -.Va net.link.tap.user_open -is non-zero. +(it cannot be opened if it is already open). If the .Xr sysctl 8 variable Index: sys/kern/kern_jail.c =================================================================== --- sys/kern/kern_jail.c (revision 282829) +++ sys/kern/kern_jail.c (working copy) @@ -3724,7 +3724,6 @@ case PRIV_NET_BPF: case PRIV_NET_RAW: /* Dup, cond. in legacy jail case. */ case PRIV_NET_ROUTE: - case PRIV_NET_TAP: case PRIV_NET_SETIFMTU: case PRIV_NET_SETIFFLAGS: case PRIV_NET_SETIFCAP: Index: sys/net/if_tap.c =================================================================== --- sys/net/if_tap.c (revision 282829) +++ sys/net/if_tap.c (working copy) @@ -153,7 +153,6 @@ */ static struct mtx tapmtx; static int tapdebug = 0; /* debug flag */ -static int tapuopen = 0; /* allow user open() */ static int tapuponopen = 0; /* IFF_UP on open() */ static int tapdclone = 1; /* enable devfs cloning */ static SLIST_HEAD(, tap_softc) taphead; /* first device */ 
@@ -166,12 +165,10 @@ SYSCTL_DECL(_net_link); static SYSCTL_NODE(_net_link, OID_AUTO, tap, CTLFLAG_RW, 0, "Ethernet tunnel software network interface"); -SYSCTL_INT(_net_link_tap, OID_AUTO, user_open, CTLFLAG_RW, &tapuopen, 0, - "Allow user to open /dev/tap (based on node permissions)"); SYSCTL_INT(_net_link_tap, OID_AUTO, up_on_open, CTLFLAG_RW, &tapuponopen, 0, "Bring interface up when /dev/tap is opened"); SYSCTL_INT(_net_link_tap, OID_AUTO, devfs_cloning, CTLFLAG_RWTUN, &tapdclone, 0, - "Enably legacy devfs interface creation"); + "Enable legacy devfs interface creation"); SYSCTL_INT(_net_link_tap, OID_AUTO, debug, CTLFLAG_RW, &tapdebug, 0, ""); DEV_MODULE(if_tap, tapmodevent, NULL); @@ -345,8 +342,7 @@ if (*dev != NULL) return; - if (!tapdclone || - (!tapuopen && priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0)) + if (!tapdclone || priv_check_cred(cred, PRIV_NET_IFCREATE, 0) != 0) return; unit = 0; @@ -477,14 +473,7 @@ { struct tap_softc *tp = NULL; struct ifnet *ifp = NULL; - int error; - if (tapuopen == 0) { - error = priv_check(td, PRIV_NET_TAP); - if (error) - return (error); - } - if ((dev2unit(dev) & CLONE_UNITMASK) > TAPMAXUNIT) return (ENXIO); Index: sys/sys/priv.h =================================================================== --- sys/sys/priv.h (revision 282829) +++ sys/sys/priv.h (working copy) @@ -317,7 +317,6 @@ #define PRIV_NET_BPF 394 /* Monitor BPF. */ #define PRIV_NET_RAW 395 /* Open raw socket. */ #define PRIV_NET_ROUTE 396 /* Administer routing. */ -#define PRIV_NET_TAP 397 /* Can open tap device. */ #define PRIV_NET_SETIFMTU 398 /* Set interface MTU. */ #define PRIV_NET_SETIFFLAGS 399 /* Set interface flags. */ #define PRIV_NET_SETIFCAP 400 /* Set interface capabilities. */
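Review bot: With the `priv_check(td, PRIV_NET_TAP)` block removed in the `@@ -477,14 +473,7 @@` hunk of sys/net/if_tap.c, no visible code gates opening an existing tap node any more, so access rests entirely on the owner and mode of the /dev/tap node, which are set outside this diff. Before the change the default (`user_open` = 0) refused unprivileged opens whatever the node mode was, so a devfs ruleset that already loosens /dev/tap* permissions starts granting read/write access to Ethernet frames as soon as this kernel boots, and the kern_jail.c hunk suggests jails with the node exposed are affected in the same way. I would state the new contract at the top of the open routine, e.g. `/* No privilege check here: access is controlled solely by the devfs node's owner and mode. */`, and have the tap.4 hunk say the same instead of only dropping the super-user sentence. The clone path in the `@@ -345,8 +342,7 @@` hunk moves the other way and now always requires `PRIV_NET_IFCREATE`, so unprivileged users can open only interfaces that were created for them beforehand. Both function bodies start and end outside their hunks, so the default node mode should be confirmed there before this is merged.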