diff --git a/isolated_app.te b/isolated_app.te
index 862592e2ba3249124b9359526c8102e0a1ea8e60..34fe41c65c81059f3979852dd2389783865ffdd1 100644
--- a/isolated_app.te
+++ b/isolated_app.te
@@ -39,6 +39,12 @@ neverallow isolated_app property_type:property_service set;
 # Isolated apps should not directly open app data files themselves.
 neverallow isolated_app app_data_file:file open;
 
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+# TODO: are there situations where isolated_apps write to this file?
+# TODO: should we tighten these restrictions further?
+neverallow isolated_app anr_data_file:file ~{ open append };
+neverallow isolated_app anr_data_file:dir ~search;
+
 # b/17487348
 # Isolated apps can only access two services,
 # activity_service and display_service
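Review bot: The comment at the top of the added lines says "only allow appending", but what the two rules actually assert is a permission set: `~{ open append }` leaves only `open` and `append` allowable on the file (so `write`, `create`, `unlink`, `getattr`, `lock`, `ioctl` and the rest are forbidden), and `~search` on the directory also forbids `getattr`, `write` and `add_name`. A neverallow is a compile-time check against the policy's allow rules, not a runtime restriction, so any existing allow granting isolated_app e.g. `getattr` on anr_data_file (presumably in a shared app rule not in this diff) will now break the policy build — that is the intended signal, but the comment should say so. I would reword it as `# Assert isolated_app can at most open/append /data/anr/traces.txt and search its directory; write, create, unlink and getattr on the file must never be allowed (b/27853304, b/18340553)`. The identical pair of rules is repeated for untrusted_app in the second hunk; if both domains are meant to hold the same invariant, one rule over `{ isolated_app untrusted_app }` keeps them from drifting, and the two open TODO questions on lines 10–11 would be better resolved or tracked in a bug than left as questions in the policy source.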
diff --git a/untrusted_app.te b/untrusted_app.te
index b05627a5e71a348cb24d2c324505fae4c09c3f15..47ccb554f5644b992d9987a0e5f11a3969cbd769 100644
--- a/untrusted_app.te
+++ b/untrusted_app.te
@@ -172,3 +172,7 @@ neverallow untrusted_app {
 
 # Do not allow untrusted_app to directly open tun_device
 neverallow untrusted_app tun_device:chr_file open;
+
+# Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
+neverallow untrusted_app anr_data_file:file ~{ open append };
+neverallow untrusted_app anr_data_file:dir ~search;