diff --git a/private/app.te b/private/app.te
index 28895a3faacae8da73f4edd3cd42fdb7501cc441..b3bb5165a695d4951db784aeefd511348cdc254a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -367,8 +367,10 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
 
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 
 # signal access to non-app domains.
 # sigchld allowed for parent death notification.
diff --git a/public/te_macros b/public/te_macros
index 582cf3389f907c45f4ca2c154fe5f3347cf0ab7d..3efbe325ae24a8e67948dbb24f79c0d3c719c8a7 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
 ')
 
 #####################################