diff --git a/private/app.te b/private/app.te
index 030f1a587a0bb775bb58347eb4a804ad46578b77..00ee12a6d663a3fb1977ea7e38d45e3bacdd2f8a 100644
--- a/private/app.te
+++ b/private/app.te
@@ -402,8 +402,10 @@ neverallow appdomain zygote_socket:sock_file write;
 # ptrace access to non-app domains.
 neverallow appdomain { domain -appdomain }:process ptrace;
 
-# Write access to /proc/pid entries for any non-app domain.
-neverallow appdomain { domain -appdomain }:file write;
+# Read or write access to /proc/pid entries for any non-app domain.
+# A different form of hidepid=2 like protections
+neverallow appdomain { domain -appdomain }:file no_w_file_perms;
+neverallow { appdomain -shell } { domain -appdomain }:file no_rw_file_perms;
 
 # signal access to non-app domains.
 # sigchld allowed for parent death notification.
diff --git a/public/te_macros b/public/te_macros
index e58ee88d48c1b53c6157fa5b86127d47d3b202a5..6b41400b18cba4c893c204b3c7888cc57b17235b 100644
--- a/public/te_macros
+++ b/public/te_macros
@@ -172,6 +172,8 @@ typeattribute $1 appdomain;
 tmpfs_domain($1)
 # Map with PROT_EXEC.
 allow $1 $1_tmpfs:file execute;
+neverallow { $1 -shell } { domain -$1 }:file no_rw_file_perms;
+neverallow { appdomain -shell -$1 } $1:file no_rw_file_perms;
 ')
 
 #####################################