diff --git a/public/ephemeral_app.te b/public/ephemeral_app.te
index 481cfa5ce7fa6747b78a5519a0ed846f4f3dbd23..44572e184a3a9ca5c9dd44b77378dd674f68aec2 100644
--- a/public/ephemeral_app.te
+++ b/public/ephemeral_app.te
@@ -116,3 +116,7 @@ neverallow ephemeral_app gpu_device:chr_file execute;
 
 # access files in /sys with the default sysfs label
 neverallow ephemeral_app sysfs:file *;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
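Review bot: The comment above the added rule in ephemeral_app.te says "Avoid reads", but the rule lists both `no_rw_file_perms` and `no_x_file_perms`, so it also asserts against write and execute access to generically labeled /proc files. The same comment is repeated in the isolated_app.te and untrusted_app.te hunks. I would reword it in all three to `# Never allow read, write or execute access to generically labeled /proc files.`, keeping the second line as a pointer to the fix, for example `# Assign the file a more specific label (e.g. in genfs_contexts) if access is needed.` The macro definitions are outside this diff, but if they match the usual neverallow_macros, `getattr` is in neither set, so an allow rule for stat() on `proc:file` would still pass this assertion. If that is intended, the comment should say so.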
diff --git a/public/isolated_app.te b/public/isolated_app.te
index 007fc744b7d4b008234258099a299e0f0a972ec9..008e0e21067ac12f013c2cce64aacb829425d8c6 100644
--- a/public/isolated_app.te
+++ b/public/isolated_app.te
@@ -109,3 +109,7 @@ neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
 
 # Restrict the webview_zygote control socket.
 neverallow isolated_app webview_zygote_socket:sock_file write;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow isolated_app proc:file { no_rw_file_perms no_x_file_perms };
diff --git a/public/untrusted_app.te b/public/untrusted_app.te
index 9f62b77e9cbf8bb19f3115ca2e6fe339400d133f..16edf79458560ab7f83a08a4b6d3ad3ddb2f9217 100644
--- a/public/untrusted_app.te
+++ b/public/untrusted_app.te
@@ -193,3 +193,7 @@ neverallow untrusted_app tun_device:chr_file open;
 # Only allow appending to /data/anr/traces.txt (b/27853304, b/18340553)
 neverallow untrusted_app anr_data_file:file ~{ open append };
 neverallow untrusted_app anr_data_file:dir ~search;
+
+# Avoid reads from generically labeled /proc files
+# Create a more specific label if needed
+neverallow untrusted_app proc:file { no_rw_file_perms no_x_file_perms };